external auth script

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Fri Jul 22 10:19:23 CEST 2016


Because in the authorize section you set the Auth-Type to 'exec'.

So FreeRADIUS expects to see an 'exec' authenticate item.

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet

jisc.ac.uk


On 22/07/2016, 07:45, "Freeradius-Users on behalf of Janis Heller"
<freeradius-users-bounces+stefan.paetow=jisc.ac.uk at lists.freeradius.org on
behalf of janis.heller at outlook.de> wrote:

>I’ve done some research nearly the whole night.
>From my point of view I only need the authorize{} part. Here’s my entry
>in the default config file:
>
>authorize {
>	    update control {
>	        Auth-Type := exec
>	    }
>}
>
>authenticate {
>	exec
>}
>
>As soon as I delete the entry from „authenticate“ I get an error saying:
>
>/etc/freeradius/sites-enabled/default[58]: Unknown or invalid value
>"exec" for attribute Auth-Type
>/etc/freeradius/sites-enabled/default[56]: Errors parsing authorize
>section.
>
>Here’s my PHP script:
>
><?php
>if ($argv[1] == 'testing' && $argv[2] == 'password')
>{
>	exit (0);
>}
>else
>	exit(2);
>?>
>
>Why did I need to fill exec into the authenticate section too? I just
>want to use radius to send the username & password to my script and the whole
>checking process is made by the script.
>
>After I read about „rlm_rest“, building a small web API for validation
>would be the best idea I think. Are there some examples of how I include
>„rlm_rest“ for the authorize section?  As I already said, I only need radius
>to perform checks in the authorize section, other sections (authorization
>& accounting) can be empty, from my point of view?!
>
>Regards;
>
>janis
>
>> On 22.07.2016 at 00:27, Pshem Kowalczyk <pshem.k at gmail.com> wrote:
>> 
>> Hi,
>> 
>> If you really have to use PHP for auth I suggest you run it through a web
>> server in a FPM mode and then use rlm_rest to actually query your script.
>> Might require slightly more work but will definitely scale much better than
>> exec.
>> 
>> kind regards
>> Pshem
>> 
>> 
>> On Fri, 22 Jul 2016 at 10:15 Matthew Newton <mcn4 at leicester.ac.uk> wrote:
>> 
>>> On Thu, Jul 21, 2016 at 09:25:44PM +0000, Janis Heller wrote:
>>>> authorize {
>>>>      exec
>>>> }
>>> 
>>> Yes
>>> 
>>>> #  Authentication.
>>>> authenticate {
>>>>      exec
>>>> }
>>> 
>>> No
>>> 
>>> 
>>>> <?php
>>>> if ($argv[1] == 'testing' && $argv[2] == 'password')
>>>> {
>>>>      echo "Accept";
>>> 
>>> That's not what I wrote.
>>> 
>>> "Auth-Type := Accept"
>>> 
>>>>      return (0);
>>>> }
>>>> else
>>>>      echo "REJECT";
>>> 
>>> Similarly,
>>> 
>>> "Auth-Type := Reject"
>>> 
>>>> It seems like the returned value of my PHP script is incorrect?
>>> 
>>> Yes.
>>> 
>>> You need "output_pairs = config" in your exec config as well, as I
>>> previously wrote.
>>> 
>>> The script output is taken as an attribute list, in the same way
>>> as you'd put in the users file, or feed to radclient, or is output
>>> from the detail writer. It tells FreeRADIUS what attributes to
>>> create, with which values.
>>> 
>>> 
>>> On Thu, Jul 21, 2016 at 09:40:06PM +0000, Janis Heller wrote:
>>>> Please I would like to use exec.
>>> 
>>> Arran is right. Please don't complain here if you get it working,
>>> and then find that it stops after a short while because it can't
>>> cope with the workload.
>>> 
>>> exec for auth is a really bad idea.
>>> 
>>> But he was probably being a bit too kind about PHP.
>>> 
>>> Matthew
>>> 
>>> 
>>> --
>>> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>>> 
>>> Systems Specialist, Infrastructure Services,
>>> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>>> 
>>> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>
>
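
An added example, not code from the thread or from the FreeRADIUS project: an exec program that answers the way Matthew Newton describes above, by printing an attribute list ("Auth-Type := Accept" or "Auth-Type := Reject") for an exec module that is called from authorize and configured with output_pairs = config. It assumes the username and password arrive as the two command-line arguments, as in the PHP script on this page; the user store, salts and function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example: exec program whose stdout is a FreeRADIUS attribute list."""
import hashlib
import hmac
import sys

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password hash so no cleartext password is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: username -> (salt, PBKDF2 hash). The account
# "testing"/"password" mirrors the test credentials in the PHP script above.
USERS = {"testing": (b"constructed-salt", _hash("password", b"constructed-salt"))}

# Dummy record so an unknown username costs the same work as a known one.
_DUMMY = (b"dummy-salt", _hash("", b"dummy-salt"))


def decide(args: list[str]) -> str:
    """Return the attribute-list line for args = [username, password]."""
    # Missing or empty arguments are rejected instead of raising an error.
    if len(args) != 2 or not args[0] or not args[1]:
        return "Auth-Type := Reject"
    username, password = args
    known = username in USERS
    salt, expected = USERS.get(username, _DUMMY)
    # Always hash, and compare in constant time.
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return "Auth-Type := Accept" if (known and ok) else "Auth-Type := Reject"


if __name__ == "__main__":
    # The decision is carried by the printed pair, which the server reads as
    # a control ("config") attribute when output_pairs = config is set.
    print(decide(sys.argv[1:]))
```

Passing the password as a command-line argument, as the PHP script on this page does, makes it visible in the local process list while the program runs.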



