On Mar 19, 2008, at 11:34, T Kid82 wrote:
You have put significant effort into butchering the default configuration. Why?
I got this from the comments in exec-program-wait (which has been deprecated) where it explains how to use rlm_exec. It says,
"An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script."
authorize { ... exec ... }
I also added
exec { program = "/usr/local/etc/raddb/authenticate" wait = yes input_pairs = request output_pairs = reply }
to my radiusd.conf which is also from the comments in exec-program- wait
Why would this let all users through? I thought that since I am always returning 3 to the server, that this would let all users pass through.
you didn't set Auth-Type Where do I set the Auth-Type. Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.
If you think this isn't necessary, then you need to spend more time understanding how the server works. I dont know either way. Thats why I decided to mail the list. I have looked through quite a bit of documentation but I didnt find much on this particular module
Its not obvious what you are really trying to accomplish. However, I suspect you would like to use your own special criteria for determining if access should be permitted. rlm_exec is a very inefficent way to do that. You can make it work, but it will require extensive forks and perform rather poorly. rlm_perl works a whole lot better. However, if you are really concerned about performance, you should consider rolling your own module. There is an example of how to do that in the wiki. That will give you the best performance as you will not incur the perl overhead either. There is a really big difference between authorization and authentication modules. Creating an authorization module is probably all you need to do. Authentication modules require much more than just including them in the list of authentication modules. I understand that you also might have to modify the base radiusd code for them in addition to creating a module that requires some very special structuring. Freeradius separates the concepts of authentication from authorization to relieve you of the details of some of the very complex authentication schemes. Generally all you need to deal with is authorization. If you use the default authentication setup, radiusd will figure out which method to use and take care of it. If you are going to make major mods to the configuration, you will need to start reading the source code. There just isn't that much documented beyond that.