Conditional only returns False
Hi, I'm trying to do an additional check for users contained on an Active Directory domain using information stored in a MySQL database. I'm using PEAP to check the users' credentials in the domain and that is working fine. The FreeRADIUS version is 2.1.12 on a CentOS 6. But when I add the following code after ntdomain in the file raddb/sites-enabled/inner-tunnel (I need the Stripped-User-Name), the check returns False even though the script output apparently matches the conditional. ntdomain if ("%{exec:/etc/raddb/scripts/user_check.py %{Stripped-User-Name}}" == "Accept") { update control { Auth-Type := "Accept" } } else { update control { Auth-Type := "Reject" } } Running the script manually with one argument shows the expected output. This is the output of radiusd -X ... [ntdomain] Looking up realm "NTDOMAIN" for User-Name = "NTDOMAIN\daniel.carrington" [ntdomain] Found realm "NTDOMAIN" [ntdomain] Adding Stripped-User-Name = "daniel.carrington" [ntdomain] Adding Realm = "NTDOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++? if ("%{exec:/etc/raddb/scripts/user_check.py %{Stripped-User-Name}}" == "Accept") Executing /etc/raddb/scripts/user_check.py %{Stripped-User-Name} expand: %{Stripped-User-Name} -> daniel.carrington Exec-Program output: Accept Exec-Program-Wait: plaintext: Accept Exec-Program: returned: 0 result 0 expand: %{exec:/etc/raddb/scripts/user_check.py %{Stripped-User-Name}} -> Accept ? Evaluating ("%{exec:/etc/raddb/scripts/user_check.py %{Stripped-User-Name}}" == "Accept") -> FALSE ++? if ("%{exec:/etc/raddb/scripts/user_check.py %{Stripped-User-Name}}" == "Accept") -> FALSE ++- entering else else {...} +++[control] returns ok ++- else else returns ok ++[control] returns ok [eap] EAP packet type response id 7 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation [eap] WARNING: Auth-Type already set. Not setting to EAP ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ... And this is the content of raddb/modules/exec: exec { wait = yes input_pairs = request shell_escape = yes output = none } Is there something wrong with this setup? Thanks in advance!
participants (1)
-
Bruno de Paula Larini