Romeo Mihalcea wrote:
> I successfully managed to deploy a freeradius server and created a
> python script which does an additional check on the user (incoming
> request). I checked the internet (resources for freeradius are pretty
> horrible)

  Well... the server comes with a lot of documentation.  Searching
random pages on the internet isn't a good idea.

> and only found a thread which explains some basics about
> adding a python script to the process.

  That isn't well documented because no one has contributed documentation.

> Right now I have it inside /etc/freeradius/sites-enabled/default under
> the authorize section:
> 
> update control {
>        Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}'
> '%{User-Password}'`
> }

  While that works, I wouldn't recommend doing it.  It's just using
python as an external script.  i.e. there's no python-specific
documentation needed.  You could use `/bin/echo Accept` to get much the
same affect.

> My test.py file spits Reject or Accept. I also have sql authentication

  No... the SQL module does authorization checks.  They really are
different, and the difference is important.  See the wiki for more
discussion on this topic.

> setup with freeradius and the problem is that, if my script returns
> Accept any other authorization request under is ignored; response will
> still be an Accept even if sql check rejects the user.

  Yes, that's what you told it to do.  Which is why the FAQ says to
*not* set Auth-Type.  It's almost always wrong.

> From what I understand I should pass a noop instead of Accept to allow
> freeradius to continue and only pass Reject if I need to reject the user
> but If I respond with noop the server complains (probably because it
> expects a reply for Auth-Type as I coded it).

  No.  "noop" isn't an authentication type.  You're mixing multiple
topics without a clear understanding of any of them.

> Someone on serverfault suggested I shouldnt use unlang to call a python
> script and I should use rlm_python but I really have no idea how to even
> start calling my script.
> 
> Any ideas? Maybe I need to add my code to the Authentication. section? How?

  What you want to do?  Please explain what you have, and what you want.

  Right now you're describing a "solution" that doesn't work.  You're
not describing a problem.  There's really no point in trying to fix the
solution until the problem is clear.  If we do, we'll be stuck on
miscommunication and misunderstanding.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to