Romeo Mihalcea wrote:
> I successfully managed to deploy a freeradius server and created a
> python script which does an additional check on the user (incoming
> request). I checked the internet (resources for freeradius are pretty
> horrible)
Well... the server comes with a lot of documentation. Searching
random pages on the internet isn't a good idea.
> and only found a thread which explains some basics about
> adding a python script to the process.
That isn't well documented because no one has contributed documentation.
> Right now I have it inside /etc/freeradius/sites-enabled/default under
> the authorize section:
>
> update control {
> Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}'
> '%{User-Password}'`
> }
While that works, I wouldn't recommend doing it. It's just using
python as an external script. i.e. there's no python-specific
documentation needed. You could use `/bin/echo Accept` to get much the
same effect.
> My test.py file spits Reject or Accept. I also have sql authentication
No... the SQL module does authorization checks. They really are
different, and the difference is important. See the wiki for more
discussion on this topic.
> setup with freeradius and the problem is that, if my script returns
> Accept any other authorization request under is ignored; response will
> still be an Accept even if sql check rejects the user.
Yes, that's what you told it to do. Which is why the FAQ says to
*not* set Auth-Type. It's almost always wrong.
> From what I understand I should pass a noop instead of Accept to allow
> freeradius to continue and only pass Reject if I need to reject the user
> but if I respond with noop the server complains (probably because it
> expects a reply for Auth-Type as I coded it).
No. "noop" isn't an authentication type. You're mixing multiple
topics without a clear understanding of any of them.
> Someone on serverfault suggested I shouldn't use unlang to call a python
> script and I should use rlm_python but I really have no idea how to even
> start calling my script.
>
> Any ideas? Maybe I need to add my code to the Authentication section? How?
What do you want to do? Please explain what you have, and what you want.
Right now you're describing a "solution" that doesn't work. You're
not describing a problem. There's really no point in trying to fix the
solution until the problem is clear. If we do, we'll be stuck on
miscommunication and misunderstanding.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html