Hi, I'm using FreeRADIUS 2.1.3. At the end of the authorize section I need to call a Perl script to do some LDAP checking and either set the Auth-Type to Reject (to forcibly reject a user) or leave it set to whatever value FreeRADIUS has previously set (always LDAP). I used to do this with rlm_perl but it looks like backslashes in the plaintext User-Password attribute causes things to break, and I need a quick fix while I look at what to do about the rlm_perl problem. I have the exec module enabled in the instantiate section of radiusd.conf and I have the following at the end of the authorize section in the sites-enabled/default file: if (control:Auth-Type == LDAP) { update control { Auth-Type = `%{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}}` } } When I run the basic test with debug (-X) turned on I see the following trace: [snip] radiusd: #### Instantiating modules #### Wed Nov 17 17:36:20 2010 : Debug: instantiate { Wed Nov 17 17:36:20 2010 : Debug: (Loaded rlm_exec, checking if it's valid) Wed Nov 17 17:36:20 2010 : Debug: Module: Linked to module rlm_exec Wed Nov 17 17:36:20 2010 : Debug: Module: Instantiating exec Wed Nov 17 17:36:20 2010 : Debug: exec { Wed Nov 17 17:36:20 2010 : Debug: wait = yes Wed Nov 17 17:36:20 2010 : Debug: input_pairs = "request" Wed Nov 17 17:36:20 2010 : Debug: shell_escape = no Wed Nov 17 17:36:20 2010 : Debug: } [snip] Wed Nov 17 17:49:21 2010 : Info: ++? if (control:Auth-Type == LDAP) Wed Nov 17 17:49:21 2010 : Info: ? Evaluating (control:Auth-Type == LDAP) -> TRUE Wed Nov 17 17:49:21 2010 : Info: ++? if (control:Auth-Type == LDAP) -> TRUE Wed Nov 17 17:49:21 2010 : Info: ++- entering if (control:Auth-Type == LDAP) {...} Wed Nov 17 17:49:21 2010 : Info: Executing /etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type} Wed Nov 17 17:49:21 2010 : Info: expand: %{control:Ldap-UserDn} -> CN=bill,OU=Facility Users,DC=foo,DC=ac,DC=uk Wed Nov 17 17:49:21 2010 : Info: expand: %{control:Auth-Type} -> LDAP Wed Nov 17 17:49:21 2010 : Debug: Exec-Program output: LDAP Wed Nov 17 17:49:21 2010 : Debug: Exec-Program-Wait: plaintext: LDAP Wed Nov 17 17:49:21 2010 : Debug: Exec-Program: returned: 0 Wed Nov 17 17:49:21 2010 : Info: result 0 Wed Nov 17 17:49:21 2010 : Info: expand: %{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}} -> LDAP Wed Nov 17 17:49:21 2010 : Debug: Exec-Program output: Wed Nov 17 17:49:21 2010 : Error: Exec-Program: FAILED to execute LDAP: No such file or directory Wed Nov 17 17:49:21 2010 : Debug: Exec-Program-Wait: plaintext: Wed Nov 17 17:49:21 2010 : Error: Exec-Program: FAILED to execute LDAP: No such file or directory Wed Nov 17 17:49:21 2010 : Debug: Exec-Program: returned: 1 Wed Nov 17 17:49:21 2010 : Info: +++[control] returns invalid Wed Nov 17 17:49:21 2010 : Info: ++- if (control:Auth-Type == LDAP) returns invalid Wed Nov 17 17:49:21 2010 : Auth: Invalid user: [bill] (from client localNas port 52340 cli AB-CD-EF-00-00-00) In this case the call to the Perl script (facilityUsers.pl) returns LDAP, but it looks like rlm_exec then tries to execute this result as a command, which fails and then the whole Access-Request message is rejected. I'm clearly doing something wrong, but I can't see what. Can anyone offer any suggestions? Thanks in advance, Mark. -- Scanned by iCritical.