Hello, I have downloaded the source code and built and installed freeradius server 3.0.16 on Ubuntu 17. I want to create new modules. I have only found good info on one site "Creating modules for FreeRADIUS v3.0.x". Any pointers to other sites - I have only just started working with Radius. My main question, do I have to full radius compile, build and install again. Is there a way of just compiling the module so that the server will pick it up? For example I want to make a small change in the rlm_pap.c file Many thanks Jonathan
On Nov 24, 2017, at 10:04 AM, Jonathan Anthony <jonathan.anthony@siliconsafe.com> wrote:
I have downloaded the source code and built and installed freeradius server 3.0.16 on Ubuntu 17. I want to create new modules. I have only found good info on one site "Creating modules for FreeRADIUS v3.0.x". Any pointers to other sites - I have only just started working with Radius.
See src/modules/rlm_example/ It has some example code for doing things.
My main question, do I have to full radius compile, build and install again.
That's the easiest way.
Is there a way of just compiling the module so that the server will pick it up? For example I want to make a small change in the rlm_pap.c file
If the pre-built binary is from the same source you're using, then you should be able to just modify the module. But you can't mix & match from (say) a debian package of 3.0.15, and your own custom rlm_pap. And why make changes to rlm_pap? Unlang can do most of what you need. And if you need something else, maybe other people need it too, and therefore sending the patches back would be useful. Alan DeKok.
Thank you Alan for your help. I am still a little confused. What we are doing is that we have a secure box for storing, initially usernames and passwords using our own built hardware/software. 1. We want to write a "plug-in" which I assume will be a module, so that when authenticating a user, it will send a command to our box. The box returns simply yes or no depending if the password matches. I thought rlm_pap authenticates using the flat users file. So we assumed that if we modified pap, this would work. Sorry if this is stupid question but I have just started with Radius 2. Say our authentication is called SNAP. How does the radius server select our module to authenticate. I did notice a "hints" file but not sure how this will work. Many thanks Jonathan Anthony -----Original Message----- From: Freeradius-Devel [mailto:freeradius-devel-bounces+jonathan.anthony=siliconsafe.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, November 24, 2017 5:01 PM To: FreeRadius developers mailing list <freeradius-devel@lists.freeradius.org> Subject: Re: Compiling modules On Nov 24, 2017, at 10:04 AM, Jonathan Anthony <jonathan.anthony@siliconsafe.com> wrote:
I have downloaded the source code and built and installed freeradius server 3.0.16 on Ubuntu 17. I want to create new modules. I have only found good info on one site "Creating modules for FreeRADIUS v3.0.x". Any pointers to other sites - I have only just started working with Radius.
See src/modules/rlm_example/ It has some example code for doing things.
My main question, do I have to full radius compile, build and install again.
That's the easiest way.
Is there a way of just compiling the module so that the server will pick it up? For example I want to make a small change in the rlm_pap.c file
If the pre-built binary is from the same source you're using, then you should be able to just modify the module. But you can't mix & match from (say) a debian package of 3.0.15, and your own custom rlm_pap. And why make changes to rlm_pap? Unlang can do most of what you need. And if you need something else, maybe other people need it too, and therefore sending the patches back would be useful. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On Mon, 2017-11-27 at 10:01 +0000, Jonathan Anthony wrote:
I am still a little confused. What we are doing is that we have a secure box for storing, initially usernames and passwords using our own built hardware/software. 1. We want to write a "plug-in" which I assume will be a module, so that when authenticating a user, it will send a command to our box. The box returns simply yes or no depending if the password matches. I thought rlm_pap authenticates using the flat users file. So we assumed that if we modified pap, this would work. Sorry if this is stupid question but I have just started with Radius
No, the rlm_files reads the flat users file. It can, as an example, set the Cleartext-Password attribute with the known password of the user. rlm_pap checks that the User-Password supplied in the RADIUS request matches with the password in the Cleartext-Password, Password-with- Header or other similar attributes. So combined they will do what you are thinking. The usual method is to supply the password from the database (I guess in this case your own solution) to the RADIUS server, and then the RADIUS server checks that the password is correct. The password can be supplied by many means - hence rlm_files (users file), rlm_ldap (read from LDAP), rlm_sql (read from an SQL database), etc.
2. Say our authentication is called SNAP. How does the radius server select our module to authenticate. I did notice a "hints" file but not sure how this will work.
As an example, in the authorize{} section the files module will read the Cleartext-Password for the user, and the pap module will detect that there is a Cleartext-Password and a User-Password (supplied in the request) and set the Auth-Type to "PAP". Then the server calls the authenticate{} section called "PAP", which again calls the pap module to check that the username and password are correct. You can mix and match these as you like, or set Auth-Type yourself (though this is not recommended, most people get it wrong). I guess the main question is why you need to write a C module to talk to your solution. What protocols do you support. For instance, if you have an HTTP REST API, then you can already use rlm_rest to talk to it. Read the "concepts" and "getting started" pages on the wiki for another explanation of how the server works. -- Matthew
On Nov 27, 2017, at 5:01 AM, Jonathan Anthony <jonathan.anthony@siliconsafe.com> wrote:
Thank you Alan for your help. I am still a little confused. What we are doing is that we have a secure box for storing, initially usernames and passwords using our own built hardware/software. 1. We want to write a "plug-in" which I assume will be a module, so that when authenticating a user, it will send a command to our box. The box returns simply yes or no depending if the password matches. I thought rlm_pap authenticates using the flat users file. So we assumed that if we modified pap, this would work. Sorry if this is stupid question but I have just started with Radius
The documentation for each module *does* say exactly what the module does and how it works...
2. Say our authentication is called SNAP. How does the radius server select our module to authenticate. I did notice a "hints" file but not sure how this will work.
Don't write your own module. Use an existing one. Maybe rlm_rest, as Matthew suggested. If you need custom code, write it in Perl or Python. That solves a few problems. * if you're not familiar with the FreeRADIUS internals... you shouldn't write a module. It's not trivial to do it correctly. * if you distribute FreeRADIUS with your custom module, the module *must* fall under the GPL. So people can ask for source for your module. If you don't give it to them you lose all rights under the GPL and can no longer distribute FreeRADIUS * writing custom code in Perl or Python means you work with attributes (i.e. things you see), not the internal API. This is much, much, easier. Plus, it bypasses GPL issues. Alan DeKok.
participants (3)
-
Alan DeKok -
Jonathan Anthony -
Matthew Newton