3.0.4: proxy-to-vserver and proxied post-auth?
Hello, I've migrated almost all my virtual servers - but one - to 3.0.4. There's one thing which I had expected to work, but it doesn't, but I do recall some discussions around this on the list; but not what the final verdict was. My proxied-to vserver needs to do some stuff in post-auth. However it looks like post-auth is not actually called; instead, only the post-auth of the original vserver is. Is that desired/expected behaviour in 3.0.4? The symptoms of this boils down to these two lines: Debug: (55) modsingle[authenticate]: returned from pap (rlm_pap) for request 55 Debug: (55) [pap] = ok Debug: (55) } # Auth-Type PAP = ok Debug: (55) Empty post-proxy section. Using default return values. Debug: (55) Found Auth-Type = Accept Debug: (55) Auth-Type = Accept, accepting the user Debug: (55) # Executing section post-auth from file /usr/local/freeradius/config/raddb/sites-enabled/AAI The PAP instance there is the one from the proxied-to vserver; must be, as it knows my password and the retrieval of that password is unique to the vserver in question. The next line speaks about empty post-proxy; that looks like the initial vserver kicks in right after authenticate { } with its PAP is finished. It then executes post-auth from the initial vserver, not the one from proxied-to (the proxied-to vserver is called "staff", not "AAI"). That's not helpful for my setup :-( So... just wondering if this is a bug or if I'm going to need a majorish rethink of my post-auth logic here... Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Stefan Winter wrote:
My proxied-to vserver needs to do some stuff in post-auth. However it looks like post-auth is not actually called; instead, only the post-auth of the original vserver is.
Is that desired/expected behaviour in 3.0.4?
No. I'll go poke it. Right now, the post_auth section is called just before it sends a reply packet. Since the virtual servers don't send reply packets, post_auth doesn't get called. This should be a ~10 line fix. I'll push a fix later today, so it should work tomorrow from the v3.0.x git branch. Alan DeKok.
Hi,
I've pushed a fix. Please try it, and see if it helps.
FWIW, I finally found the time to test it, and it *does* work again with current 3.0.x. Thanks, Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (2)
-
Alan DeKok -
Stefan Winter