Hello,

I have the following configuration:

authenticate {
  Auth-Type CHAP {
    chap
    db_backend
    chap {
      ok = 1
    }
    db_backend
  }
}

The first chap module call should handle cases when Cleartext-Password is already set (for example, by the files module). If there is a Cleartext-Password, the chap module returns *ok* or *reject*, so authentication should stop on these return codes. If there is no Cleartext-Password, the chap module returns *invalid*, so authentication should proceed further.

db_backend is a custom module that uses a backend database. The first db_backend call returns:
- *ok* if the backend database does not want password checking,
- *reject* if the backend database wants to reject authentication,
- *handled* if Proxy-To-Realm is returned from the backend database,
- *updated* if Cleartext-Password is returned from the backend database.
Authentication should stop on the *ok*, *reject*, and *handled* return codes, and should proceed on the *updated* return code.

The second chap module call should check CHAP-Password against Cleartext-Password. The handling of return code *ok* is changed to proceed with authentication if the password is correct.

The second db_backend call returns *ok*, *reject*, or *handled* like the first db_backend call.

In freeradius 1.1.x this configuration works fine.
In freeradius 2.1.x it doesn't work.

I found that in freeradius 2.0.2 return code handling in Auth-Type subsections was changed. In freeradius 1.1.x return code handling was:

- return notfound, ok, reject, userlock, handled
- save noop, updated, fail, invalid (all with priority 1)

In freeradius 2.1.x (starting with 2.0.2) return code handling is identical to authorize section:

- save notfound (prio 1), noop (prio 2), ok (prio 3), updated (prio 4)
- return fail, reject, userlock, invalid, handled

This change was committed by commit id 4719ed0ce65f19586364.

What is the reason for the change? It changes the requirements for module return codes. Moreover, return code handling was changed only in Auth-Type subsections, not in the authenticate section. When a module's authenticate hook is called, the module has no clue whether it is called from the authenticate section or from an Auth-Type subsection.

Regards,
Iliya Peregoudov
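
Added example (not part of the original post, and not FreeRADIUS code): a small Python model that runs the Auth-Type CHAP chain from the post through the two return-code tables quoted above. The function name, the constructed request scenarios, and the rule that a tie in priority goes to the later module are assumptions made for illustration.

```python
RETURN = "return"

# FreeRADIUS 1.1.x Auth-Type handling, as listed in the post.
V1_DEFAULTS = {
    "notfound": RETURN, "ok": RETURN, "reject": RETURN,
    "userlock": RETURN, "handled": RETURN,
    "noop": 1, "updated": 1, "fail": 1, "invalid": 1,
}

# FreeRADIUS 2.1.x (since 2.0.2) Auth-Type handling, as listed in the post.
V2_DEFAULTS = {
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
    "fail": RETURN, "reject": RETURN, "userlock": RETURN,
    "invalid": RETURN, "handled": RETURN,
}

def run_section(defaults, calls):
    """calls: list of (module, rcode, overrides). Returns (final rcode, modules run)."""
    result, priority, ran = None, 0, []
    for module, rcode, overrides in calls:
        ran.append(module)
        action = {**defaults, **overrides}[rcode]
        if action == RETURN:
            return rcode, ran      # section stops at this module
        if action >= priority:     # assumption: ties go to the later module
            result, priority = rcode, action
    return result, ran

# Constructed request 1: no Cleartext-Password until db_backend supplies it,
# then the CHAP check succeeds. The third entry carries the "ok = 1" override.
NO_LOCAL_PASSWORD = [
    ("chap", "invalid", {}), ("db_backend", "updated", {}),
    ("chap", "ok", {"ok": 1}), ("db_backend", "ok", {}),
]

# Constructed request 2: Cleartext-Password already set (e.g. by files), so
# the first chap call returns ok. Later rcodes only matter if they are reached.
LOCAL_PASSWORD = [
    ("chap", "ok", {}), ("db_backend", "ok", {}),
    ("chap", "ok", {"ok": 1}), ("db_backend", "ok", {}),
]

if __name__ == "__main__":
    for name, table in (("1.1.x", V1_DEFAULTS), ("2.1.x", V2_DEFAULTS)):
        print(name, run_section(table, NO_LOCAL_PASSWORD))
        print(name, run_section(table, LOCAL_PASSWORD))
```

With the 2.1.x table the first request ends at the first chap call with *invalid*, and the second request no longer stops at the first *ok*.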
