Romeo Mihalcea wrote:
> I successfully managed to deploy a freeradius server and created a
> python script which does an additional check on the user (incoming
> request). I checked the internet (resources for freeradius are pretty
> horrible)

Well... the server comes with a lot of documentation. Searching random pages on the internet isn't a good idea.

> and only found a thread which explains some basics about
> adding a python script to the process.

That isn't well documented because no one has contributed documentation.

> Right now I have it inside /etc/freeradius/sites-enabled/default under
> the authorize section:
>
> update control {
>     Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}' '%{User-Password}'`
> }

While that works, I wouldn't recommend doing it. It's just using python as an external script. i.e. there's no python-specific documentation needed. You could use `/bin/echo Accept` to get much the same effect.

> My test.py file spits Reject or Accept. I also have sql authentication

No... the SQL module does authorization checks. They really are different, and the difference is important. See the wiki for more discussion on this topic.

> setup with freeradius and the problem is that, if my script returns
> Accept any other authorization request under is ignored; response will
> still be an Accept even if sql check rejects the user.

Yes, that's what you told it to do. Which is why the FAQ says to *not* set Auth-Type. It's almost always wrong.

> From what I understand I should pass a noop instead of Accept to allow
> freeradius to continue and only pass Reject if I need to reject the user
> but if I respond with noop the server complains (probably because it
> expects a reply for Auth-Type as I coded it).

No. "noop" isn't an authentication type. You're mixing multiple topics without a clear understanding of any of them.

> Someone on serverfault suggested I shouldn't use unlang to call a python
> script and I should use rlm_python but I really have no idea how to even
> start calling my script.
>
> Any ideas? Maybe I need to add my code to the Authentication section? How?

What do you want to do? Please explain what you have, and what you want.

Right now you're describing a "solution" that doesn't work. You're not describing a problem. There's really no point in trying to fix the solution until the problem is clear. If we do, we'll be stuck on miscommunication and misunderstanding.

Alan DeKok.