Re: rlm_exec questions

2004-08-27 Thread Doug Hardie
On Aug 27, 2004, at 09:05, Kostas Zorbadelos wrote:
> The module returns fail but no access-reject is sent back and radtest
> keeps retransmitting.
> What am I missing?

Alan responded to me on a similar issue some time ago with the response 
to use configurable failover.  There is a very good document on that in 
the docs directory.  I came up with the following approach based on 
that.  However, it has never been tested and no one responded to my 
posting of it.  I didn't want to do any more disruptive testing on a 
production machine so I reverted to an Exec-Program-Wait module which 
does it all very simply.

modules {
    ...
    exec l_auth {
        wait = yes
        program = "/etc/raddb/local %{HINT} R"
        input_pairs = request
        output_pairs = reply
    }
    always reject {
        rcode = reject
    }
    ...
}
post-auth {
    redundant {
        l_auth {
            fail = 1
        }
        reject
    }
}

It also seems like I might be able to use the following in post-auth:

post-auth {
    l_auth {
        fail = reject
    }
}

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_exec questions

2004-08-27 Thread Kostas Zorbadelos
Hello to everyone.
My scenario is simple. When I receive an authentication request for a
user, I want to run an external program and if everything goes OK,
return access-accept with some attributes, otherwise I want to return
access-reject with other attributes.

I have done the following configuration in radiusd.conf:

exec callerid {
    wait=yes
    program=/space/radius/callerid.sh
    input_pairs = request
    output_pairs = reply
    packet_type = Access-Request
}

in users I have

CLIDACTIVATE    Auth-Type := Local, Autz-Type := CLID

and in the authorize section of radiusd.conf

Autz-Type CLID {
    callerid
}

In case my script terminates normally, I get the attribute value pairs
appended to an access-accept message as I want. However, if I make an
exit 1 at the end of the script, I do not get an access-reject with
the output attribute-value pairs appended. 
I make the test with radtest

 radtest -d . CLIDACTIVATE 1760 localhost 123 testing123

and from radiusd -X I get 

rad_recv: Access-Request packet from host 127.0.0.1:64711, id=42, length=64
User-Name = "CLIDACTIVATE"
User-Password = "1760"
NAS-IP-Address = 255.255.255.255
NAS-Port = 123
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '/' in User-Name = "CLIDACTIVATE", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "realmslash" returns noop for request 2
rlm_realm: No '@' in User-Name = "CLIDACTIVATE", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
users: Matched CLIDACTIVATE at 74
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns ok for request 2
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 2
radius_xlat:  '/space/radius/callerid.sh'
Exec-Program: /space/radius/callerid.sh
Exec-Program output: h323-return-code = "2" 
Exec-Program-Wait: value-pairs: h323-return-code = "2"
Exec-Program: returned: 1
rlm_exec (callerid): External script failed
  modcall[authorize]: module "callerid" returns fail for request 2
modcall: group Autz-Type returns fail for request 2
Finished request 2
Going to the next request

The module returns fail but no access-reject is sent back and radtest
keeps retransmitting.
What am I missing?

Thanks for any help.

Kostas

-- 
  Kostas Zorbadelos
  Currently at: Otenet IT Department 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.
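
Added example, not part of the original thread: a small Python check that scans `radiusd -X` output for the symptom reported above, a request whose module returned fail and for which no reply was ever sent. It assumes single-threaded debug output; the sample text is constructed, and the "Sending ..." and "Delaying ..." lines in it are assumed formats rather than lines from the posted trace.

```python
import re

# Constructed radiusd -X excerpt. Request 2 follows the trace in the post;
# request 3 (a delayed reject) and the "Sending ..." line format are assumptions.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:64711, id=42, length=64
  modcall[authorize]: module "files" returns ok for request 2
  modcall[authorize]: module "callerid" returns fail for request 2
modcall: group Autz-Type returns fail for request 2
Finished request 2
Going to the next request
rad_recv: Access-Request packet from host 127.0.0.1:64712, id=43, length=64
  modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns ok for request 3
Delaying request 3 for 1 seconds
Finished request 3
Sending Access-Reject of id 43 to 127.0.0.1:64712
"""

RECV = re.compile(r"^rad_recv: \S+ packet from host \S+, id=(\d+)")
SENT = re.compile(r"^Sending Access-\w+ of id (\d+) ")
RCODE = re.compile(r'module "([^"]+)" returns (\w+) for request (\d+)')


def unanswered_requests(debug_text):
    """Map request number -> failing modules, for requests that got no reply."""
    open_by_id = {}   # packet id -> state of a request still waiting for a reply
    unanswered = {}
    current = None    # state of the most recently received packet

    def close(packet_id):
        state = open_by_id.pop(packet_id, None)
        if state and state["request"] is not None:
            unanswered[state["request"]] = state["failed"]

    for line in debug_text.splitlines():
        if m := RECV.match(line):
            close(m.group(1))  # id seen again: the earlier packet was never answered
            current = open_by_id[m.group(1)] = {"request": None, "failed": []}
        elif m := SENT.match(line):
            open_by_id.pop(m.group(1), None)  # a reply may follow "Finished request"
        elif (m := RCODE.search(line)) and current is not None:
            current["request"] = int(m.group(3))
            if m.group(2) == "fail":
                current["failed"].append(m.group(1))
    for packet_id in list(open_by_id):
        close(packet_id)
    return unanswered
```

Run over the constructed sample, it reports request 2 with `callerid` as the failing module and leaves request 3 alone because its reject arrives after the delay.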

