Hi all,
I'm trying to shape ppp+ interfaces after successful
authentication using Exec-Program. radiusd runs as root,
in mysql radreply table the last row for the user
contains: Exec-Program = '/etc/ppp/shd %f'. Freeradius
version is 1.0.1, MySQL 4.0.21, Slackware 10, pptpd 1.2.1,
Edgars <[EMAIL PROTECTED]> wrote:
> I'm sending 2 attributes Exec-Program-Wait='/usr/local/sbin
> %C{User-Name} %C{Nas-IP-Address}'
What the heck is that %C{..} stuff?
Please read doc/variables.txt for the proper syntax for referring to
attributes.
> So how th
Cheers Jerlique! it works now:)
Edgars
Jerlique Ban wrote:
Hi,
can't figure out how the attributes are sent to my PHP
script, how do they look in this file. Can someone help on this issue?
I'm sending 2 attributes Exec-Program-Wait='/usr/local/sbin
%C{User-Name} %C{Nas-IP-Address
Hi,
> can't figure out how the attributes are sent to my PHP
> script, how do they look in this file. Can someone help on this issue?
> I'm sending 2 attributes Exec-Program-Wait='/usr/local/sbin
> %C{User-Name} %C{Nas-IP-Address}'
>
> So how they are called
Hello,
can't figure out how the attributes are sent to my PHP script, how do they
look in this file. Can someone help on this issue?
I'm sending 2 attributes Exec-Program-Wait='/usr/local/sbin
%C{User-Name} %C{Nas-IP-Address}'
So how they are called now under my PHP file?
Th
Thanks Alan! I've already found that I had a space after the attribute
which has been written in the DB.
Edgars
Alan DeKok wrote:
Edgars <[EMAIL PROTECTED]> wrote:
rlm_sql: unknown attribute Exec-Program-Wait
rlm_sql (sql): Error getting data from database
Odds are your SQ
Edgars <[EMAIL PROTECTED]> wrote:
> rlm_sql: unknown attribute Exec-Program-Wait
> rlm_sql (sql): Error getting data from database
Odds are your SQL server is returning the attribute names with
embedded spaces. Delete them, and it will work.
Alan DeKok.
-
List info/subscribe
yesterday it worked ok but today I'm getting these messages in the logs
and debug window (both for exec-program and also exec-program-wait):
rlm_sql: unknown attribute Exec-Program-Wait
rlm_sql (sql): Error getting data from database
I checked the dictionary file and there are both entries
at the next login.
How to workaround this? Should i use rlm_sql instead of exec-program
attribute?
Edgars
So you don't need to store it in radreply table. Your external script
will enrich the attributes returned to the client by adding the
Session-Timeout.
i use rlm_sql instead of exec-program
> attribute?
>
> Edgars
>
So you don't need to store it in radreply table. Your external script
will enrich the attributes returned to the client by adding the
Session-Timeout.
--
Kostas Zorbadelos
Systems Developer, Otenet SA
ma
the current authentication try. But the php script is only
adding the timeout but it will be given to user only at the next login.
How to workaround this? Should i use rlm_sql instead of exec-program
attribute?
Edgars
Edgars wrote:
nope, the same.
Edgars
Kostas Zorbadelos wrote:
On Mon, Sep 06
On Sat, Sep 04, 2004 at 07:56:29PM +0200, Thor Spruyt wrote:
> Paul Hampson wrote:
> > New behaviour: (Replaces behaviour identical to <0 above)
> > If the program returns 1 through RLM_MODULE_NUMCODES, return the
> > appropriate code and attributes as expected.
> > 1 RLM_MODULE_REJECT, /* imme
On Mon, Sep 06, 2004 at 04:00:43PM +0300, Edgars wrote:
What is the debugging output of radiusd -X?
> nope, the same.
>
> Edgars
>
> Kostas Zorbadelos wrote:
>
> >On Mon, Sep 06, 2004 at 03:12:47PM +0300, Edgars wrote:
> >
> >
> >>with permissions there are no problems, i tried also your chmod
nope, the same.
Edgars
Kostas Zorbadelos wrote:
On Mon, Sep 06, 2004 at 03:12:47PM +0300, Edgars wrote:
with permissions there are no problems, i tried also your chmod options.
The same:/
Maybe something else?
Edgars
Perhaps you should create an executable wrapper shell script
containing
On Mon, Sep 06, 2004 at 03:12:47PM +0300, Edgars wrote:
> with permissions there are no problems, i tried also your chmod options.
> The same:/
> Maybe something else?
>
> Edgars
>
Perhaps you should create an executable wrapper shell script
containing the call to your php script like
StartPhp.
with permissions there are no problems, i tried also your chmod options.
The same:/
Maybe something else?
Edgars
Kostas Zorbadelos wrote:
On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote:
Hello,
in some way this attribute does not execute my PHP program. I have data
base insert query in
On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote:
> Hello,
>
> in some way this attribute does not execute my PHP program. I have data
> base insert query in this file to test all this. If i execute the *.php
> program from command line, everything is OK - a new field is added in
> the DB
Hello,
in some way this attribute does not execute my PHP program. I have data
base insert query in this file to test all this. If i execute the *.php
program from command line, everything is OK - a new field is added in
the DB. I've put this attribute with path in the radcheck table.
Where co
"yes", then use the new return code
> interpretation (maybe without the -1):
> If this configuration item is absent or anything else than "yes", then use
> the old return code interpretation (0=ok, !0=fail)
I'm hoping to avoid another configuration option. The i
Paul Hampson wrote:
> New behaviour: (Replaces behaviour identical to <0 above)
> If the program returns 1 through RLM_MODULE_NUMCODES, return the
> appropriate code and attributes as expected.
> 1 RLM_MODULE_REJECT, /* immediately reject the request */
> 2 RLM_MODULE_FAIL, /* module fail
ple who're using >0 for failure, which is possible
but (slightly) deranged. ^_^;
Hopefully this allows everyone to do what they need to do, and we can
finally deprecate Exec-Program-Wait and Exec-Program. ^_^
Patch for discussion. I decided to try this route when I couldn't
think what t
"Thor Spruyt" <[EMAIL PROTECTED]> wrote:
> I hope the rlm_exec module is going to be changed to enable outputting
> Reject attributes! If you have to run 2 scripts each time, what's the whole
> point of making the module?
The module can be updated, once patches are supplied.
Alan DeKok.
On Thu, Sep 02, 2004 at 02:52:13PM -0400, Alan DeKok wrote:
Dear Alan,
though this setup you propose will work, I agree with Thor's opinion
on the matter. I believe that it would be a good idea to allow
rlm_exec module return reject messages with attributes in them as
Exec-Program-Wait doe
et there.
I hope the rlm_exec module is going to be changed to enable outputting
Reject attributes! If you have to run 2 scripts each time, what's the whole
point of making the module?
As I already pointed out, the Exec-Program-Wait feature has several
advantages over rlm_exec and is widely used
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
>Autz-Type CLID{
> callerid {
>fail=reject
> }
> }
>
> In this case when the external script returns a non zero exit code or
> fails I get an Access-Reject. However I cannot put any a
> wrote:
> In a previous thread I described my scenario:
>
> >My scenario is simple. When I receive an authentication request for a
> >user, I want to run an external program and if everything goes OK,
> >return access-accept with some attributes, otherwis
r attributes.
This scenario is accomplished easily using the Exec-Program-Wait
attribute in users file.
When I try to accomplish the same thing with rlm_exec, as Doug Hardie
and Alan suggested, I use configurable failover:
radiusd.conf:
exec callerid {
wait=yes
pr
> ++--+---+
>
> | 1 | jlb | dial |
> | 2 | jlb | adsl |
>
> ++--+---+
The sql code only supports one group per user. You can't be in two groups. In
your case the group lookup will return the first entry returned by the sql
query and y
Hi,
Thanks for your comments Alan.
"Jerlique Ban" <[EMAIL PROTECTED]> wrote:
> I've now switched to using freeradius 1.0.0-pre3 on freebsd. I am
> trying to authenticate users via my Exec-Program call, which does a
> whole lot of other queries and tests b
"Jerlique Ban" <[EMAIL PROTECTED]> wrote:
> I've now switched to using freeradius 1.0.0-pre3 on freebsd. I am trying to
> authenticate users via my Exec-Program call, which does a whole lot of other
> queries and tests before granting access. It all works if a PAP r
Hi,
I've now switched to using freeradius 1.0.0-pre3 on freebsd. I am trying to
authenticate users via my Exec-Program call, which does a whole lot of other
queries and tests before granting access. It all works if a PAP request is
made, but fails on a CHAP request. Now I understand that
Amedzekor Kafui wrote:
> What about if i don't want the reply attributes to
> echoed to the screen but i want them sent to the NAS,
> can I just put for example
Your script just has to output attributes to STDOUT, so that FreeRadius can
read them in and then send them to the NAS.
If you want to al
n DeKok <[EMAIL PROTECTED]> wrote:
> Amedzekor Kafui <[EMAIL PROTECTED]> wrote:
> > If the exec-program-wait is written in C/C++ do I
> > necessarily need to system ("echo Framed-IP-Address =
> > 255.255.255.255") to get the replies back to the NAS.
Amedzekor Kafui <[EMAIL PROTECTED]> wrote:
> If the exec-program-wait is written in C/C++ do I
> necessarily need to system ("echo Framed-IP-Address =
> 255.255.255.255") to get the replies back to the NAS.
>
> Can I use printf to achieve the same effect?
Ye
Hello
If the exec-program-wait is written in C/C++ do I
necessarily need to system ("echo Framed-IP-Address =
255.255.255.255") to get the replies back to the NAS.
Can I use printf to achieve the same effect?
Thanks.
Kafui Amedzekor.
Exec-Program-Wait = "/opt/radius1/bin/auth.pl"
Everything runs fine, except the attributes output by the script (attr =
value separated by newlines) are not added to the reply as you can see in
this debugging output:
auth: type Local
auth: user supplied User-Password mat
t: Monday, July 26, 2004 4:16 PM
Subject: Re: Exec-Program-Wait attributes not included in Access-Accept
> On Mon, Jul 26, 2004 at 03:58:37PM +0200, Thor Spruyt wrote:
> > I have freeradius 0.9.3 running with Postgresql database backend.
> > The only thing the radius checks is the passw
:
> DEFAULT Auth-Type = Local
> Exec-Program-Wait = "/opt/radius1/bin/auth.pl"
> Everything runs fine, except the attributes output by the script (attr =
> value separated by newlines) are not added to the reply as you can see in
> this debugging out
Hi,
I have freeradius 0.9.3 running with Postgresql database backend.
The only thing the radius checks is the password and then executes an
external script if authentication is ok.
The section in the users file is:
DEFAULT Auth-Type = Local
Exec-Program-Wait = "
Andrea Gabellini <[EMAIL PROTECTED]> wrote:
> I need to use Exec-Program, but I need also the Sql-Group variable.
> Actually It's not passed to the environment.
The request items are added to the environment in Exec-Program-Wait.
That can't be changed. if SQL-Group isn&
Hi,
I need to use Exec-Program, but I need also the Sql-Group variable.
Actually It's not passed to the environment.
Is it possible to add it?
Andrea
---
A real friend is someone who believes in you when you have ceased to
believe in you
"Rob Hartzenberg (iCabs)" <[EMAIL PROTECTED]> wrote:
> Well, see, I tried and failed. The Group command works fine with the MySQL
> module on some of the other solutions I have setup, but I have not managed
> to get it to work nicely with the system groups.
The Group attribute is intended to be
Hey
>
> Huh? Why not just use the "Group" attribute, which does
> Unix group checking for you?
>
> Alan DeKok.
>
Well, see, I tried and failed. The Group command works fine with the MySQL
module on some of the other solutions I have setup, but I have not managed
to get it to work nicel
"Rob Hartzenberg (iCabs)" <[EMAIL PROTECTED]> wrote:
> To get freeradius to work with the system groups of "users / 100" and "email
> / 200"
> I searched around the new archives until I came up with a solution that uses
> Exec-Program-Wait function.
>
> My Question here is, What sort of system load can I expect from doing this?
> We currently have 200+ users on the box and all seems well, but what happens
> when we get to 1000+ etc, will it still hold up? Is it a potential
> bottleneck, or is it clean enough?
for me, considering RDBMS, yes.
ter to only enable email access.
To get freeradius to work with the system groups of "users / 100" and "email
/ 200"
I searched around the new archives until I came up with a solution that uses
Exec-Program-Wait function.
Ref:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg04
"Milver S. Nisay" <[EMAIL PROTECTED]> wrote:
> My problem is that I would like to make use of Exec-Program-Wait to
> execute a script in order to process some additional authentication
> parameters. Is there anyway I can do this since I'm using MySQL for
> a
On Mon, May 17, 2004 at 01:40:08PM +0200, Joe Borg wrote:
> Thanks for the tip. By any chance, would you be able to refer me to some
> documentation/information on how to go about doing this? I'm still
> somewhat green to MySQL. Thanks.
If you already understand how to use the users file, then the
, thereby bypassing the use of the
users file). My problem is that I would like to make use of Exec-Program-Wait
to execute a script in order to process some additional authentication
parameters. Is there anyway I can do this since I'm using MySQL for
authorisation?
YES
t: 17 May 2004 12:36
To: [EMAIL PROTECTED]
Subject: Re: Freeradius with MySQL and Exec-Program-Wait
On Mon, May 17, 2004 at 12:14:40PM +0200, Joe Borg wrote:
> I'm in the process of setting up a new RADIUS server using Freeradius. I
> intend using MySQL for Authorisation and Accounting configured for use
> in Radiusd.conf, thereby bypassing the use of the users file). My
> problem is that I would like to make use of Exec-Program-Wait to execute
> a script in order to process some additional authentication parameters.
> Is there anyway I can do this since I'm using M
problem is that I would like to make use of Exec-Program-Wait
to execute a script in order to process some additional authentication
parameters. Is there anyway I can do this since I’m using MySQL for authorisation?
Thanks,
Joe
s are
correct.
Exec-Program = "/bin/sh /home/radius/test.sh"
fixes the problem.
--mel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pr 13, 2004, at 20:53, mel wrote:
A simple test script:
echo "hello" > rad.txt
acct_users:
testuser Password == "test123"
Exec-Program = "sh /home/radius/test.sh"
It does not produce the rad.txt. tesh.sh has
the correct permission and it is executable.
Leav
A simple test script:
echo "hello" > rad.txt
acct_users:
testuser Password == "test123"
Exec-Program = "sh /home/radius/test.sh"
It does not produce the rad.txt. tesh.sh has
the correct permission and it is executable.
Leaving out the "sh" to just
Karl Pielorz <[EMAIL PROTECTED]> wrote:
> If I remove the "Exec-Program-Wait" from the radreply table, then post-auth
> gets invoked when the user logs in.
>
> Are the two mutually exclusive?
Yes. You should use rlm_exec instead.
Alan DeKok.
led 'users'. When the user logs
in, from the radreply table, I return:
Session-Timeout := 7200
Exec-Program-Wait = "/usr/local/radius/bin/pre-auth"
From the 'radgroupreply' for the group 'users' I also return:
Service-Type := Framed
Framed-Protocol := PPP
E
Zoilo <[EMAIL PROTECTED]> wrote:
> The nicest way to do this I think is if I can inject some
> 'Exec'-attributes into the reply chain, but they should always be
> executed on the *Local* Server, never on the Remote Server. In this way
> I could just attach e.g. Exec
icest way to do this I think is if I can inject some
'Exec'-attributes into the reply chain, but they should always be
executed on the *Local* Server, never on the Remote Server. In this way
I could just attach e.g. Exec-Program=S2 and Exec-Program=P2 to the
reply chain on the remote
Alan DeKok wrote:
Zoilo <[EMAIL PROTECTED]> wrote:
Can I somehow have the rlm_passwd module add an 'Exec-Program' attribute
to the reply chain?
Yes. See doc/rlm_passwd for how to do it.
Thanks Alan, sorry for not being precise.
The problem is that for all users in t
Zoilo <[EMAIL PROTECTED]> wrote:
> Can I somehow have the rlm_passwd module add an 'Exec-Program' attribute
> to the reply chain?
Yes. See doc/rlm_passwd for how to do it.
Alan DeKok.
I authorize users either against rlm_passwd or a radius proxy.
Now I want to exec a program only if the user was authorized against
rlm_passwd. What is the nicest way to do this?
Can I somehow have the rlm_passwd module add an 'Exec-Program' attribute
to the reply chain?
Or should
"Nathan Miller" <[EMAIL PROTECTED]> wrote:
> Noticed the new rlm_exec functionality after upgrading from 0.8.1 -> 0.9.3.
> I currently use Exec-Program-Wait in the users file extensively to do
> external authentications. Is rlm_exec eventually going to phase out
Noticed the new rlm_exec functionality after upgrading from 0.8.1 -> 0.9.3.
I currently use Exec-Program-Wait in the users file extensively to do
external authentications. Is rlm_exec eventually going to phase out
Exec-Program-Wait function?
I ask mainly because I have tried doing the same th
Fri, 23 Jan 2004, Alan DeKok wrote:
> Andrei Loukinykh <[EMAIL PROTECTED]> wrote:
> > So I started FR as root:daemon and gave the same own's to the program.
> > Still the same.
> > May be FR changes effective uid/gid for the external program it runs...?
>
> No.
>
> Can you say what platf
Andrei Loukinykh <[EMAIL PROTECTED]> wrote:
> So I started FR as root:daemon and gave the same own's to the program.
> Still the same.
> May be FR changes effective uid/gid for the external program it runs...?
No.
Can you say what platform you're running on?
Alan DeKok.
Fri, 23 Jan 2004, Albert Miles Enabe wrote:
> In my Linux box, my radiusd starts up as a daemon, so I did this:
>
> chown daemon:root setexpiredate
>
> where setexpiredate is an external C program specified in Exec-Program
> in radiusd.conf.
May be it's stupid, b
sion are you using? If you're not using 0.9.3, upgrade to
> > it, and then see if the problem persists.
> 0.9.3. And the problem persists as i wrote before unless I start it
> with
> '-X'.
In my Linux box, my radiusd starts up as a daemon, so I did this:
chown daemon:r
Thu, 22 Jan 2004, Alan DeKok wrote:
> Andrei Loukinykh <[EMAIL PROTECTED]> wrote:
> > I'm trying to get my external program to work ( which is in fact -
> > a billing program for users' accounting)
>
> Which version are you using? If you're not using 0.9.3, upgrade to
> it, and then see if
Andrei Loukinykh <[EMAIL PROTECTED]> wrote:
> I'm trying to get my external program to work ( which is in fact -
> a billing program for users' accounting)
Which version are you using? If you're not using 0.9.3, upgrade to
it, and then see if the problem persists.
Alan DeKok.
Thu, 22 Jan 2004, Christian Richter wrote:
> Better should be to let Freeradius access the needed files as nobody.
> Other idea is to put the binary in a group, where it can read the files
> (chown : ).
> To get the user-id simply type " ps -ux " and search for freeradius.
Hmmm .. I starte
Andrei Loukinykh wrote:
As in default configuration. nobody/nogroup.
Seems I need to change it to something with root privileges...
to let my program operate in /var/run.. or elsewhere it needs to.
Thank you, I'll try ...
Best regards,
Andy
Better should be to let Freeradius access the needed
Thu, 22 Jan 2004, Dennis Roos wrote:
> On Thu, 2004-01-22 at 14:25, Andrei Loukinykh wrote:
>
> > What changes happens with external program execution when FR runs in
> > debug mode?
> When run in debug mode, AFAIK freeradius doesn't drop root privileges.
>
> What user/group does your freer
On Thu, 2004-01-22 at 14:25, Andrei Loukinykh wrote:
> What changes happens with external program execution when FR runs in
> debug mode?
When run in debug mode, AFAIK freeradius doesn't drop root privileges.
What user/group does your freeradius run as when started without -X
--
Regards,
Denn
Hello freeradius-users,
I'm trying to get my external program to work ( which is in fact -
a billing program for users' accounting)
I have in /etc/acct_users:
DEFAULT Acct-Status-Type == Start
Exec-Program = "/usr/bin/billing -d"
I couldn't get it work t