rlm_exec use

Doug Hardie bc979 at lafn.org
Wed Mar 19 20:27:03 CET 2008


On Mar 19, 2008, at 11:34, T Kid82 wrote:
>> You have put significant effort into butchering the default
>> configuration.  Why?
>
> I got this from the comments in exec-program-wait (which has been
> deprecated) where it explains how to use rlm_exec. It says,
>
> "An entry for the module 'rlm_exec' must be added to the file
> 'radiusd.conf' with the path of the script."
>
> authorize {
> 	...
> 	exec
> 	...
> }
>
> I also added
>
> exec {
> 	program = "/usr/local/etc/raddb/authenticate"
> 	wait = yes
> 	input_pairs = request
> 	output_pairs = reply
> }
>
> to my radiusd.conf which is also from the comments in
> exec-program-wait
>
>
>> Why would this let all users through?
> I thought that since I am always returning 3 to the server, that this
> would let all users pass through.
>
>> you didn't set Auth-Type
> Where do I set the Auth-Type? Can you provide a sample code snippet on
> how to do this? Or perhaps a link to the doc.
>
>> If you think this isn't necessary, then you need to spend more time  
>> understanding how the server works.
> I don't know either way. That's why I decided to mail the list. I have
> looked through quite a bit of documentation but I didn't find much on
> this particular module.


It's not obvious what you are really trying to accomplish.  However, I  
suspect you would like to use your own special criteria for  
determining if access should be permitted.  rlm_exec is a very  
inefficient way to do that.  You can make it work, but it will require  
extensive forks and perform rather poorly.  rlm_perl works a whole lot  
better.  However, if you are really concerned about performance, you  
should consider rolling your own module.  There is an example of how  
to do that in the wiki.  That will give you the best performance as  
you will not incur the perl overhead either.

There is a really big difference between authorization and  
authentication modules.  Creating an authorization module is probably  
all you need to do.  Authentication modules require much more than  
just including them in the list of authentication modules.  I  
understand that you also might have to modify the base radiusd code  
for them in addition to creating a module that requires some very  
special structuring.  Freeradius separates the concepts of  
authentication from authorization to relieve you of the details of  
some of the very complex authentication schemes.  Generally all you  
need to deal with is authorization.  If you use the default  
authentication setup, radiusd will figure out which method to use and  
take care of it.

If you are going to make major mods to the configuration, you will  
need to start reading the source code.  There just isn't that much  
documented beyond that.
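
A small rlm_perl authorization hook of the kind suggested above, as an added example that is not part of the original thread: it applies custom accept/reject criteria in authorize and leaves password checking to the server's default authentication setup. The allow list, the disabled-user list and the deny helper are constructed for illustration; the hash names and return codes follow the example.pl shipped with FreeRADIUS.

```perl
# Added example (not from the thread): custom access policy in an
# rlm_perl authorize hook. Policy data below is constructed.
use strict;
use warnings;

# Hashes rlm_perl fills in for each request (names as in example.pl).
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Module return codes, values as listed in FreeRADIUS's example.pl.
use constant {
    RLM_MODULE_REJECT => 0,    # immediately reject the request
    RLM_MODULE_FAIL   => 1,    # module failed, don't reply
    RLM_MODULE_OK     => 2,    # the module is OK, continue
    RLM_MODULE_NOOP   => 7,    # module succeeded without doing anything
};

# Hypothetical policy: which NAS devices may send requests, and which
# accounts are administratively disabled.
my %ALLOWED_NAS   = map { $_ => 1 } qw(192.0.2.10 192.0.2.11);
my %DISABLED_USER = map { $_ => 1 } qw(olduser contractor1);

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    my $nas  = $RAD_REQUEST{'NAS-IP-Address'};

    # Fail closed: a request missing the attributes the policy needs
    # is rejected rather than passed through.
    return deny() unless defined $user && defined $nas;
    return deny() unless $ALLOWED_NAS{$nas};
    return deny() if $DISABLED_USER{ lc $user };

    # Policy passed. No password is checked here: returning OK lets the
    # server carry on to its normal authenticate section.
    return RLM_MODULE_OK;
}

# Hypothetical helper: reject with a generic message so the reply does
# not disclose which check failed.
sub deny {
    $RAD_REPLY{'Reply-Message'} = 'Access denied by policy';
    return RLM_MODULE_REJECT;
}
```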


