Pre-Proxy-Type, Post-Proxy-Type
Hi,
I'm using a freeRADIUS to proxy different realms to home servers.
I need to use different rlm_modules for each realm during pre-proxy and post-proxy, but I cannot realize how to set something like Autz-Type, i.e.

It could be perfect if

users:
DEFAULT Realm == "foo", Pre-Proxy-Type := foo
DEFAULT Realm == "bar", Pre-Proxy-Type := bar

and radiusd.conf:
pre-proxy {
    Pre-Proxy-Type foo {
        rlm_foo1
        rlm_foo2
    }
    Pre-Proxy-Type bar {
        rlm_bar1
        rlm_bar2
    }
}

At the moment pre-proxy/post-proxy only work for all the realms. No possibility to differentiate like authorize/authentication.
Maybe I'm wrong?

--
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
jid:[EMAIL PROTECTED]
GnuPG public key available on wwwkeys.eu.pgp.net
Key ID: D01F1CAD
Key fingerprint: 992D 91B7 9682 9735 12C9 402D AD3F E4BB D01F 1CAD
"speed leads to forgetting, slowness to remembering"

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pre-Proxy-Type, Post-Proxy-Type
At 11:15, Thursday 10 February 2005, Nicolas Baradakis wrote:
> Alan DeKok wrote:
> > Massimiliano Liccardo <[EMAIL PROTECTED]> wrote:
> > > At the moment pre-proxy/post-proxy only work for all the realms. No
> > > possibility to differentiate like authorize/authentication.
> > > Maybe I'm wrong?
> >
> > It works, it's just not well documented.
>
> Alan, I didn't manage to execute modules in {Pre,Post}-Proxy-Type
> stanzas either. I reported this as bug #199 a few weeks ago.
>
> Looking at src/main/modules.c, the functions module_pre_proxy /
> module_post_proxy (and the function module_preacct, too) don't have a
> supplementary argument for the subcomponent name.

Right, I noticed that argument as 0 (zero). If I remember, it worked in freeRADIUS 0.9.1.

Looking at http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/Autz-Type it seems to be removed:

Revision 1.9, Fri Sep 19 04:01:30 2003 UTC (16 months, 3 weeks ago) by phampson
Branch: MAIN
CVS Tags: release_1_0_2, release_1_0_1, release_1_0_0_pre3, release_1_0_0_pre2, release_1_0_0_pre1, release_1_0_0, release_1_0, HEAD
Changes since 1.8: +2 -3 lines
Remove last vestiges of Pre-Acct/Pre-Proxy/Post-Proxy-Type.

>
> I was thinking it will not work for that reason, but perhaps I am
> mistaken.

--
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
Re: Pre-Proxy-Type, Post-Proxy-Type
Nicolas, thanks a lot for your tip... maybe it could become a FAQ :)

My problem is that I'm developing rlm_modules on my own and if I use Autz-Type, I should write the pre/post-proxy code into the authorization callback of any module instead of pre-proxy/post-proxy (yes, pre-proxy is just another name of authorization)

At 12:11, Thursday 10 February 2005, Nicolas Baradakis wrote:
> I need exactly the same thing as you, and I found a workaround which
> doesn't use {Pre,Post}-Proxy-Type.
>
> Put "post_proxy_authorize = yes" in your proxy.conf file. This will
> make the request run the authorize section twice: one time when the
> request comes from the NAS, and one more time when the request comes
> from the realm server.
>
> In the authorize section, it's very important that you execute the
> rlm_files module *before* rlm_realm.
>
> authorize {
>     preprocess
>     files
>     realm
>
>     Autz-Type pre-proxy.foo.net {
>         ...
>     }
>
>     Autz-Type post-proxy.foo.net {
>         ...
>     }
>
>     Autz-Type pre-proxy.bar.com {
>         ...
>     }
>
>     Autz-Type post-proxy.bar.com {
>         ...
>     }
>     ...
> }
>
> In the users file, you know if you handle the request coming from
> the NAS (pre-proxy) or the realm server (post-proxy) by testing the
> variable "Realm". The order of the lines is important there, too.
>
> DEFAULT Realm == "foo.net", Autz-Type := post-proxy.foo.net
>
> DEFAULT User-Name =~ "@foo\\.net", Autz-Type := pre-proxy.foo.net
>
> ...
>
> You should manage to handle your setup like this, but it is nothing
> more than a workaround.

it works -> it's good!

> The configuration is error prone, and the
> post_proxy_authorize is a deprecated option.

I agree.

--
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
Re: Pre-Proxy-Type, Post-Proxy-Type
At 12:34, Thursday 10 February 2005, Massimiliano Liccardo wrote:
> My problem is that I'm developing rlm_modules on my own and if I use
> Autz-Type, I should write the pre/post-proxy code into the authorization
> callback of any module instead of pre-proxy/post-proxy (yes, pre-proxy is
> just another name of authorization)
>

and I should differentiate pre-proxy from post-proxy (how?) or develop two rlm_modules doing pre-proxy (first) and post-proxy (second) as authorization :(

--
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
Re: Pre-Proxy-Type, Post-Proxy-Type
At 18:44, Thursday 10 February 2005, Alan DeKok wrote:
> Please do not put pre-proxy code into the "authorize" section of a
> module.

It's just a temporary workaround.

> We will fix the server.

fine!

--
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
Re: Pre-Proxy-Type, Post-Proxy-Type
At 22:21, Saturday 12 February 2005, Nicolas Baradakis wrote:
>
> I know you're busy with other things (1.0.2 release, rlm_policy...),
> that's why, if you agree with that, I'll look at this issue more
> closely and try to provide a patch in a few days.

great !!

Maybe it could be useful to patch the rlm_files in order to provide a post_proxy file like the pre_proxy one?
It could be useful for setting the Post-Proxy-Type without re-passing the authorize section and using rlm_files directly in Post-Proxy, i.e.

modules {
    ..
    # Livingston-style 'users' file
    #
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/pre_proxyusers
        postproxy_usersfile = ${confdir}/post_proxyusers

        # If you want to use the old Cistron 'users' file
        # with FreeRADIUS, you should change the next line
        # to 'compat = cistron'. You can then copy your 'users'
        # file from Cistron.
        compat = no
    }
}

post-proxy {
    files    # provide Post-Proxy-Type
    Post-Proxy-Type foo {
        foo1
        foo2
    }
    Post-Proxy-Type bar {
        bar1
        bar2
    }
}

The patch is very silly, I could submit it if useful.

--
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
Re: Pre-Proxy-Type, Post-Proxy-Type
At 15:17, Sunday 13 February 2005, Nicolas Baradakis wrote:
>
> Post-Proxy-Type is a check item, therefore I think you can set it in
> the first pass of authorization, then the server remembers it when it
> receives the reply from the realm server.

good

I noticed the freeRADIUS 1.0.2 release without your patch... what a pity :(

--
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
remove AV pairs from proxy request ?
hi all,
I need to remove in a configurable manner some AV pairs from my proxy request, in order to send to a home server just a "secure" AV pairs subset.
It looks very close to the rlm_attr_filter but in the opposite path. Any idea?

thanx!

--
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
request->proxy & request->proxy_reply
hi folks,
I should write a module that strips/modifies AV pairs from a proxy reply according to the AV pairs previously sent in the originating request.
My doubt is: are the AV pairs in request->proxy still valid during the post-proxy stage of a rlm_module?

--
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
stripping av pairs
hi,
I want to strip an AV pair only from my proxy-reply.
If I use rlm_attr_filter, I have to list all the "good" AV pairs.
Any idea?

--
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
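
The last questions above (sending only a "secure" subset of AV pairs in the proxy request, and stripping a single AV pair from the proxy reply) are the allowlist and denylist forms of one list filter. The following is an added example, not part of the original posts and not FreeRADIUS code: avp_t, avp_push, avp_find and avp_filter are hypothetical stand-ins for the server's own attribute list and API.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an attribute list; not FreeRADIUS's own VALUE_PAIR. */
typedef struct avp { const char *name, *value; struct avp *next; } avp_t;

/* KEEP_LISTED = allowlist (proxy request), DROP_LISTED = denylist (proxy reply). */
enum filter_mode { KEEP_LISTED, DROP_LISTED };

/* Append a pair to the end of the list. */
void avp_push(avp_t **head, const char *name, const char *value)
{
    avp_t *vp = malloc(sizeof(*vp));
    if (!vp) abort();
    vp->name = name; vp->value = value; vp->next = NULL;
    while (*head) head = &(*head)->next;
    *head = vp;
}

/* Return the first pair with exactly this name, or NULL. */
avp_t *avp_find(avp_t *head, const char *name)
{
    while (head && strcmp(head->name, name) != 0) head = head->next;
    return head;
}

/* Unlink and free every pair the policy rejects; return how many were removed.
 * An empty allowlist removes everything, so a missing policy fails closed. */
size_t avp_filter(avp_t **head, enum filter_mode mode,
                  const char *const *names, size_t n)
{
    size_t removed = 0;
    while (*head) {
        avp_t *vp = *head;
        int hit = 0;
        for (size_t i = 0; i < n && !hit; i++)
            hit = (strcmp(vp->name, names[i]) == 0);
        if ((mode == KEEP_LISTED) ? !hit : hit) {
            *head = vp->next;      /* unlink, including when vp is the head */
            free(vp);
            removed++;
        } else {
            head = &vp->next;
        }
    }
    return removed;
}
```

With KEEP_LISTED, an attribute nobody thought about is dropped before it reaches the home server; with DROP_LISTED it passes through, which is why the allowlist form suits the outbound request and the denylist form only suits removing a known attribute from a reply.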