Pre-Proxy-Type, Post-Proxy-Type

2005-02-09 Thread Massimiliano Liccardo
Hi,
I'm using freeRADIUS to proxy different realms to home servers.
I need to use different rlm_modules for each realm during pre-proxy and
post-proxy, but I cannot work out how to set something like Autz-Type, i.e. it
would be perfect if:
users:
    DEFAULT Realm == "foo", Pre-Proxy-Type := foo
    DEFAULT Realm == "bar", Pre-Proxy-Type := bar

and

radiusd.conf:
    pre-proxy {
        Pre-Proxy-Type foo {
            rlm_foo1
            rlm_foo2
        }
        Pre-Proxy-Type bar {
            rlm_bar1
            rlm_bar2
        }
    }

At the moment pre-proxy/post-proxy only work for all the realms. No
possibility to differentiate like authorize/authentication.
Maybe I'm wrong?
-- 
 Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
 jid:[EMAIL PROTECTED]
 GnuPG public key available on wwwkeys.eu.pgp.net
 Key ID: D01F1CAD
 Key fingerprint:  992D 91B7 9682 9735 12C9 402D AD3F E4BB D01F 1CAD

"speed leads to forgetting,
 slowness to remembering"

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pre-Proxy-Type, Post-Proxy-Type

2005-02-10 Thread Massimiliano Liccardo
At 11:15, Thursday 10 February 2005, Nicolas Baradakis wrote:
> Alan DeKok wrote:
> > Massimiliano Liccardo <[EMAIL PROTECTED]> wrote:
> > > At the moment pre-proxy/post-proxy only work for all the realms. No
> > > possibility to differentiate like authorize/authentication.
> > > Maybe I'm wrong?
> >
> >   It works, it's just not well documented.
>
> Alan, I didn't manage to execute modules in {Pre,Post}-Proxy-Type
> stanzas either. I reported this as bug #199 a few weeks ago.
>
> Looking at src/main/modules.c, the functions module_pre_proxy /
> module_post_proxy (and the function module_preacct, too) don't have a
> supplementary argument for the subcomponent name.

Right, I noticed that argument as 0 (zero). If I remember, it worked in
freeRADIUS 0.9.1.
Looking at http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/Autz-Type
it seems to be removed

Revision 1.9 / (download) - annotate - [select for diffs], Fri Sep 19 04:01:30 
2003 UTC (16 months, 3 weeks ago) by phampson 
Branch: MAIN 
CVS Tags: release_1_0_2, release_1_0_1, release_1_0_0_pre3, 
release_1_0_0_pre2, release_1_0_0_pre1, release_1_0_0, release_1_0, HEAD 
Changes since 1.8: +2 -3 lines
Diff to previous 1.8 (colored) 

Remove last vestiges of Pre-Acct/Pre-Proxy/Post-Proxy-Type.

>
> I was thinking it will not work for that reason, but perhaps I am
> mistaken.


Re: Pre-Proxy-Type, Post-Proxy-Type

2005-02-10 Thread Massimiliano Liccardo
Nicolas,
thanks a lot for your tip... maybe it could become a FAQ :)
My problem is that I'm developing rlm_modules on my own and if I use
Autz-Type, I should write the pre/post-proxy code into the authorization
callback of any module instead of pre-proxy/post-proxy (yes, pre-proxy is
just another name of authorization)

At 12:11, Thursday 10 February 2005, Nicolas Baradakis wrote:

> I need exactly the same thing as you, and I found a workaround which
> doesn't use {Pre,Post}-Proxy-Type.
>
> Put "post_proxy_authorize = yes" in your proxy.conf file. This will
> make the request run the authorize section twice: one time when the
> request comes from the NAS, and one more time when the request comes
> from the realm server.
>
> In the authorize section, it's very important that you execute the
> rlm_files module *before* rlm_realm.
>
> authorize {
>   preprocess
>   files
>   realm
>
>   Autz-Type pre-proxy.foo.net {
>   ...
>   }
>
>   Autz-Type post-proxy.foo.net {
>   ...
>   }
>
>   Autz-Type pre-proxy.bar.com {
>   ...
>   }
>
>   Autz-Type post-proxy.bar.com {
>   ...
>   }
>   ...
> }
>
> In the users file, you know if you handle the request coming from
> the NAS (pre-proxy) or the realm server (post-proxy) by testing the
> variable "Realm". The order of the lines is important there, too.
>
> DEFAULT Realm == "foo.net", Autz-Type := post-proxy.foo.net
>
> DEFAULT User-Name =~ "@foo\\.net", Autz-Type := pre-proxy.foo.net
>
> ...
>
> You should manage to handle your setup like this, but it is nothing
> more than a workaround.
it works -> it's good!

> The configuration is error prone, and the 
> post_proxy_authorize is a deprecated option. 
I agree.


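A simplified model of the workaround quoted in the message above, added here as an illustration; it is not part of the original thread and is not FreeRADIUS code. It shows why both orderings matter: the authorize section runs twice on the same request, and the first matching users entry decides the Autz-Type. The user name alice@foo.net and the Python function names are assumptions.

```python
import re

# Constructed model of the two users-file entries quoted above, in file order:
# (attribute, operator, value, Autz-Type assigned when the entry matches).
USERS = [
    ("Realm", "==", "foo.net", "post-proxy.foo.net"),
    ("User-Name", "=~", r"@foo\.net", "pre-proxy.foo.net"),
]


def files(request, users):
    """Return the Autz-Type of the first matching entry (no Fall-Through)."""
    for attr, op, value, autz_type in users:
        have = request.get(attr)
        if have is None:
            continue
        if op == "==" and have == value:
            return autz_type
        if op == "=~" and re.search(value, have):
            return autz_type
    return None


def realm(request):
    """Add a Realm attribute taken from the part of User-Name after '@'."""
    name = request["User-Name"]
    if "@" in name:
        request["Realm"] = name.rsplit("@", 1)[1]


def two_passes(order, users=USERS):
    """Run the authorize modules twice on one request; return both Autz-Types."""
    request = {"User-Name": "alice@foo.net"}  # constructed sample request
    chosen = []
    for _ in ("from NAS", "from home server"):
        autz = None
        for name in order:
            if name == "files":
                autz = files(request, users)
            else:
                realm(request)
        chosen.append(autz)
    return chosen


if __name__ == "__main__":
    print(two_passes(["files", "realm"]))               # ordering from the post
    print(two_passes(["realm", "files"]))               # modules swapped
    print(two_passes(["files", "realm"], USERS[::-1]))  # users lines swapped
```

In this model, swapping the modules or the users lines makes both passes select the same Autz-Type, so one of the two stanzas for the realm never runs.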


Re: Pre-Proxy-Type, Post-Proxy-Type

2005-02-10 Thread Massimiliano Liccardo
At 12:34, Thursday 10 February 2005, Massimiliano Liccardo wrote:

> My problem is that I'm developing rlm_modules on my own and if I use
> Autz-Type, I should write the pre/post-proxy code into the authorization
> callback of any module instead of pre-proxy/post-proxy (yes, pre-proxy is
> just another name of authorization)
>
and I should differentiate pre-proxy from post-proxy (how?) or develop two 
rlm_modules doing pre-proxy (first) and post-proxy (second) as 
authorization :(



Re: Pre-Proxy-Type, Post-Proxy-Type

2005-02-10 Thread Massimiliano Liccardo
At 18:44, Thursday 10 February 2005, Alan DeKok wrote:


>   Please do not put pre-proxy code into the "authorize" section of a
> module.
It's just a temporary workaround.
> We will fix the server.
fine!




Re: Pre-Proxy-Type, Post-Proxy-Type

2005-02-13 Thread Massimiliano Liccardo
At 22:21, Saturday 12 February 2005, Nicolas Baradakis wrote:

>
> I know you're busy with other things (1.0.2 release, rlm_policy...),
> that's why, if you agree with that, I'll look at this issue more
> closely and try to provide a patch in a few days.
Great!!
Maybe it could be useful to patch rlm_files in order to provide a post_proxy
file like the pre_proxy one? It could be useful for setting the Post-Proxy-Type
without re-passing the authorize section and using rlm_files directly in
Post-Proxy, i.e.

modules {
  ..
  # Livingston-style 'users' file
  #
  files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    preproxy_usersfile = ${confdir}/pre_proxyusers
    postproxy_usersfile = ${confdir}/post_proxyusers
    #  If you want to use the old Cistron 'users' file
    #  with FreeRADIUS, you should change the next line
    #  to 'compat = cistron'.  You can then copy your 'users'
    #  file from Cistron.
    compat = no
  }

}

post-proxy {
  files   # provide Post-Proxy-Type
  Post-Proxy-Type foo {
    foo1
    foo2
  }
  Post-Proxy-Type bar {
    bar1
    bar2
  }
}

The patch is very silly, could submit if useful.


Re: Pre-Proxy-Type, Post-Proxy-Type

2005-02-17 Thread Massimiliano Liccardo
At 15:17, Sunday 13 February 2005, Nicolas Baradakis wrote:

>
> Post-Proxy-Type is a check item, therefore I think you can set it in
> the first pass of authorization, then the server remembers it when it
> receives the reply from the realm server.
Good. I noticed the freeRADIUS 1.0.2 release without your patch... what a
pity :(



remove AV pairs from proxy request ?

2005-06-06 Thread Massimiliano Liccardo
Hi all,
I need to remove in a configurable manner some AV pairs from my proxy request,
in order to send to a home server just a "secure" AV pairs subset. It looks
very close to rlm_attr_filter but in the opposite path... any idea?
Thanks!


request->proxy & request->proxy_reply

2005-10-05 Thread Massimiliano Liccardo
Hi folks,
I should write a module that strips/modifies AV pairs from a proxy reply
according to the AV pairs previously sent in the originating request.
My doubt is: are the AV pairs in request->proxy still valid during the
post-proxy stage of an rlm_module?


stripping av pairs

2005-10-10 Thread Massimiliano Liccardo
Hi,
I want to strip an AV pair only from my proxy-reply. If I use rlm_attr_filter, I
have to list all the "good" AV pairs.
Any idea?