Re: rlm_exec and proxy request paradox
So I've done a little more digging and also updated my installation to 2.1.11. I admittedly am not a C programmer, so please pardon any misunderstandings (or bad suggestions) I may have. My hope is this research might help somebody help me with the issue at hand.

Beginning on line 209 of src/main/auth.c is the following snippet of code triggering the access-accept.

    /*
     * This means we have a proxy reply or an accept
     * and it wasn't rejected in the above loop. So
     * that means it is accepted and we do no further
     * authentication
     */
    if ((auth_type == PW_AUTHTYPE_ACCEPT)
#ifdef WITH_PROXY
        || (request->proxy)
#endif
        ) {
        RDEBUG2("Auth-Type = Accept, accepting the user");
        return 0;
    }

If I comment out the return 0; line, all works well for me, although it does trigger a warning. Even if the proxied request is accepted by the destination radius server, my exec script exits code 1 and the request is ultimately rejected. Given my understanding of the rlm_exec module, I believe it should be rejecting the proxied request in my original email.

Would it make sense here to extend this section of code so it acknowledges the response from rlm_exec before accepting the user? Or have the rlm_exec code unset auth_type from being PW_AUTHTYPE_ACCEPT so this section never fires?

- N

On Fri, Jun 17, 2011 at 3:11 PM, Nathan M wrote:
> Hello,
>
> I'm in the process of updating old 1.x freeradius servers to 2.1.10. We have scripts which fire to verify some local verifications and return some attributes which get passed along with the response to the NAS. The old method used Exec-Program-Wait in the users file; however, per recommendation in docs and list I'm converting things over to use the newer rlm_exec method.
>
> The new method works great for local authentication; however, I'm getting stumped on requests which are proxied to another radius server which accepts the request. Process of events:
>
> 1. Auth request is proxied to 3rd party server, which returns an Access-Accept
>
>     rad_recv: Access-Accept packet from host 10.0.0.243 port 1645, id=184, length=37
>         Framed-Protocol = PPP
>         Framed-Compression = Van-Jacobson-TCP-IP
>         Proxy-State = 0x313238
>
> 2. As configured in post-proxy, visp_proxyauth is run. For the sake of simplicity visp_proxyauth executes a script which simply responds with exit 1 to mimic a failed local verification.
>
>     # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
>     +- entering group post-proxy {...}
>     Exec-Program output:
>     Exec-Program: returned: 1
>     ++[visp_proxyauth] returns reject
>     Found Auth-Type = Accept
>     Auth-Type = Accept, accepting the user
>
> Problem: even though visp_proxyauth returns reject with exit 1, I believe the earlier Auth-Type = Accept from the response of the 3rd party radius server the request was proxied to is being used to accept the login.
>
> This differs from how 1.x acted in that if exec-program-wait returned exit 1 it would fail the request. My new install of 2.1.10 accepts the request, which is not the desired behavior. I'm definitely open to modifying my config or exit codes to accommodate any differences introduced in 2.x.
>
> I've seemingly tried too many different configuration options and different tactics to try to make this work but seem to be stumped and looking for some outside perspective. My goal would be to ultimately reject the request if visp_proxyauth exits with return value 1 (user reject). Any assistance is greatly appreciated.
>
> - N

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_exec and 'No such file or directory' error
mark.le...@stfc.ac.uk wrote:
> I have the exec module enabled in the instantiate section of radiusd.conf and I have the following at the end of the authorize section in the sites-enabled/default file:
>
>     if (control:Auth-Type == LDAP) {
>         update control {
>             Auth-Type = `%{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}}`

Please read "man unlang". What you have configured here is:

1) run the "exec" module to get some output via %{exec:...}
2) run the resulting data as a program via `...`

That's likely not what you want. Use double quotes instead of back-quotes.

Alan DeKok.
Re: rlm_exec
On 07/08/2010 02:49 AM, Alan DeKok wrote:
> Hubert Kupper wrote:
>> I used the RPMs from Suse, but the same error still occurs.
>
> OK... find out where the libraries are, and ensure that the dynamic linker can find them.

try running ldconfig

-- 
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: rlm_exec
Hubert Kupper wrote:
> I used the RPMs from Suse, but the same error still occurs.

OK... find out where the libraries are, and ensure that the dynamic linker can find them.

Alan DeKok.
Re: rlm_exec
On 07.07.2010 07:54, Alan DeKok wrote:
> Hubert Kupper wrote:
>> I have installed freeradius 2.1.9-0 on a SLES 11 64 bit machine.
>
> From an RPM, or from source?
>
>> When I try to start with freeradius -X then I get the following error:
>>
>>     radiusd: Instantiating modules
>>      instantiate {
>>     /etc/raddb/radiusd.conf[1384]: Failed to link to module 'rlm_exec': file not found
>>
>> I've searched the freeradius mailing archive but I didn't find an entry.
>
> The modules can't be found. Use the RPMs supplied by Suse, they work.
>
> Alan DeKok.

I used the RPMs from Suse, but the same error still occurs.

Best regards
Hubert
Re: rlm_exec
Hubert Kupper wrote:
> I have installed freeradius 2.1.9-0 on a SLES 11 64 bit machine.

From an RPM, or from source?

> When I try to start with freeradius -X then I get the following error:
>
>     radiusd: Instantiating modules
>      instantiate {
>     /etc/raddb/radiusd.conf[1384]: Failed to link to module 'rlm_exec': file not found
>
> I've searched the freeradius mailing archive but I didn't find an entry.

The modules can't be found. Use the RPMs supplied by Suse, they work.

Alan DeKok.
Re: [rad] Re: rlm_exec wiki
On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:
> it would be much better if there was a full delineation between 1.x and 2.x docs - the web is full of older resources that don't say what version their tweaks and info is good for.

(nod) I don't know enough about the differences between 1.x and 2.x to say whether it would be better to have two complete document trees, like the apache server, or annotated with "applies to versions x-y" the way the postfix docs do it. I get the feeling that for the most part features have been *added* to FreeRADIUS, and very little removed. But is that actually the case?

> if i see one more config with Auth-Type = EAP I'll scream ;-)

Had to look that one up. First hit on google explained it all LOL

- Charles
Re: rlm_exec wiki
On 15 June 2009, at 14:41, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> (grin), but of course, if I want to write for the wiki, I'm going to have to install the latest release, to be sure what I write is valid for the most current context. Fortunately I have a test box for stuff like this. :)
>
> ..but to mirror what you've been saying - why not support 1.x fully on the wiki - there's plenty of 1.x installs out there and 1.x users who are forced into such a situation - eg because their enforced distro/repository policy means no building from source
>
> it would be much better if there was a full delineation between 1.x and 2.x docs - the web is full of older resources that don't say what version their tweaks and info is good for.

That's actually a good idea. For example, during the initial introduction period for 2.x, there was nothing in the wiki about writing your own modules for 2.x. The existing page was only for 1.x. It didn't know about the existence of 2.x because it didn't exist when the page was written. As a result, anyone who was trying to use 2.x in the early days and wanted to write their own modules would have failed horribly. The 1.x instructions were not at all appropriate for 2.x.

Since I only use FreeRadius for authenticating a small number of dial-in users, I didn't need to convert at all. 1.x would have been just fine for me probably longer than I will have dial-in users. I only did the conversion to be able to rewrite the module page for 2.x. Now both of them are there.

However, by having 2 editions of each page, the top page would become enormous and difficult to handle. Making separate sections for each version would make it a lot easier for people during these transitions. There seems to be no end to Alan's imagination for new features. I expect a version 3.x in the near future.
Re: rlm_exec wiki
Hi,

> (grin), but of course, if I want to write for the wiki, I'm going to have to install the latest release, to be sure what I write is valid for the most current context. Fortunately I have a test box for stuff like this. :)

..but to mirror what you've been saying - why not support 1.x fully on the wiki - there's plenty of 1.x installs out there and 1.x users who are forced into such a situation - eg because their enforced distro/repository policy means no building from source

it would be much better if there was a full delineation between 1.x and 2.x docs - the web is full of older resources that don't say what version their tweaks and info is good for.

if i see one more config with Auth-Type = EAP I'll scream ;-)

alan
Re: rlm_exec wiki
On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:
> I think the initial idea would be to document what/how you've used exec module to define an attribute - rlm_exec is quite bare on the wiki ;-)

Uh, yeah, almost forgot, that was actually one of the places I looked before I posted on the list. :)

I think before I write anything I will test my script a bit further and make sure that it has the complete functionality I expect. I'll be doing that this week.

I'm gonna get a few shots for this next statement (grin), but of course, if I want to write for the wiki, I'm going to have to install the latest release, to be sure what I write is valid for the most current context. Fortunately I have a test box for stuff like this. :)

Thanks.

- Charles
Re: rlm_exec question
T Kid82 wrote:
> 1. I have log incoming authentication requests set to yes but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there any way to do that without actually running the server in debug mode?

No.

> 2. Is there a config setting for locking out a user temporarily if they make more than say 5 unsuccessful login attempts in a short time span?

No. This requires that the information is stored in a database. Use a script to read/write the relevant information to the database.

Alan DeKok.
Re: rlm_exec question
Anybody know about these two things that I asked?

1. I have log incoming authentication requests set to yes but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there any way to do that without actually running the server in debug mode?

2. Is there a config setting for locking out a user temporarily if they make more than say 5 unsuccessful login attempts in a short time span?

Thanks.

On Thu, Apr 17, 2008 at 1:15 AM, T Kid82 <[EMAIL PROTECTED]> wrote:
> Thank you Alan, your recommendation worked perfectly. It has permanently cured me of fleas :p
>
> Two other things I wanted to ask the experts on here.
>
> 1. I have log incoming authentication requests set to yes but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there any way to do that without actually running the server in debug mode?
>
> 2. Is there a config setting for locking out a user temporarily if they make more than say 5 unsuccessful login attempts in a short time span?
>
> Thanks again.
>
> -- Tauseef
>
> On Sun, Apr 13, 2008 at 11:32 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
>> T Kid82 wrote:
>>> First I added a files sub-section to the modules section within radiusd.conf
>>>
>>>     files {
>>>         Auth-Type := Exec
>>>     }
>>
>> There is already a "files" subsection. It configures the "users" file. You should put the "Auth-Type" entry there, instead of in radiusd.conf.
>>
>> Oh, and read the documentation for the "users" file.
>>
>> Alan DeKok.
Re: rlm_exec question
Thank you Alan, your recommendation worked perfectly. It has permanently cured me of fleas :p

Two other things I wanted to ask the experts on here.

1. I have log incoming authentication requests set to yes but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there any way to do that without actually running the server in debug mode?

2. Is there a config setting for locking out a user temporarily if they make more than say 5 unsuccessful login attempts in a short time span?

Thanks again.

-- Tauseef

On Sun, Apr 13, 2008 at 11:32 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> T Kid82 wrote:
>> First I added a files sub-section to the modules section within radiusd.conf
>>
>>     files {
>>         Auth-Type := Exec
>>     }
>
> There is already a "files" subsection. It configures the "users" file. You should put the "Auth-Type" entry there, instead of in radiusd.conf.
>
> Oh, and read the documentation for the "users" file.
>
> Alan DeKok.
Re: rlm_exec question
T Kid82 wrote:
> First I added a files sub-section to the modules section within radiusd.conf
>
>     files {
>         Auth-Type := Exec
>     }

There is already a "files" subsection. It configures the "users" file. You should put the "Auth-Type" entry there, instead of in radiusd.conf.

Oh, and read the documentation for the "users" file.

Alan DeKok.
Re: rlm_exec question
Hi Ivan,

I tried two variations. First I added a files sub-section to the modules section within radiusd.conf

    files {
        Auth-Type := Exec
    }

and in the authorize section I put in

    authorize {
        preprocess
        files
    }

This is what I saw in the radius logs

    User-Name = "tkid"
    User-Password = "hlsearch"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1645
    +- entering group authorize
    ++[preprocess] returns ok
    ++[files] returns noop
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [tkid/hlsearch] (from client localhost port 1645)
    Found Post-Auth-Type Reject
    +- entering group REJECT
    expand: %{User-Name} -> tkid
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 79 with timestamp +20
    Ready to process requests.

I also tried adding the DEFAULT as you asked, so I made an addition to the files module

    files {
        DEFAULT Auth-Type := Exec
    }

I got a radiusd.conf syntax error "Expecting section start brace '{' after "DEFAULT Auth-Type"

Let me know what else I need to get going here. It would be great if you can let me know specifically where I have to add config settings since I am not very familiar with freeradius yet. I would really prefer to run a perl script rather than doing a .pm since I tried that before and just kept getting too many errors. I'll consider that once all the options of a perl script have been exhausted.

Thanks everyone for your help.

-- Tauseef

2008/4/13 Ivan Kalik <[EMAIL PROTECTED]>:
> Add files to authorize and put DEFAULT Auth-Type := Exec in it.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 13/4/2008, "T Kid82" <[EMAIL PROTECTED]> wrote:
>> Hi everyone,
>>
>> I am trying to accomplish a very simple task using RADIUS as an authentication proxy. All I need it to do is use the username/password combo sent in, run a perl script to validate those credentials and return a pass or fail. I have my perl script setup to return all the right codes as the radiusd.conf specifies. ( < 0 : fail, 0 : ok , etc...)
>>
>> I have added the following changes to the radiusd.conf file, everything else is as it is out of the box.
>>
>>     authorize {
>>         preprocess
>>         exec
>>     }
>>
>>     authenticate {
>>         Auth-Type Exec {
>>             exec
>>         }
>>     }
>>
>> In the modules section I added my program name / perl script (the location is just a temp thing to get this going):
>>
>>     exec {
>>         program = "/usr/bin/authenticate.pl"
>>         wait = yes
>>         input_pairs = request
>>         output_pairs = reply
>>     }
>>
>> When I run radtest, this is what I see in the logs
>>
>>     User-Name = "tkid"
>>     User-Password = "hlsearch"
>>     NAS-IP-Address = 127.0.0.1
>>     NAS-Port = 1645
>>     +- entering group authorize
>>     ++[preprocess] returns ok
>>     Exec-Program output: Error: Password check passed
>>     Exec-Program: returned: 0
>>     ++[exec] returns ok
>>     auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>>     auth: Failed to validate the user.
>>     Login incorrect: [tkid/hlsearch] (from client localhost port 1645)
>>     Found Post-Auth-Type Reject
>>     +- entering group REJECT
>>     expand: %{User-Name} -> tkid
>>     attr_filter: Matched entry DEFAULT at line 11
>>     ++[attr_filter.access_reject] returns updated
>>     Finished request 0.
>>     Going to the next request
>>     Waking up in 4.9 seconds.
>>     Cleaning up request 0 ID 149 with timestamp +10
>>     Ready to process requests.
>>
>> In essence, all I want is authentication and not authorization. How do I accomplish that here?
>>
>> Thanks for your help in advance.
>> Thanks,
>> -- Tauseef
Re: rlm_exec question
Hi,

> authorize {
>     preprocess
>     exec
> }
>
> authenticate {
>     Auth-Type Exec {
>         exec
>     }
> }

remove all those 'exec' and replace them with 'perl', then read experimental.conf and edit accordingly to activate the perl module you've written. don't worry about the experimental name - it's stable and well tested. then read the example supplied perl example and adapt for your own use - ensure you have an authorize() and authenticate() subroutine defined.

alan
Re: rlm_exec question
Add files to authorize and put DEFAULT Auth-Type := Exec in it.

Ivan Kalik
Kalik Informatika ISP

On 13/4/2008, "T Kid82" <[EMAIL PROTECTED]> wrote:
> Hi everyone,
>
> I am trying to accomplish a very simple task using RADIUS as an authentication proxy. All I need it to do is use the username/password combo sent in, run a perl script to validate those credentials and return a pass or fail. I have my perl script setup to return all the right codes as the radiusd.conf specifies. ( < 0 : fail, 0 : ok , etc...)
>
> I have added the following changes to the radiusd.conf file, everything else is as it is out of the box.
>
>     authorize {
>         preprocess
>         exec
>     }
>
>     authenticate {
>         Auth-Type Exec {
>             exec
>         }
>     }
>
> In the modules section I added my program name / perl script (the location is just a temp thing to get this going):
>
>     exec {
>         program = "/usr/bin/authenticate.pl"
>         wait = yes
>         input_pairs = request
>         output_pairs = reply
>     }
>
> When I run radtest, this is what I see in the logs
>
>     User-Name = "tkid"
>     User-Password = "hlsearch"
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 1645
>     +- entering group authorize
>     ++[preprocess] returns ok
>     Exec-Program output: Error: Password check passed
>     Exec-Program: returned: 0
>     ++[exec] returns ok
>     auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>     auth: Failed to validate the user.
>     Login incorrect: [tkid/hlsearch] (from client localhost port 1645)
>     Found Post-Auth-Type Reject
>     +- entering group REJECT
>     expand: %{User-Name} -> tkid
>     attr_filter: Matched entry DEFAULT at line 11
>     ++[attr_filter.access_reject] returns updated
>     Finished request 0.
>     Going to the next request
>     Waking up in 4.9 seconds.
>     Cleaning up request 0 ID 149 with timestamp +10
>     Ready to process requests.
>
> In essence, all I want is authentication and not authorization. How do I accomplish that here?
>
> Thanks for your help in advance.
> Thanks,
> -- Tauseef
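Worked example added here; it is not code from any of the list posts, nor from the FreeRADIUS project. It is a POSIX shell script of the kind the exec instance quoted above (wait = yes, input_pairs = request, output_pairs = reply) would call: it parses the request attributes rlm_exec writes to the program's stdin, prints reply attributes on stdout, and reports its verdict through the exit status using the mapping documented in the exec module's configuration (0 ok, 1 reject, 2 fail, 3 ok, 4 handled, 5 invalid, 6 userlock, 7 notfound, 8 noop, 9 updated); exit 1 is the same reject that the post-proxy script in the first thread on this page returns. It also does what Alan suggests for the lockout question earlier on the page: it keeps per-user failure records and answers userlock once a threshold is reached, here in plain files under a directory rather than a database. The allowlist, STATE_DIR, the --stdin and --demo arguments and every attribute value are constructed assumptions.

```shell
#!/bin/sh
# Added illustration: not code from the FreeRADIUS project or from any post
# on this page. Assumes an exec module instance configured with
#     wait = yes, input_pairs = request, output_pairs = reply
# so the request's attributes arrive on stdin as "Attribute = value" lines
# and every "Attribute = value" line printed on stdout joins the reply.
# The exit status becomes the module return code (the exec config's table):
#     0 ok, 1 reject, 2 fail, 3 ok, 4 handled, 5 invalid, 6 userlock,
#     7 notfound, 8 noop, 9 updated

# Constructed local policy: permitted users with the Session-Timeout to hand back.
ALLOWLIST="alice:3600
bob:1800"

# Hypothetical directory for per-user failure counters (one epoch timestamp per line).
STATE_DIR="${RLM_EXEC_STATE_DIR:-/tmp/rlm_exec_demo}"
MAX_FAILURES=5   # lock the user after this many failures ...
WINDOW=300       # ... within this many seconds

# attr_value PAIRS NAME: print NAME's value from the pair list, quotes stripped.
attr_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name && $2 == "=" {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # drop the "Name = " prefix
            gsub(/^"|"$/, "", v)          # strip surrounding quotes
            print v
            exit
        }'
}

# record_failure USER: remember one failed attempt for USER.
record_failure() {
    mkdir -p "$STATE_DIR"
    date +%s >> "$STATE_DIR/$1.failures"
}

# recent_failures USER: count the failures recorded within WINDOW seconds.
recent_failures() {
    f="$STATE_DIR/$1.failures"
    [ -f "$f" ] || { echo 0; return 0; }
    awk -v now="$(date +%s)" -v w="$WINDOW" \
        '$1 >= now - w { n++ } END { print n + 0 }' "$f"
}

# verify_pairs PAIRS: apply the local policy to one request. Returns
#   0 (ok) and prints the reply attributes when the user is permitted,
#   6 (userlock) when the user has reached MAX_FAILURES recent failures,
#   5 (invalid) when User-Name is missing or malformed,
#   1 (reject) otherwise, after recording the failure.
verify_pairs() {
    user=$(attr_value "$1" User-Name)
    [ -n "$user" ] || { echo "no User-Name in request" >&2; return 5; }
    # The name becomes part of a file path below, so refuse anything
    # outside a conservative character set before it is used.
    case "$user" in
        *[!A-Za-z0-9._@-]*) echo "malformed User-Name" >&2; return 5 ;;
    esac
    if [ "$(recent_failures "$user")" -ge "$MAX_FAILURES" ]; then
        echo "$user is temporarily locked" >&2
        return 6
    fi
    timeout=$(printf '%s\n' "$ALLOWLIST" | awk -F: -v u="$user" '$1 == u { print $2; exit }')
    if [ -z "$timeout" ]; then
        record_failure "$user"
        return 1
    fi
    printf 'Session-Timeout = %s\n' "$timeout"
    printf 'Reply-Message = "local verification passed"\n'
    return 0
}

# Entry points. rlm_exec would run this as: program = "/path/to/script --stdin"
# (hypothetical path); --demo processes a constructed request instead.
case "${1:-}" in
    --stdin)
        verify_pairs "$(cat)"
        exit $?
        ;;
    --demo)
        DEMO_REQ='User-Name = "alice"
User-Password = "secret"
NAS-IP-Address = 127.0.0.1'
        rc=0; verify_pairs "$DEMO_REQ" || rc=$?
        echo "exit status: $rc"
        ;;
esac
```

The script only reads stdin when started with --stdin, so the exec instance would point at it with program = "/path/to/script --stdin" (hypothetical path); --demo runs it over the constructed request. User-Name is checked against a conservative character set before it names a counter file, since that value arrives straight from the NAS. And, as the first thread on this page reports for 2.1.10/2.1.11, a reject from post-proxy did not on its own override the home server's Access-Accept, so which section the instance is listed in decides whether its exit status has any effect.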
Re: rlm_exec use
> Yes... but from the debug output you posted, it looks like you deleted everything *else*

The debug output I pasted was not in its entirety. I did not paste any preceding output since it looked fine to me. No errors.

> Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".

That is a revelation to me.

> You set Auth-Type just like setting any other attribute. See "man unlang" for examples.

I will definitely look through the documentation. Is there a specific Auth-Type that would be appropriate for my simple case? I guess what I am asking is, can you give me an example of an Auth-Type other than the Perl example?

On Wed, Mar 19, 2008 at 1:59 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> T Kid82 wrote:
>> I got this from the comments in exec-program-wait (which has been deprecated) where it explains how to use rlm_exec. It says,
>>
>> "An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script."
>
> Yes... but from the debug output you posted, it looks like you deleted everything *else*.
>
>>> Why would this let all users through?
>> I thought that since I am always returning 3 to the server, that this would let all users pass through.
>
> Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".
>
>>> you didn't set Auth-Type
>> Where do I set the Auth-Type? Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.
>
> You set Auth-Type just like setting any other attribute. See "man unlang" for examples.
>
> Alan DeKok.
Re: rlm_exec use
T Kid82 wrote:
>> Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".
>
> That is a revelation to me.

A simple explanation: There are many modules that are executed for each authentication request. If "ok" meant "let the user in", then *any* time a module worked, it would let the user in. This just doesn't make sense.

>> You set Auth-Type just like setting any other attribute. See "man unlang" for examples.
>
> I will definitely look through the documentation. Is there a specific Auth-Type that would be appropriate for my simple case? I guess what I am asking is, can you give me an example of an Auth-Type other than the Perl example?

If you want your "exec" module to be run, create an Auth-Type for it. This is the purpose of the Auth-Type sub-sections of "authenticate".

Alan DeKok.
Re: rlm_exec use
T Kid82 wrote:
> I got this from the comments in exec-program-wait (which has been deprecated) where it explains how to use rlm_exec. It says,
>
> "An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script."

Yes... but from the debug output you posted, it looks like you deleted everything *else*.

>> Why would this let all users through?
> I thought that since I am always returning 3 to the server, that this would let all users pass through.

Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".

>> you didn't set Auth-Type
> Where do I set the Auth-Type? Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.

You set Auth-Type just like setting any other attribute. See "man unlang" for examples.

Alan DeKok.
Re: rlm_exec use
On Mar 19, 2008, at 11:34, T Kid82 wrote:
>> You have put significant effort into butchering the default configuration. Why?
>
> I got this from the comments in exec-program-wait (which has been deprecated) where it explains how to use rlm_exec. It says,
>
> "An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script."
>
>     authorize {
>         ...
>         exec
>         ...
>     }
>
> I also added
>
>     exec {
>         program = "/usr/local/etc/raddb/authenticate"
>         wait = yes
>         input_pairs = request
>         output_pairs = reply
>     }
>
> to my radiusd.conf which is also from the comments in exec-program-wait
>
>> Why would this let all users through?
>
> I thought that since I am always returning 3 to the server, that this would let all users pass through.
>
>> you didn't set Auth-Type
>
> Where do I set the Auth-Type? Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.
>
>> If you think this isn't necessary, then you need to spend more time understanding how the server works.
>
> I don't know either way. That's why I decided to mail the list. I have looked through quite a bit of documentation but I didn't find much on this particular module

It's not obvious what you are really trying to accomplish. However, I suspect you would like to use your own special criteria for determining if access should be permitted. rlm_exec is a very inefficient way to do that. You can make it work, but it will require extensive forks and perform rather poorly. rlm_perl works a whole lot better. However, if you are really concerned about performance, you should consider rolling your own module. There is an example of how to do that in the wiki. That will give you the best performance as you will not incur the perl overhead either.

There is a really big difference between authorization and authentication modules. Creating an authorization module is probably all you need to do. Authentication modules require much more than just including them in the list of authentication modules. I understand that you also might have to modify the base radiusd code for them in addition to creating a module that requires some very special structuring.

Freeradius separates the concepts of authentication from authorization to relieve you of the details of some of the very complex authentication schemes. Generally all you need to deal with is authorization. If you use the default authentication setup, radiusd will figure out which method to use and take care of it.

If you are going to make major mods to the configuration, you will need to start reading the source code. There just isn't that much documented beyond that.
Re: rlm_exec use
> You have put significant effort into butchering the default configuration. Why?

I got this from the comments in exec-program-wait (which has been deprecated) where it explains how to use rlm_exec. It says,

"An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script."

    authorize {
        ...
        exec
        ...
    }

I also added

    exec {
        program = "/usr/local/etc/raddb/authenticate"
        wait = yes
        input_pairs = request
        output_pairs = reply
    }

to my radiusd.conf which is also from the comments in exec-program-wait

> Why would this let all users through?

I thought that since I am always returning 3 to the server, that this would let all users pass through.

> you didn't set Auth-Type

Where do I set the Auth-Type? Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.

> If you think this isn't necessary, then you need to spend more time understanding how the server works.

I don't know either way. That's why I decided to mail the list. I have looked through quite a bit of documentation but I didn't find much on this particular module

On Wed, Mar 19, 2008 at 1:17 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> T Kid82 wrote:
>> I have been trying to get RADIUS to run a perl script which would authenticate users (and yes I have tried rlm_perl but I decided against it).
>
> Why? It is *much* more efficient than exec'ing a program.
> ...
>
>> Exec-Program output:
>> Exec-Program: returned: 3
>> ++[exec] returns ok
>> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
> That would seem to be clear.
>
>> This is what I have in my radiusd.conf
>>
>>     authorize {
>>         exec
>>     }
>>
>>     authentication {
>>         Auth-Type Exec {
>>             exec
>>         }
>
> You have put significant effort into butchering the default configuration. Why?
>
>> I would think this should let all users pass through but it doesn't seem to be doing that. What am I missing here?
>
> Why would this let all users through? The debug output is clear: you didn't set Auth-Type. So authentication fails.
>
> The default configuration Just Does the Right Thing. If you're going to drastically edit the configuration, then you need to understand how the server works. In this case, fix the problem printed out by the debug log: set Auth-Type. If you think this isn't necessary, then you need to spend more time understanding how the server works.
>
> Alan DeKok.
Re: rlm_exec use
T Kid82 wrote:
> I have been trying to get RADIUS to run a perl script which would authenticate users (and yes I have tried rlm_perl but I decided against it).

Why? It is *much* more efficient than exec'ing a program.

...

> Exec-Program output:
> Exec-Program: returned: 3
> ++[exec] returns ok
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

That would seem to be clear.

> This is what I have in my radiusd.conf
>
>     authorize {
>         exec
>     }
>
>     authentication {
>         Auth-Type Exec {
>             exec
>         }

You have put significant effort into butchering the default configuration. Why?

> I would think this should let all users pass through but it doesn't seem to be doing that. What am I missing here?

Why would this let all users through? The debug output is clear: you didn't set Auth-Type. So authentication fails.

The default configuration Just Does the Right Thing. If you're going to drastically edit the configuration, then you need to understand how the server works. In this case, fix the problem printed out by the debug log: set Auth-Type. If you think this isn't necessary, then you need to spend more time understanding how the server works.

Alan DeKok.
Re: rlm_exec and authentication
Oguzhan Kayhan wrote:
> Thanks for your reply but I am pretty new to freeradius. So...
> Where is that scripts folder? Or do I have to make settings under the
> radiusd.conf file?

The file is in the distribution "tar" file. It contains comments explaining how to use it.

> An example config file will help me a lot for sure..
> Or documentation about it with examples.

The file has documentation. The server comes with documentation for the "exec" module, which is another method of achieving the same goal.

Do you have a *specific* question about the documentation?

Alan DeKok.
Re: rlm_exec and authentication
On Monday 03 December 2007 12:56:07 Alan DeKok wrote:
> Oguzhan Kayhan wrote:
> > I wanna write an authentication script which will control the
> > username&password pair from an IMAP server. Actually the script is about
> > ready but I couldn't find a way to execute it from radius.
>
> scripts/exec-program-wait
>
> Alan DeKok.

Hi Alan,

Thanks for your reply but I am pretty new to freeradius. So... Where is that scripts folder? Or do I have to make settings under the radiusd.conf file?

An example config file will help me a lot for sure, or documentation about it with examples.
Re: rlm_exec and authentication
Oguzhan Kayhan wrote:
> I wanna write an authentication script which will control the
> username&password pair from an IMAP server. Actually the script is about
> ready but I couldn't find a way to execute it from radius.

scripts/exec-program-wait

Alan DeKok.
Re: rlm_exec documentation
Patric wrote:
> Hi guys,
>
> I'm busy trying to figure out how to implement rlm_exec, and am really battling to find documentation to this end. Can anybody point me in the right direction? I don't mind doing the legwork myself, but I'm getting nowhere fast...
>
> I am using freeradius 1.1.3
>
> Thanks a stack!
> Patric

As per Murphy, I found what I was looking for just after sending this off... Still a bit sketchy on the details but will read up a bit more before posting again.

Thanks!
Patric
Re: rlm_exec
Leandro Pereira de Lima e Silva - ViaLink <[EMAIL PROTECTED]> wrote:
> sorry, but I couldn't find specific information about the rlm_exec module in
> the documentation.

radiusd.conf comes with voluminous comments saying what it does, and how to use it.

Alan DeKok.
Re: rlm_exec
Alan,

sorry, but I couldn't find specific information about the rlm_exec module in the documentation. If someone said that it could be used that way, my next question would be where I can find good documentation explaining how to work with this module.

My intention really wasn't to upset you.

Leandro.

Alan DeKok wrote:
> Leandro Pereira de Lima e Silva - ViaLink <[EMAIL PROTECTED]> wrote:
> > Can I use it to delegate authentication and/or accounting to some other
> > script outside freeradius?
>
> Can you read the documentation describing the module? I don't understand
> why the existing documentation isn't good enough. It answers your questions.
>
> Alan DeKok.

-- 
Leandro Pereira de Lima e Silva
http://www.vialink.com.br/
"The true measure of a man's character is what he would do if he knew he would never be found out." -- Thomas B. Macaulay
Re: rlm_exec
Leandro Pereira de Lima e Silva - ViaLink <[EMAIL PROTECTED]> wrote:
> Can I use it to delegate authentication and/or accounting to some other
> script outside freeradius?

Can you read the documentation describing the module? I don't understand why the existing documentation isn't good enough. It answers your questions.

Alan DeKok.
Re: rlm_exec
Can I use it to delegate authentication and/or accounting to some other script outside freeradius?

Thanks,
Leandro.

Stefan Winter wrote:
> Hi,
>
> > does anyone know what the rlm_exec module does?
>
> it executes commands. You can feed it with AVPs via environment variables
> so that it does whatever magic you want it to.
>
> Greetings,
>
> Stefan Winter

-- 
Leandro Pereira de Lima e Silva
http://www.vialink.com.br/
"The true measure of a man's character is what he would do if he knew he would never be found out." -- Thomas B. Macaulay
Re: rlm_exec
Hi,

> does anyone know what the rlm_exec module does?

it executes commands. You can feed it with AVPs via environment variables so that it does whatever magic you want it to.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu      Fax: +352 422473
Re: rlm_exec does not change already existing attributes
Dmitry Lyubimkov wrote: In the rlm_exec module for change of attributes according to result of script it is used if (output_pairs) pairmove(output_pairs, &answer); in function static int exec_dispatch(void *instance, REQUEST *request) But function pairmove in valuepair.c does only the following /* * Move attributes from one list to the other * if not already present. */ void pairmove(VALUE_PAIR **to, VALUE_PAIR **from) I.e. if such attribute does not exist that it will be added, and if already exists, will take place nothing. As result using an external script we can only add new attributes, but we can not change existing attributes! How to change User-Name in Radius request? Is it possible to change existing attributes in the simple way without change of the module rlm_exec code? Dmitry if you keep reading in that function you will find that certain operators produce different behavior. Furthermore, if you look at the server's version of valuepair.c (not lib/valuepair.c but main/valuepair.c ) you might decide to patch your version of rlm_exec to use pairxlatmove() instead. My local radiusd runs with this patches which further extends/corrects pairxlatmove() #! /bin/sh /usr/share/dpatch/dpatch-run ## 030-substar_regex.patch.dpatch by <[EMAIL PROTECTED]> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad freeradius-1.1.0~/man/man5/users.5 freeradius-1.1.0/man/man5/users.5 --- freeradius-1.1.0~/man/man5/users.5 2005-10-21 16:07:29.0 -0400 +++ freeradius-1.1.0/man/man5/users.5 2005-10-21 16:07:30.0 -0400 
@@ -95,6 +95,25 @@ As a reply item, it has an identical meaning, but the attribute is added to the reply items. + +.TP 0.5i +.B "Attribute -= Value" +As a reply item it means remove matching items from the reply list. +.br +Not allowed as a check item. + +.TP 0.5i +.B "Attribute -* Value" +As a reply item it means remove all "Attribute" attributes items from the reply list. +.br +Not allowed as a check item. + +.TP 0.5i +.B "Attribute -~ Value" +As a reply item it means remove regex matching items from the reply list. +.br +Not allowed as a check item. + .TP 0.5i .B "Attribute != Value" As a check item, matches if the given attribute is in the request, AND diff -urNad freeradius-1.1.0~/src/include/token.h freeradius-1.1.0/src/include/token.h --- freeradius-1.1.0~/src/include/token.h 2005-10-21 16:07:29.0 -0400 +++ freeradius-1.1.0/src/include/token.h2005-10-21 16:07:30.0 -0400 @@ -35,6 +35,8 @@ T_OP_ADD,/* += */ T_OP_SUB,/* -= */ + T_OP_SUB_ALL,/* -* */ + T_OP_SUB_REG,/* -~ */ T_OP_SET,/* := */ T_OP_EQ, /* = */ T_OP_NE, /* != */ diff -urNad freeradius-1.1.0~/src/lib/print.c freeradius-1.1.0/src/lib/print.c --- freeradius-1.1.0~/src/lib/print.c 2005-10-21 16:07:29.0 -0400 +++ freeradius-1.1.0/src/lib/print.c2005-10-21 16:07:30.0 -0400 @@ -243,6 +243,8 @@ ";", "+=", "-=", + "-*", + "-~", ":=", "=", "!=", diff -urNad freeradius-1.1.0~/src/lib/token.c freeradius-1.1.0/src/lib/token.c --- freeradius-1.1.0~/src/lib/token.c 2005-10-21 16:07:29.0 -0400 +++ freeradius-1.1.0/src/lib/token.c2005-10-21 16:07:30.0 -0400 @@ -39,6 +39,8 @@ { ",", T_COMMA,}, { "+=", T_OP_ADD, }, { "-=", T_OP_SUB, }, + { "-*", T_OP_SUB_ALL, }, + { "-~", T_OP_SUB_REG, }, { ":=", T_OP_SET, }, { "=*", T_OP_CMP_TRUE, }, { "!*", T_OP_CMP_FALSE, }, diff -urNad freeradius-1.1.0~/src/main/valuepair.c freeradius-1.1.0/src/main/valuepair.c --- freeradius-1.1.0~/src/main/valuepair.c 2005-10-21 16:07:29.0 -0400 +++ freeradius-1.1.0/src/main/valuepair.c 2005-10-21 16:10:00.0 -0400 
@@ -487,7 +487,128 @@ return compare_pair( req, first, second, NULL, NULL ); } +/* + * Compare ONE attribute from a (potential) list. + * Return the first matching one. + */ + +static VALUE_PAIR * paircmpmatchone(REQUEST *req, VALUE_PAIR *first, VALUE_PAIR *second) +{ + VALUE_PAIR *fnext = NULL; + VALUE_PAIR *snext = NULL; + int result = 0; + + for(; second; second = second->next){ + for(; first; first = first->next){ + if(first->attribute == second->attribute){ + /* No matter what, compare only THESE items in chain */ + fnext = first->next; + first->next = NULL; + snext = second->next; + second->next = NULL; + result = simplepaircmp(req, first, second); +
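Review bot: in the token.h hunk, T_OP_SUB_ALL and T_OP_SUB_REG are inserted in the middle of the enum, which renumbers T_OP_SET and every token after it; the print.c string table is updated at the same position here, but any other table or switch indexed by the raw token value has to be updated in exactly the same order or operator printing and parsing go out of sync. Appending the two new tokens at the end of the enum would leave the existing numbering untouched.

Review bot: in the users.5 hunk, the text for "-*" ("remove all "Attribute" attributes items from the reply list") reads awkwardly; suggest "remove every instance of Attribute from the reply list". For "-~" the entry should also say which regular expression syntax the value is matched with, since the surrounding man page text never states it.

Review bot: in the valuepair.c hunk, paircmpmatchone unlinks both lists in place (first->next = NULL; second->next = NULL) so that simplepaircmp sees a single pair, and the hunk as quoted ends before fnext and snext are put back; every exit from the inner loop, including an early return on a match, must restore both pointers or the reply list is silently truncated after the first compared attribute. The nested loops are also quadratic in the list lengths, which is acceptable for reply lists but deserves a comment.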
Re: rlm_exec question
Hello Victor,

as I understand you want to rewrite the Acct-Session-Id from "123456/*" to "123456", but the part behind the slash is variable and rlm_attr_rewrite can't do regular expressions as far as I know. I don't know which module can rewrite accounting packets too besides rlm_attr_rewrite. Would be very interesting to know how this could be accomplished. Maybe anyone from the list does have an answer...

regards,
christian

--On Tuesday, October 11, 2005 15:43:46 +0400 "Victor M. Polukcht" <[EMAIL PROTECTED]> wrote:

> Hi all.
>
> I have hardware that sends me accounting using the radius protocol. I have two records:
>
> (Acct-Session-Id, Start Record)
> 14346//[EMAIL PROTECTED]/40AB4B43 ADA86932 80450002 401E622/originate/VoIP62.152.64.32
>
> (Acct-Session-Id, Stop Record)
> 14346///40AB4B43 ADA86932 80450002 A401E622/answer/VoIP/13:08:48.000 GMT Tue Oct 11 2005/13:09:03.000 GMT Tue Oct 11 2005/16/62.152.64.203
>
> You see that the only common part of the records is the first 5 digits at the beginning. I need to change this attribute to 14346 before it is uploaded to the database. I have a script that cuts the digits:
>
> #!/bin/bash
> echo "$1" | awk -F / '{print "Acct-Session-Id = " $1}'
> exit 0
>
> But I don't know what to write in radiusd.conf
>
> Now I did:
>
> radiusd.conf
> ...
> exec {
>         wait = yes
>         program = "/opt/gk/radius/bin/acct_parse %{Acct-Session-Id}"
>         input_pairs = request
>         output_pairs = request
>         packet_type = Accounting-Request
> }
>
> accounting {
>         exec
>         ...
> }
>
> But it doesn't work. In debug mode I see:
>
> radius_xlat: '/opt/gk/radius/bin/acct_parse 14405///22CE4B43 EF5D8704 806B0002 A401E622/answer/VoIP/15:37:36.000 GMT Tue Oct 11 2005/15:37:50.000 GMT Tue Oct 11 2005/16/62.152.64.203'
> Exec-Program: /opt/gk/radius/bin/acct_parse 14405///22CE4B43 EF5D8704 806B0002 A401E622/answer/VoIP/15:37:36.000 GMT Tue Oct 11 2005/15:37:50.000 GMT Tue Oct 11 2005/16/62.152.64.203
> Exec-Program output: Acct-Session-Id = 14405
> Exec-Program-Wait: value-pairs: Acct-Session-Id = 14405
> Exec-Program: returned: 0
> modcall[accounting]: module "exec" returns ok for request 1
>
> What am I doing wrong and what should I do?
>
> PS: Sorry for terrible english
>
> --
> Victor M. Polukcht
> mailto:[EMAIL PROTECTED]
> callto://vpolukcht/
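An added example for Victor's rewrite (not his acct_parse script and not FreeRADIUS code): an rlm_exec program that reduces Acct-Session-Id to its numeric prefix. It assumes, as neither post confirms, that the attribute reaches the program as the ACCT_SESSION_ID environment variable rather than through "%{Acct-Session-Id}" on the command line (which the server splits on the spaces inside the value), and that an output line written with ":=" replaces the existing request attribute, whereas "=" only adds a pair when none exists, the pairmove behaviour described in the "does not change already existing attributes" thread above.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS.
# Intended for:  exec { wait = yes  input_pairs = request
#                       output_pairs = request  packet_type = Accounting-Request }
#
# Assumptions (see lead-in): ACCT_SESSION_ID is exported by rlm_exec, and
# "Attribute := value" on stdout overwrites the attribute already in the request.

# Print the digits before the first "/". Fails when that prefix is empty or
# not purely numeric, which covers both record layouts from the thread:
#   Start: 14346//user/40AB4B43 .../originate/VoIP...
#   Stop:  14346///40AB4B43 .../answer/VoIP/...
session_prefix() {
    prefix=${1%%/*}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$prefix"
}

# Emit the replacement pair for rlm_exec. The ":=" operator is the
# assumption that makes this a rewrite instead of a no-op.
rewrite_session_id() {
    p=$(session_prefix "$1") || return 1
    printf 'Acct-Session-Id := "%s"\n' "$p"
}

# Entry point when started by the server. An id that does not fit the
# expected shape is left untouched (nothing printed, exit 0) so the record
# is still stored and can be found later, rather than being dropped.
if [ -n "${ACCT_SESSION_ID:-}" ]; then
    rewrite_session_id "$ACCT_SESSION_ID" || :
    exit 0
fi
```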
Re: rlm_exec and retriving RAD_REQUEST attribute values
Matt morris wrote:
> Hello list,
>
> This has probably been asked a lot of times before, but I just couldn't
> get the attribute values from accounting request packets with my
> perl script. I am trying to do some database queries when I receive
> stop accounting request packets, here are the relevant sections of my
> radiusd.conf and script file:

You're mixing up 2 modules: rlm_exec and rlm_perl. You configured your radius to use rlm_exec, but you're using a sample script for rlm_perl, which is completely different!

There's a sample for rlm_exec at
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/scripts/exec-program-wait?rev=1.4&content-type=text/x-cvsweb-markup

-- 
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: rlm_exec
Doug Hardie <[EMAIL PROTECTED]> wrote:
> Are there any performance differences to having 2 rlm's vs one?

No.

Alan DeKok.
Re: rlm_exec
I have 2 exec-prog-wait modules that I am converting to rlms. The process fork time is very significant for both because of the various startup things that have to be done. By making them rlm's that is done infrequently.

One of them is for authorization and the other for accounting. I have already created the accounting rlm and it seems to work fine. The question I have is should I add the authorization code to that rlm or create a separate rlm? There is virtually no commonality between them. Both are fairly complex so intermingling them in the same source file will make it fairly difficult to read/maintain.

Are there any performance differences to having 2 rlm's vs one?
Re: rlm_exec: Wait=yes but no output defined
On Thu, Mar 31, 2005 at 11:33:00AM -0800, Rick Kunkel wrote:
> Heya all,
>
> I'm getting this warning when running. The longer version, in debugging
> mode, is this:
>
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
>
> This doesn't seem to be a section I'm using. Should I just comment it
> out? Or maybe put "output = none" after "input_pairs = request"? It
> seems a harmless error, but I figured I'd clean it up anyhow.

That's a known bug (and harmless, as you say) in 1.0.2. The error message _should_ say "output_pairs=none" but if you put that, it will refuse to start because a defined output_pairs and wait=no are incompatible.

FreeRADIUS 1.1's default for output_pairs is "none", so for wait=no you can leave it blank. (A null-program'd exec is a different case.) Or at least I think it is... Gotta check that.

> Is this the default setting? And if so, why not simply comment it out or
> put that "output = none" in by default too?

-- 
Paul "TBBle" Hampson, on an alternate email client.
Re: rlm_exec fail V reject
Paul Hampson wrote:
> On Thu, Nov 18, 2004 at 05:14:47PM -0800, Jev wrote:
> > Ok, great Paul, thank you!
> >
> > Is it this patch:
> > http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00132.html
> > that you plan to apply? Is the patch in that post the most recent? I ask
> > because I may attempt to apply and build it myself, so I can proceed
> > with some testing that I need this feature for...
>
> That patch, with the changes described here:
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg10746.html
> except the line number in rlm_exec is wrong... Oh heck, here's the patch
> as it sits in my source tree. ^_^

Thanks again Paul, I hope to have time to try it over the weekend myself. If I succeed I'll let you know...

Regards,
-Jev

[snip]
Re: rlm_exec fail V reject
On Thu, Nov 18, 2004 at 05:14:47PM -0800, Jev wrote: > Ok, great Paul, thank you! > > Is it this patch: > http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00132.html > > that you plan to apply? Is the patch in that post the most recent? I ask > because I may attempt to apply and build it my self, so I can proceed > with some testing that I need this feature for... That patch, with the changes described here: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg10746.html except the line number in rlm_exec is wrong... Oh heck, here's the patch as it sits in my source tree. ^_^ (No documentation changes yet though. That'll come, but the changes are pretty much fully descriped in the above threads. Index: src/main/exec.c === RCS file: /source/radiusd/src/main/exec.c,v retrieving revision 1.44 diff -u -r1.44 exec.c --- src/main/exec.c 12 Oct 2004 17:46:39 - 1.44 +++ src/main/exec.c 19 Nov 2004 02:40:46 - @@ -562,5 +562,5 @@ radlog(L_ERR|L_CONS, "Exec-Program: Abnormal child exit: %s", strerror(errno)); - return 1; + return 2; } Index: src/modules/rlm_exec/rlm_exec.c === RCS file: /source/radiusd/src/modules/rlm_exec/rlm_exec.c,v retrieving revision 1.11 diff -u -r1.11 rlm_exec.c --- src/modules/rlm_exec/rlm_exec.c 26 Feb 2004 19:04:32 - 1.11 +++ src/modules/rlm_exec/rlm_exec.c 19 Nov 2004 02:40:47 - @@ -332,7 +332,7 @@ result = radius_exec_program(inst->program, request, inst->wait, NULL, 0, *input_pairs, &answer); - if (result != 0) { + if (result < 0) { radlog(L_ERR, "rlm_exec (%s): External script failed", inst->xlat_name); return RLM_MODULE_FAIL; @@ -347,7 +347,13 @@ pairfree(&answer); - return RLM_MODULE_OK; + if (result == 0) { + return RLM_MODULE_OK; + } + if (result > RLM_MODULE_NUMCODES) { + return RLM_MODULE_FAIL; + } + return result-1; } -- Paul "TBBle" Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
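Review bot: in the exec.c hunk, returning 2 for an abnormal child exit collides with a script that legitimately exits 2: both reach rlm_exec as result == 2 and become RLM_MODULE_FAIL, so the module result can no longer tell a crashed child from a script that asked for FAIL, and only the radlog line before the return distinguishes them. Document that sentinel at the return, or keep a distinct negative value for the abnormal case, since the rlm_exec hunk already treats anything below zero as failure.

Review bot: in the @@ -332 hunk, relaxing the test to result < 0 means an exit status above RLM_MODULE_NUMCODES is no longer logged as "External script failed", yet the @@ -347 hunk turns exactly that case into RLM_MODULE_FAIL; add a radlog in that branch so an out-of-range exit status (a mistyped exit code, a wrong interpreter) shows up in the server log instead of a bare FAIL.

Review bot: in the @@ -347 hunk, return result-1 ties the script exit-status contract to the current order of the RLM_MODULE_* enum (REJECT = 0 through UPDATED = 8, per the table earlier in the thread); a later reordering of that enum would silently change what every deployed script's exit codes mean. State the mapping in a comment next to the return, and, as the mail itself concedes, the documentation change is still outstanding. The boundary itself is right: result == RLM_MODULE_NUMCODES yields NUMCODES-1, the last valid code.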
Re: rlm_exec fail V reject
Ok, great Paul, thank you!

Is it this patch:
http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00132.html
that you plan to apply? Is the patch in that post the most recent? I ask because I may attempt to apply and build it myself, so I can proceed with some testing that I need this feature for...

Thanks!
-Jev

Paul Hampson wrote:
> On Thu, Nov 18, 2004 at 02:52:35PM -0800, Jev wrote:
> > I'm calling an external script via the rlm_exec module, when I return a
> > non 0 (ie -1) value from my script I need radius to send an access-reject
> > response to the client.
> >
> > I came across this thread:
> > http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg10671.html
> >
> > Was a patch ever committed for this, or is there another solution that
> > can satisfy my requirement? I'm running 1.0.0 right now.
>
> I intend to test and commit that patch this weekend, but it'll be to CVS
> HEAD, so you'll have to build your own FreeRADIUS until 1.1.0 is released.
Re: rlm_exec vs Exec-Program-Wait attribute
On Sat, Sep 04, 2004 at 07:56:29PM +0200, Thor Spruyt wrote:
> Paul Hampson wrote:
> > New behaviour: (Replaces behaviour identical to <0 above)
> > If the program returns 1 through RLM_MODULE_NUMCODES, return the
> > appropriate code and attributes as expected.
> > 1 RLM_MODULE_REJECT,   /* immediately reject the request */
> > 2 RLM_MODULE_FAIL,     /* module failed, don't reply */
> > 3 RLM_MODULE_OK,       /* the module is OK, continue */
> > 4 RLM_MODULE_HANDLED,  /* the module handled the request, so stop. */
> > 5 RLM_MODULE_INVALID,  /* the module considers the request invalid. */
> > 6 RLM_MODULE_USERLOCK, /* reject the request (user is locked out) */
> > 7 RLM_MODULE_NOTFOUND, /* user not found */
> > 8 RLM_MODULE_NOOP,     /* module succeeded without doing anything */
> > 9 RLM_MODULE_UPDATED,  /* OK (pairs modified) */
>
> Looks ok.
>
> > If it returns > RLM_MODULE_NUMCODES, return RLM_MODULE_OK. (as for 0)
>
> Maybe it's better to return RLM_MODULE_FAIL in this case.
>
> > This then leads the question, what return code do we want for when the
> > child process terminates abnormally? (!WIFEXITED or rad_waitpid
> > returns something other than the child's pid)... If we leave it as it
> > is, it's RLM_MODULE_REJECT with the below patch... Would
> > RLM_MODULE_FAIL be better? (Changes return 1 at src/main/exec.c:390
> > to return 2... This
>
> I guess RLM_MODULE_FAIL would be better here.
>
> --
> Regards,
>
> Thor Spruyt

I also agree with Thor's input.

-- 
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
Re: rlm_exec vs Exec-Program-Wait attribute
On Sat, Sep 04, 2004 at 07:56:29PM +0200, Thor Spruyt wrote:
> Paul Hampson wrote:
> > New behaviour: (Replaces behaviour identical to <0 above)
> > If the program returns 1 through RLM_MODULE_NUMCODES, return the
> > appropriate code and attributes as expected.
[trim]
> > If it returns > RLM_MODULE_NUMCODES, return RLM_MODULE_OK. (as for 0)
> Maybe it's better to return RLM_MODULE_FAIL in this case.

Yes, quite probably. I only noticed afterwards (when checking the usage of the return value for the last paragraph) that normally >0 is RLM_MODULE_FAIL too. This seems wrong to me, in so far as I expect <0 to be failure, and >0 success, but for historical reasons you're right.

> > This should work for everyone using 0 = success and -1 = failure, but
> > I'll prolly catch people who're using >0 for failure, which is
> > possible but (slightly) deranged. ^_^;
> I guess they can easily change their programs if this is the case.
> Otherwise a configuration option which activates this new behaviour might
> solve this:
> rlm_module_returncodes = yes
> If this configuration item is "yes", then use the new return code
> interpretation (maybe without the -1):
> If this configuration item is absent or anything else than "yes", then use
> the old return code interpretation (0=ok, !0=fail)

I'm hoping to avoid another configuration option. The idea is to make it a slightly painful but important migration... The _goal_ is to get rlm_exec to be a fully-useful replacement for Exec-Program{,-Wait} so we can get rid of the latter, which has (as I understand) problems we don't want to (or can't reasonably) fix.

> > This then leads the question, what return code do we want for when the
> > child process terminates abnormally? (!WIFEXITED or rad_waitpid
> > returns something other than the child's pid)... If we leave it as it
> > is, it's RLM_MODULE_REJECT with the below patch... Would
> > RLM_MODULE_FAIL be better? (Changes return 1 at src/main/exec.c:390
> > to return 2... This
> I guess RLM_MODULE_FAIL would be better here.

OK.

-- 
Paul "TBBle" Hampson, on an alternate email client.
Re: rlm_exec vs Exec-Program-Wait attribute
Paul Hampson wrote:
> New behaviour: (Replaces behaviour identical to <0 above)
> If the program returns 1 through RLM_MODULE_NUMCODES, return the
> appropriate code and attributes as expected.
> 1 RLM_MODULE_REJECT,   /* immediately reject the request */
> 2 RLM_MODULE_FAIL,     /* module failed, don't reply */
> 3 RLM_MODULE_OK,       /* the module is OK, continue */
> 4 RLM_MODULE_HANDLED,  /* the module handled the request, so stop. */
> 5 RLM_MODULE_INVALID,  /* the module considers the request invalid. */
> 6 RLM_MODULE_USERLOCK, /* reject the request (user is locked out) */
> 7 RLM_MODULE_NOTFOUND, /* user not found */
> 8 RLM_MODULE_NOOP,     /* module succeeded without doing anything */
> 9 RLM_MODULE_UPDATED,  /* OK (pairs modified) */

Looks ok.

> If it returns > RLM_MODULE_NUMCODES, return RLM_MODULE_OK. (as for 0)

Maybe it's better to return RLM_MODULE_FAIL in this case.

> This should work for everyone using 0 = success and -1 = failure, but
> I'll prolly catch people who're using >0 for failure, which is
> possible but (slightly) deranged. ^_^;

I guess they can easily change their programs if this is the case. Otherwise a configuration option which activates this new behaviour might solve this:

    rlm_module_returncodes = yes

If this configuration item is "yes", then use the new return code interpretation (maybe without the -1):
If this configuration item is absent or anything else than "yes", then use the old return code interpretation (0=ok, !0=fail)

> Patch for discussion. I decided to try this route when I couldn't
> think what to use for a module call that failed but returned
> attributes.
>
> This then leads the question, what return code do we want for when the
> child process terminates abnormally? (!WIFEXITED or rad_waitpid
> returns something other than the child's pid)... If we leave it as it
> is, it's RLM_MODULE_REJECT with the below patch... Would
> RLM_MODULE_FAIL be better? (Changes return 1 at src/main/exec.c:390
> to return 2... This

I guess RLM_MODULE_FAIL would be better here.

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Re: rlm_exec vs Exec-Program-Wait attribute
On Fri, Sep 03, 2004 at 01:33:15PM -0400, Alan DeKok wrote:
> "Thor Spruyt" <[EMAIL PROTECTED]> wrote:
> > I hope the rlm_exec module is going to be changed to enable outputting
> > Reject attributes! If you have to run 2 scripts each time, what's the whole
> > point of making the module?
> The module can be updated, once patches are supplied.

Hmm. How about this, everyone?

Current behaviour retained:
If the program returns <0, no attributes, RLM_MODULE_FAIL, errorlog
If the program returns 0, attributes, RLM_MODULE_OK

New behaviour: (Replaces behaviour identical to <0 above)
If the program returns 1 through RLM_MODULE_NUMCODES, return the appropriate code and attributes as expected.

    1 RLM_MODULE_REJECT,   /* immediately reject the request */
    2 RLM_MODULE_FAIL,     /* module failed, don't reply */
    3 RLM_MODULE_OK,       /* the module is OK, continue */
    4 RLM_MODULE_HANDLED,  /* the module handled the request, so stop. */
    5 RLM_MODULE_INVALID,  /* the module considers the request invalid. */
    6 RLM_MODULE_USERLOCK, /* reject the request (user is locked out) */
    7 RLM_MODULE_NOTFOUND, /* user not found */
    8 RLM_MODULE_NOOP,     /* module succeeded without doing anything */
    9 RLM_MODULE_UPDATED,  /* OK (pairs modified) */

If it returns > RLM_MODULE_NUMCODES, return RLM_MODULE_OK. (as for 0)

This should work for everyone using 0 = success and -1 = failure, but I'll prolly catch people who're using >0 for failure, which is possible but (slightly) deranged. ^_^;

Hopefully this allows everyone to do what they need to do, and we can finally deprecate Exec-Program-Wait and Exec-Program. ^_^

Patch for discussion. I decided to try this route when I couldn't think what to use for a module call that failed but returned attributes.

This then leads the question, what return code do we want for when the child process terminates abnormally? (!WIFEXITED or rad_waitpid returns something other than the child's pid)... If we leave it as it is, it's RLM_MODULE_REJECT with the below patch...
Would RLM_MODULE_FAIL be better? (Changes return 1 at src/main/exec.c:390 to return 2... This is fine since every caller or radius_exec_program only checks for !=0, except the rlm_exec xlat call which checks <0. Index: rlm_exec.c === RCS file: /source/radiusd/src/modules/rlm_exec/rlm_exec.c,v retrieving revision 1.11 diff -u -r1.11 rlm_exec.c --- rlm_exec.c 26 Feb 2004 19:04:32 - 1.11 +++ rlm_exec.c 4 Sep 2004 07:41:02 - @@ -332,7 +332,7 @@ result = radius_exec_program(inst->program, request, inst->wait, NULL, 0, *input_pairs, &answer); - if (result != 0) { + if (result < 0) { radlog(L_ERR, "rlm_exec (%s): External script failed", inst->xlat_name); return RLM_MODULE_FAIL; @@ -347,7 +347,10 @@ pairfree(&answer); - return RLM_MODULE_OK; + if (result == 0 || result > RLM_MODULE_NUMCODES) { + return RLM_MODULE_OK; + } + return result-1; } -- Paul "TBBle" Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
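Review bot: in the @@ -347 hunk, result == 0 || result > RLM_MODULE_NUMCODES returning RLM_MODULE_OK fails open: any exit status the author did not anticipate (the 127 a shell returns when a command named in the script cannot be found, the status of a script aborted by set -e) accepts the request together with whatever attributes were already printed. Return RLM_MODULE_FAIL for values above RLM_MODULE_NUMCODES, as Thor suggests in his follow-up and as the later revision of this patch in the thread does.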
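An added example (not FreeRADIUS code and not any poster's script) of what a "wait = yes" rlm_exec program looks like under the exit-status contract proposed here and finalised in Paul's later patch in this thread: exit 3 accepts with reply pairs, 1 rejects, 6 reports a locked account, 7 lets the next module decide, and anything above RLM_MODULE_NUMCODES is a module failure. It assumes, as the thread does not state, that rlm_exec exports request attributes to the program as environment variables named after the attribute with "-" replaced by "_" (User-Name as USER_NAME), and the user policy it consults is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS.
# Exit status -> module return code under the patched rlm_exec (exit - 1):
#   0 OK        1 REJECT    2 FAIL      3 OK        4 HANDLED   5 INVALID
#   6 USERLOCK  7 NOTFOUND  8 NOOP      9 UPDATED   >9 FAIL
# Lines on stdout become reply pairs when output_pairs = reply.
# Assumption: User-Name arrives in $USER_NAME (see lead-in).

RLM_REJECT=1
RLM_OK=3
RLM_USERLOCK=6
RLM_NOTFOUND=7
RLM_NUMCODES=9

# Name of the module return code the patched rlm_exec derives from an
# exit status; handy when matching debug output to what a script did.
rlm_code_name() {
    case "$1" in
        0|3) echo RLM_MODULE_OK ;;
        1)   echo RLM_MODULE_REJECT ;;
        4)   echo RLM_MODULE_HANDLED ;;
        5)   echo RLM_MODULE_INVALID ;;
        6)   echo RLM_MODULE_USERLOCK ;;
        7)   echo RLM_MODULE_NOTFOUND ;;
        8)   echo RLM_MODULE_NOOP ;;
        9)   echo RLM_MODULE_UPDATED ;;
        *)   echo RLM_MODULE_FAIL ;;   # 2, and anything above RLM_NUMCODES
    esac
}

# Constructed local policy (user name, account state). A real deployment
# would consult a file or database; only the shape of the answer matters.
policy_state() {
    awk -v u="$1" '$1 == u { print $2; found = 1 }
                   END { if (!found) print "unknown" }' <<'EOF'
alice active
bob locked
carol active
EOF
}

# Decide one user's outcome: print reply pairs and return the exit status
# that rlm_exec maps to a module return code.
check_user() {
    user=$1

    # The value comes straight from the Access-Request, i.e. from the
    # network. Refuse anything outside a conservative character set before
    # it reaches awk, a log line, or any other program.
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*)
            echo 'Reply-Message = "Invalid user name"'
            return $RLM_REJECT ;;
    esac

    case "$(policy_state "$user")" in
        active)
            # Attributes the NAS receives with the Access-Accept.
            echo 'Session-Timeout = 3600'
            echo "Reply-Message = \"Welcome, $user\""
            return $RLM_OK ;;
        locked)
            echo 'Reply-Message = "Account locked"'
            return $RLM_USERLOCK ;;
        *)
            # Unknown here: let the next module in the section decide.
            return $RLM_NOTFOUND ;;
    esac
}

# When started by rlm_exec, act on the request's User-Name. When the file
# is sourced for tests USER_NAME is unset and nothing runs.
if [ -n "${USER_NAME:-}" ]; then
    check_user "$USER_NAME"
    exit $?
fi
```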
Re: rlm_exec vs Exec-Program-Wait attribute
"Thor Spruyt" <[EMAIL PROTECTED]> wrote:
> I hope the rlm_exec module is going to be changed to enable outputting
> Reject attributes! If you have to run 2 scripts each time, what's the whole
> point of making the module?

The module can be updated, once patches are supplied.

Alan DeKok.
Re: rlm_exec vs Exec-Program-Wait attribute
On Thu, Sep 02, 2004 at 02:52:13PM -0400, Alan DeKok wrote:

Dear Alan,

though this setup you propose will work, I agree with Thor's opinion on the matter. I believe that it would be a good idea to allow the rlm_exec module to return reject messages with attributes in them as Exec-Program-Wait does. In this case, we can have the good things of Exec-Program-Wait, plus the extras of rlm_exec.

For now, I think that for my needs I will use Exec-Program-Wait as I find it a more elegant setup (of course I do not expect it to go away in a future version, right?).

Please let us know your thoughts on the matter.

Thanks
Kostas

> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > Autz-Type CLID {
> >         callerid {
> >                 fail=reject
> >         }
> > }
> >
> > In this case when the external script returns a non zero exit code or
> > fails I get an Access-Reject. However I cannot put any attributes
> > inside this reject packet.
>
> So do the following:
>
> Autz-Type CLID {
>         callerid {
>                 ok = return
>                 notfound = return
>                 ... = return
>                 fail = 1
>         }
>         another_files
> }
>
> Make the "another_files" module a copy of "rlm_files", and point it
> to different "users" files. It will then be run ONLY when the
> external script returns "fail", and you can add reply attributes to
> the reject packet there.
>
> Alan DeKok.

-- 
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
Re: rlm_exec vs Exec-Program-Wait attribute
Alan DeKok wrote:
> Make the "another_files" module a copy of "rlm_files", and point it
> to different "users" files. It will then be run ONLY when the
> external script returns "fail", and you can add reply attributes to
> the reject packet there.

I hope the rlm_exec module is going to be changed to enable outputting Reject attributes! If you have to run 2 scripts each time, what's the whole point of making the module?

As I already pointed out, the Exec-Program-Wait feature has several advantages over rlm_exec and is widely used with success (just the one small thing that I posted as bug #122). If the behaviour of the rlm_exec module is so restrictive, then I doubt many people will switch to it.

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Re: rlm_exec vs Exec-Program-Wait attribute
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> Autz-Type CLID {
>         callerid {
>                 fail=reject
>         }
> }
>
> In this case when the external script returns a non zero exit code or
> fails I get an Access-Reject. However I cannot put any attributes
> inside this reject packet.

So do the following:

    Autz-Type CLID {
            callerid {
                    ok = return
                    notfound = return
                    ... = return
                    fail = 1
            }
            another_files
    }

Make the "another_files" module a copy of "rlm_files", and point it to different "users" files. It will then be run ONLY when the external script returns "fail", and you can add reply attributes to the reject packet there.

Alan DeKok.
Re: rlm_exec vs Exec-Program-Wait attribute
I think this issue has come up on this list before. Someone posted this solution. I am pasting it down here. You can search the list for more information about it too. Here we go:

Alejandro Galue wrote:
> To reject users:
>
> Reply-Message := 'You can not login now'
> And the exit code is 1
>
> PROBLEM:
>
> BUT, Reply-Message on Access-Reject is not modified.
> The Reject Message does not contain any attributes.

According to me it's a bug and I have submitted patches several times. I think it's not being accepted because I don't know how to send text mail with real tabs :(

Here's my patch that solves this for 1.0.0:

--- src/main/auth.c.orig 2004-08-10 23:13:25.0 + +++ src/main/auth.c 2004-08-10 23:14:18.0 +
@@ -886,18 +886,15 @@ * fork/exec errors, or >0 if the exec'ed program * had a non-zero exit status. */ - if (umsg[0] == '\0') { -user_msg = "\r\nAccess denied (external check failed)."; - } else { -user_msg = &umsg[0]; + if (r < 0) { +user_msg = "Access denied (external check failed)"; +tmp = pairmake("Reply-Message", user_msg, T_OP_SET); +pairadd(&request->reply->vps, tmp); } request->reply->code = PW_AUTHENTICATION_REJECT; - tmp = pairmake("Reply-Message", user_msg, T_OP_SET); - - pairadd(&request->reply->vps, tmp); rad_authlog("Login incorrect (external check failed)", - request, 0); + request, 1); return RLM_MODULE_REJECT; }

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65

Thanks and I hope that helps.

--- Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> In a previous thread I described my scenario:
>
> > My scenario is simple. When I receive an authentication request for a
> > user, I want to run an external program and if everything goes OK,
> > return access-accept with some attributes, otherwise I want to return
> > access-reject with other attributes.
>
> This scenario is accomplished easily using the Exec-Program-Wait
> attribute in the users file.
>
> When I try to accomplish the same thing with rlm_exec, as Doug Hardie
> and Alan suggested, I use configurable failover:
>
> radiusd.conf:
>
>     exec callerid {
>         wait = yes
>         program = /space/radius/callerid.sh
>         input_pairs = request
>         output_pairs = reply
>         packet_type = Access-Request
>     }
>
> in users I have
>
>     CLIDACTIVATE    Auth-Type := Local, User-Password == "AAA", Autz-Type := CLID
>
> and in the authorize section of radiusd.conf
>
>     Autz-Type CLID {
>         callerid {
>             fail = reject
>         }
>     }
>
> In this case when the external script returns a non zero exit code or
> fails I get an Access-Reject. However I cannot put any attributes
> inside this reject packet. If my script outputs pairs and exits with a
> non zero status, the pairs are not kept in the reject packet sent back
> to the client. So my questions are:
>
> - is it possible to have attributes in reject packets in rlm_exec
>   setups (something I can do with Exec-Program-Wait)?
> - is Exec-Program-Wait deprecated and probably removed in future
>   versions? If so, how can I accomplish my scenario?
>
> I need to make a decision for an imminent project.
>
> Thanks in advance
>
> Kostas
>
> --
> Kostas Zorbadelos
> Systems Developer, Otenet SA
> mailto: [EMAIL PROTECTED]
>
> Out there in the darkness, out there in the night
> out there in the starlight, one soul burns brighter
> than a thousand suns.
Re: rlm_exec questions
On Aug 27, 2004, at 09:05, Kostas Zorbadelos wrote:

> The module returns fail but no access-reject is sent back and radtest
> keeps retransmitting. What am I missing?

Alan responded to me on a similar issue some time ago with the response to use configurable failover. There is a very good document on that in the docs directory. I came up with the following approach based on that. However, it has never been tested and no one responded to my posting of it. I didn't want to do any more disruptive testing on a production machine so I reverted to an Exec-Program-Wait module which does it all very simply.

    modules {
        ...
        exec l_auth {
            wait = yes
            program = "/etc/raddb/local %{HINT} R"
            input_pairs = request
            output_pairs = reply
        }
        always reject {
            rcode = reject
        }
        ...
    }

    post-auth {
        redundant {
            l_auth {
                fail = 1
            }
            reject
        }
    }

It also seems like I might be able to use the following in post-auth:

    post-auth {
        l_auth {
            fail = reject
        }
    }
RE: rlm_exec and Access-Reject. Need Help Please
Hello,

Thanks for your response. Do you have a patch for freeradius 0.9.3?

Regards,
Alejandro.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thor Spruyt
Sent: Friday, August 20, 2004 12:54 PM
To: [EMAIL PROTECTED]
Subject: Re: rlm_exec and Access-Reject. Need Help Please

Alejandro Galue wrote:
> To reject users:
>
> Reply-Message := 'You can not login now'
> And the exit code is 1
>
> PROBLEM:
>
> BUT, Reply-Message on Access-Reject is not modified.
> The Reject Message does not contain any attributes.

According to me it's a bug and I have submitted patches several times. I think it's not being accepted because I don't know how to send text mail with real tabs :(

Here's my patch that solves this for 1.0.0:

--- src/main/auth.c.orig 2004-08-10 23:13:25.0 + +++ src/main/auth.c 2004-08-10 23:14:18.0 + @@ -886,18 +886,15 @@ * fork/exec errors, or >0 if the exec'ed program * had a non-zero exit status. */ - if (umsg[0] == '\0') { -user_msg = "\r\nAccess denied (external check failed)."; - } else { -user_msg = &umsg[0]; + if (r < 0) { +user_msg = "Access denied (external check failed)"; +tmp = pairmake("Reply-Message", user_msg, T_OP_SET); +pairadd(&request->reply->vps, tmp); } request->reply->code = PW_AUTHENTICATION_REJECT; - tmp = pairmake("Reply-Message", user_msg, T_OP_SET); - - pairadd(&request->reply->vps, tmp); rad_authlog("Login incorrect (external check failed)", - request, 0); + request, 1); return RLM_MODULE_REJECT; }

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Re: rlm_exec and Access-Reject. Need Help Please
Alejandro Galue wrote:
> To reject users:
>
> Reply-Message := 'You can not login now'
> And the exit code is 1
>
> PROBLEM:
>
> BUT, Reply-Message on Access-Reject is not modified.
> The Reject Message does not contain any attributes.

According to me it's a bug and I have submitted patches several times. I think it's not being accepted because I don't know how to send text mail with real tabs :(

Here's my patch that solves this for 1.0.0:

--- src/main/auth.c.orig 2004-08-10 23:13:25.0 + +++ src/main/auth.c 2004-08-10 23:14:18.0 + @@ -886,18 +886,15 @@ * fork/exec errors, or >0 if the exec'ed program * had a non-zero exit status. */ - if (umsg[0] == '\0') { -user_msg = "\r\nAccess denied (external check failed)."; - } else { -user_msg = &umsg[0]; + if (r < 0) { +user_msg = "Access denied (external check failed)"; +tmp = pairmake("Reply-Message", user_msg, T_OP_SET); +pairadd(&request->reply->vps, tmp); } request->reply->code = PW_AUTHENTICATION_REJECT; - tmp = pairmake("Reply-Message", user_msg, T_OP_SET); - - pairadd(&request->reply->vps, tmp); rad_authlog("Login incorrect (external check failed)", - request, 0); + request, 1); return RLM_MODULE_REJECT; }

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
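Review bot: the hunk removes the `else` branch that used the program's own output (`user_msg = &umsg[0];`), so for a non-zero exit status (r > 0) nothing from `umsg` reaches the reply any more; if the intent is that the pairs the script printed stay in the Access-Reject instead of being overwritten by a fixed Reply-Message, state that in the patch description and make sure the code that copies the script's output pairs into `request->reply->vps` has already run by this point, because nothing inside this hunk carries them over. Two smaller points in the same hunk: `pairmake()` can return NULL and its result goes straight into `pairadd()`, so keep a guard such as `if (tmp) pairadd(&request->reply->vps, tmp);`; and the last argument of `rad_authlog()` changes from 0 to 1 on a path that rejects the login, with no note on what that flag selects, so either justify the change in one line or revert it to match the other reject paths in auth.c.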
Re: rlm_exec
On Aug 15, 2004, at 19:09, Alan DeKok wrote:

> Doug Hardie <[EMAIL PROTECTED]> wrote:
> > Then how do you replace a deprecated EXEC-PROGRAM-WAIT call with
> > something that calls an external program that can return pairs
>
> rlm_exec does that.
>
> > or cause authentication failure with the regular authentication
> > failure logging messages?
>
> rlm_exec returns FAIL when the external script fails. You can change
> this to REJECT via source code modifications, or by using configurable
> failover in the "authorize" section.

There is some really useful info in doc/configurable_failover. A lot of that should be in a more obvious place, like README or INTRO etc. Now I know why putting the rlm_exec module in the authenticate section won't work.

I believe the following is what I need to achieve the above. Is this correct?

    modules {
        ...
        exec l_auth {
            wait = yes
            program = "/etc/raddb/local %{HINT} R"
            input_pairs = request
            output_pairs = reply
        }
        always reject {
            rcode = reject
        }
        ...
    }

    post-auth {
        redundant {
            l_auth {
                fail = 1
            }
            reject
        }
    }

It also seems like I might be able to use the following in post-auth:

    post-auth {
        l_auth {
            fail = reject
        }
    }
Re: "rlm_exec" error on Mac OS X
"Mahesh S Kudva" <[EMAIL PROTECTED]> wrote: > Module: Library search path is /usr/local/lib > radiusd.conf[1367] Failed linking to rlm_exec structure in radiusd.conf: dlcompat: > Symbol > "_rlm_exec" not found It looks like rlm_exec isn't on your system. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : "rlm_exec" error on Mac OS X
How did you compile it? Tell us the exact line you used in configure, make, makefile.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mahesh S Kudva
> Sent: Monday, August 16, 2004 15:09
> To: [EMAIL PROTECTED]
> Subject: "rlm_exec" error on Mac OS X
>
> Hi
>
> I am trying to run freeradius 1.0.0 on Mac OS X 10.3 Server.
> Compilation and installation went fine without errors.
> But while running the radius server in debugging mode I get the
> following error...
>
>     Module: Library search path is /usr/local/lib
>     radiusd.conf[1367] Failed linking to rlm_exec structure in
>     radiusd.conf: dlcompat: Symbol "_rlm_exec" not found
>
> Regards & Thanks
>
> Mahesh S Kudva
Re: rlm_exec
Doug Hardie <[EMAIL PROTECTED]> wrote:
> Then how do you replace a deprecated EXEC-PROGRAM-WAIT call with
> something that calls an external program that can return pairs

rlm_exec does that.

> or cause authentication failure with the regular authentication
> failure logging messages?

rlm_exec returns FAIL when the external script fails. You can change this to REJECT via source code modifications, or by using configurable failover in the "authorize" section.

Alan DeKok.
Re: rlm_exec
On Aug 15, 2004, at 15:43, Alan DeKok wrote:

> Doug Hardie <[EMAIL PROTECTED]> wrote:
> > I still need some help. I have searched through the archives, google,
> > documentation and source code. I need the program I am calling to be
> > able to return pairs to the NAS when the authentication request is
> > granted and I need to have it not authenticate in some cases. In the
> > EXEC-PROGRAM-WAIT a non-zero return will cause it not to return a
> > successful authentication.
>
> Which is what it's designed to do.

Then how do you replace a deprecated EXEC-PROGRAM-WAIT call with something that calls an external program that can return pairs or cause authentication failure with the regular authentication failure logging messages?

> > All I get is a note in radius.log that the external script failed.
> > The normal user logging does not take place.
>
> What "normal user logging"?

There is no logging of the user id/password for the failed authentication attempt, only a logged message that the exec module failed.

> > The rlm_exec module only seems to treat the return code in that way.
>
> What way?

Generate an exec module failed message.

> Alan DeKok.
Re: rlm_exec
Doug Hardie <[EMAIL PROTECTED]> wrote:
> I still need some help. I have searched through the archives, google,
> documentation and source code. I need the program I am calling to be
> able to return pairs to the NAS when the authentication request is
> granted and I need to have it not authenticate in some cases. In the
> EXEC-PROGRAM-WAIT a non-zero return will cause it not to return a
> successful authentication.

Which is what it's designed to do.

> All I get is a note in radius.log that the external script failed.
> The normal user logging does not take place.

What "normal user logging"?

> The rlm_exec module only seems to treat the return code in that way.

What way?

Alan DeKok.
Re: rlm_exec
I still need some help. I have searched through the archives, google, documentation and source code. I need the program I am calling to be able to return pairs to the NAS when the authentication request is granted and I need to have it not authenticate in some cases. In the EXEC-PROGRAM-WAIT a non-zero return will cause it not to return a successful authentication. All I get is a note in radius.log that the external script failed. The normal user logging does not take place. The rlm_exec module only seems to treat the return code in that way. Am I stuck using EXEC-PROGRAM-WAIT or is there a way to make rlm_exec do this?

On Aug 11, 2004, at 16:01, Doug Hardie wrote:

> I am attempting to replace an EXEC-PROGRAM-WAIT module in the users file
> with an exec module. Defining the exec module is straightforward. There
> are examples in the conf file. However, placing the call to it is not
> as obvious. First I put it in the authenticate section. That generated
> a segment violation when trying to load the module. Then I tried
> placing it in the authorize section. My program now dumps (although
> that may be my problem). The question is, where is the right place to
> put the call?
RE: rlm_exec and perl
On Thu, 22 Jul 2004, Alejandro Galue wrote:

> Hello,
>
> Thanks for the information, I understand that I can't modify accounting
> response packets.
>
> So I can use instead Access-Accept, to send custom information and create a
> daemon on the client machine to process that information.
>
> Please help me, how can I modify reply attributes under perl?

Isn't the example.pl script helpful?

http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_perl/example.pl?rev=1.1&content-type=text/x-cvsweb-markup

> Thanks,
> Alejandro.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kostas Kalevras
> Sent: Thursday, July 22, 2004 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: Re: rlm_exec and perl
>
> On Thu, 22 Jul 2004, Alejandro Galue wrote:
>
> > Hello,
> >
> > I'm trying to use rlm_exec to run a perl script in order to add
> > certain radius attributes on Accounting-Response under certain conditions.
> >
> > Does anyone know how I can access input_pairs and how I can set
> > output_pairs in perl? Please help me.
> >
> > I put this on radiusd.conf
> >
> >     exec custom {
> >         wait = yes
> >         program = /usr/local/bin/check-accounting.pl
> >         input-pairs = request
> >         output-pairs = reply
> >         packet-type = Accounting-Request
> >     }
> >
> > Thanks in advance...
> >
> > Alejandro Galue.
>
> From src/main/util.c::rfc_clean:
>
>     /*
>      * Accounting responses can only contain
>      * Proxy-State and VSA's. Note that we do NOT
>      * move the Proxy-State attributes over, as the
>      * Proxy-State attributes in this packet are NOT
>      * the right ones to use. The reply function
>      * takes care of copying those attributes from
>      * the original request, which ARE the right ones
>      * to use.
>      */
>
> In general the accounting-response is not required to contain any attributes
> and in the case of radius you can't even add any.
>
> --
> Kostas Kalevras                 Network Operations Center
> [EMAIL PROTECTED]               National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

--
Kostas Kalevras                 Network Operations Center
[EMAIL PROTECTED]               National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE: rlm_exec and perl
Hello,

Thanks for the information, I understand that I can't modify accounting response packets.

So I can use instead Access-Accept, to send custom information and create a daemon on the client machine to process that information.

Please help me, how can I modify reply attributes under perl?

Thanks,
Alejandro.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kostas Kalevras
Sent: Thursday, July 22, 2004 11:02 AM
To: [EMAIL PROTECTED]
Subject: Re: rlm_exec and perl

On Thu, 22 Jul 2004, Alejandro Galue wrote:

> Hello,
>
> I'm trying to use rlm_exec to run a perl script in order to add
> certain radius attributes on Accounting-Response under certain conditions.
>
> Does anyone know how I can access input_pairs and how I can set
> output_pairs in perl? Please help me.
>
> I put this on radiusd.conf
>
>     exec custom {
>         wait = yes
>         program = /usr/local/bin/check-accounting.pl
>         input-pairs = request
>         output-pairs = reply
>         packet-type = Accounting-Request
>     }
>
> Thanks in advance...
>
> Alejandro Galue.

From src/main/util.c::rfc_clean:

    /*
     * Accounting responses can only contain
     * Proxy-State and VSA's. Note that we do NOT
     * move the Proxy-State attributes over, as the
     * Proxy-State attributes in this packet are NOT
     * the right ones to use. The reply function
     * takes care of copying those attributes from
     * the original request, which ARE the right ones
     * to use.
     */

In general the accounting-response is not required to contain any attributes and in the case of radius you can't even add any.

--
Kostas Kalevras                 Network Operations Center
[EMAIL PROTECTED]               National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: rlm_exec and perl
On Thu, 22 Jul 2004, Alejandro Galue wrote:

> Hello,
>
> I'm trying to use rlm_exec to run a perl script in order to add certain
> radius attributes on Accounting-Response under certain conditions.
>
> Does anyone know how I can access input_pairs and how I can set output_pairs in
> perl? Please help me.
>
> I put this on radiusd.conf
>
>     exec custom {
>         wait = yes
>         program = /usr/local/bin/check-accounting.pl
>         input-pairs = request
>         output-pairs = reply
>         packet-type = Accounting-Request
>     }
>
> Thanks in advance...
>
> Alejandro Galue.

From src/main/util.c::rfc_clean:

    /*
     * Accounting responses can only contain
     * Proxy-State and VSA's. Note that we do NOT
     * move the Proxy-State attributes over, as the
     * Proxy-State attributes in this packet are NOT
     * the right ones to use. The reply function
     * takes care of copying those attributes from
     * the original request, which ARE the right ones
     * to use.
     */

In general the accounting-response is not required to contain any attributes and in the case of radius you can't even add any.

--
Kostas Kalevras                 Network Operations Center
[EMAIL PROTECTED]               National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: rlm_exec module phasing out Exec-Program-Wait?
"Nathan Miller" <[EMAIL PROTECTED]> wrote: > Noticed the new rlm_exec functionality after upgrading from 0.8.1 -> 0.9.3. > I currently use Exec-Program-Wait in the users file extensively to do > external authentications. Is rlm_exec eventually going to phase out > Exec-Program-Wait function? Maybe not phase out, but replace. The Exec-Program-Wait attribute is a "magic' attribute, and as such, requires addiitonal code in the server core to manage. That code would be better off in a module. The idea is to move the code from the server core to rlm_exec, but the behaviour and functionality of Exec-Program shouldn't change. > I ask mainly because I have tried doing the same thing with rlm_exec and it > does not seem to get the appropriate data passed to it to do the same > authentication procedures and I end up with lots of auth failures. I don't see why. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html