external auth script

Fri Jul 22 00:27:22 CEST 2016

Hi,

If you really have to use PHP for auth I suggest you run it through a web
server in a FPM mode and then use rlm_rest to actually query your script.
Might require slightly more work but will definitely scale much better then
exec.

kind regards
Pshem

On Fri, 22 Jul 2016 at 10:15 Matthew Newton <mcn4 at leicester.ac.uk> wrote:

> On Thu, Jul 21, 2016 at 09:25:44PM +0000, Janis Heller wrote:
> > authorize {
> >       exec
> > }
>
> Yes
>
> > #  Authentication.
> > authenticate {
> >       exec
> > }
>
> No
>
>
> > <?php
> > if ($argv[1] == 'testing' && $argv[2] == 'password')
> > {
> >       echo "Accept";
>
> That's not what I wrote.
>
> "Auth-Type := Accept"
>
> >       return (0);
> > }
> > else
> >       echo "REJECT";
>
> Similarly,
>
> "Auth-Type := Reject"
>
> > It seems like the returned value of my PHP script is incorrect?
>
> Yes.
>
> You need "output_pairs = config" in your exec config as well, as I
> previously wrote.
>
> The script output is taken as an attribute list, in the same way
> as you'd put in the users file, or feed to radclient, or is output
> from the detail writer. It tells FreeRADUS what attributes to
> create, with which values.
>
>
> On Thu, Jul 21, 2016 at 09:40:06PM +0000, Janis Heller wrote:
> > Please I would like to use exec.
>
> Arran is right. Please don't complain here if you get it working,
> and then find that it stops after a short while because it can't
> cope with the workload.
>
> exec for auth is a really bad idea.
>
> But he was probably being a bit too kind about PHP.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html