hi there, im stuck in configure a simple "exec" solution. my site config looks like this: //================ START ================ authorize{ # exec update control { Auth-Type := `/usr/bin/php -f /foo/bar/baz.php --username '%{User-Name}' --password '%{User-Password}' --ip '%{Client-IP-Address}'` } } //================ END ================ so this works fine, i get the params and can handle this request. my php-script std-out response looks like this: //================ START ================ Accept WISPr-Bandwidth-Max-Up = xxx WISPr-Bandwidth-Max-Down = xxx WISPr-Redirection-URL = http://google.com //================ END ================ to test this configure, i try with CLI: //================ START ================ $ radtest foo bar localhost 0 testing123 Sending Access-Request of id 145 to 127.0.0.1 port 1812 User-Name = "foo" User-Password = "bar" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=145, length=20 //================ END ================ but i cant see any additinal response attributes, so what sould i do? any suggestions? Greez & thx, volker...
On Sep 22, 2017, at 9:44 AM, Sky <skydiablo@gmx.net> wrote:
hi there,
im stuck in configure a simple "exec" solution. my site config looks like this:
//================ START ================ authorize{ # exec update control { Auth-Type := `/usr/bin/php -f /foo/bar/baz.php --username '%{User-Name}' --password '%{User-Password}' --ip '%{Client-IP-Address}'` }
I would really recommend *not* running PHP on every request. It's very slow.
} //================ END ================
so this works fine, i get the params and can handle this request. my php-script std-out response looks like this:
//================ START ================ Accept WISPr-Bandwidth-Max-Up = xxx WISPr-Bandwidth-Max-Down = xxx WISPr-Redirection-URL = http://google.com //================ END ================
That won't work. When do you: Auth-Type := `/usr/bin/php ...` You're assigning a STRING value to the attribute "Auth-Type". It does not magically treat the first line as the string for Auth-Type, and the rest of the text as attributes. i.e. the server works the way it's documented to work. If you expect that you can do random things and have the server do what you want, computers don't work like that. If you want to add attributes to the packet, you will need to configure the 'exec' module to do that. By following the documentation.
to test this configure, i try with CLI:
//================ START ================ $ radtest foo bar localhost 0 testing123 Sending Access-Request of id 145 to 127.0.0.1 port 1812 User-Name = "foo" User-Password = "bar" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=145, length=20 //================ END ================
but i cant see any additinal response attributes, so what sould i do? any suggestions?
I fail to understand why people look at out output of radtest, and ignore the debug output from the server. Are we not documentation that in enough places? Alan DeKok.
On 22-09-17 15:51, Alan DeKok wrote:
On Sep 22, 2017, at 9:44 AM, Sky <skydiablo@gmx.net> wrote:
hi there,
im stuck in configure a simple "exec" solution. my site config looks like this:
//================ START ================ authorize{ # exec update control { Auth-Type := `/usr/bin/php -f /foo/bar/baz.php --username '%{User-Name}' --password '%{User-Password}' --ip '%{Client-IP-Address}'` }
I would really recommend *not* running PHP on every request. It's very slow.
But still it appears to be something that many users want to use, this isn't exactly the first time someone tries to shell out to run PHP. It makes me wonder if there is an actual demand for a rlm_php module that would embed it. And no, I'm not volunteering to write it. -- Herwin Weststrate
On Sep 25, 2017, at 7:43 AM, Herwin Weststrate <herwin@quarantainenet.nl> wrote:
But still it appears to be something that many users want to use, this isn't exactly the first time someone tries to shell out to run PHP. It makes me wonder if there is an actual demand for a rlm_php module that would embed it. And no, I'm not volunteering to write it.
As PHP has gotten better, I'm inclined to support an rlm_php module. But for a long time, PHP was a security issue masquerading as a language. Which is why I was opposed to including it in the server. Alan DeKok.
You're not using exec. You are making some syntax up. Create a module copies from exec example. Put your stuff into it, give it a suitable ID/name and call that name in your configured instead of exec What's the PHP script doing though? Often things are far better off being done natively alan On 22 Sep 2017 2:44 pm, "Sky" <skydiablo@gmx.net> wrote:
hi there,
im stuck in configure a simple "exec" solution. my site config looks like this:
//================ START ================ authorize{ # exec update control { Auth-Type := `/usr/bin/php -f /foo/bar/baz.php --username '%{User-Name}' --password '%{User-Password}' --ip '%{Client-IP-Address}'` } } //================ END ================
so this works fine, i get the params and can handle this request. my php-script std-out response looks like this:
//================ START ================ Accept WISPr-Bandwidth-Max-Up = xxx WISPr-Bandwidth-Max-Down = xxx WISPr-Redirection-URL = http://google.com //================ END ================
to test this configure, i try with CLI:
//================ START ================ $ radtest foo bar localhost 0 testing123 Sending Access-Request of id 145 to 127.0.0.1 port 1812 User-Name = "foo" User-Password = "bar" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=145, length=20 //================ END ================
but i cant see any additinal response attributes, so what sould i do? any suggestions?
Greez & thx, volker...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
hmmm... i know, all of you are very family with syntax and handling but
i dont
my current module is .../freeradius/modules/sws.exec
//================== START =================
exec swscheck {
wait = yes
input_pairs = request
output_pairs = reply
program = /usr/bin/php -f /foo/bar/baz.php
shell_escape = yes
}
//================== END =================
but the given site config throw en error:
//================== START =================
authorize {
update control {
swscheck //ERROR: No value given for attribute swscheck
}
}
//================== END =================
some tips ?
Am 22.09.2017 um 18:32 schrieb Alan Buxey:
> You're not using exec. You are making some syntax up. Create a module
> copies from exec example. Put your stuff into it, give it a suitable
> ID/name and call that name in your configured instead of exec
>
> What's the PHP script doing though? Often things are far better off being
> done natively
>
> alan
>
> On 22 Sep 2017 2:44 pm, "Sky" <skydiablo@gmx.net> wrote:
>
>> hi there,
>>
>> im stuck in configure a simple "exec" solution. my site config looks
>> like this:
>>
>> //================ START ================
>> authorize{
>> # exec
>> update control {
>> Auth-Type := `/usr/bin/php -f /foo/bar/baz.php --username
>> '%{User-Name}' --password '%{User-Password}' --ip '%{Client-IP-Address}'`
>> }
>> }
>> //================ END ================
>>
>> so this works fine, i get the params and can handle this request. my
>> php-script std-out response looks like this:
>>
>> //================ START ================
>> Accept
>> WISPr-Bandwidth-Max-Up = xxx
>> WISPr-Bandwidth-Max-Down = xxx
>> WISPr-Redirection-URL = http://google.com
>> //================ END ================
>>
>> to test this configure, i try with CLI:
>>
>> //================ START ================
>> $ radtest foo bar localhost 0 testing123
>> Sending Access-Request of id 145 to 127.0.0.1 port 1812
>> User-Name = "foo"
>> User-Password = "bar"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Message-Authenticator = 0x00000000000000000000000000000000
>> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=145,
>> length=20
>> //================ END ================
>>
>> but i cant see any additinal response attributes, so what sould i do?
>> any suggestions?
>>
>> Greez & thx, volker...
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 25, 2017, at 7:23 AM, Sky <skydiablo@gmx.net> wrote:
hmmm... i know, all of you are very family with syntax and handling but i don't
The documentation describes how the modules work. The documentation describes the syntax of the configuration files.
my current module is .../freeradius/modules/sws.exec
//================== START ================= exec swscheck { wait = yes input_pairs = request output_pairs = reply program = /usr/bin/php -f /foo/bar/baz.php shell_escape = yes } //================== END =================
That's fine. And no, you don't need to put ====HUGE BARS=== around the quoted text. We *can* figure it out.
but the given site config throw en error:
//================== START ================= authorize { update control { swscheck //ERROR: No value given for attribute swscheck } } //================== END =================
some tips ?
Read the documentation and examples to see what the *correct* syntax is? See "man unlang", and look for the documentation on modules. i.e. you can't just invent things and expect them to work. It also helps to *understand* how the configuration files work. The documentation does a pretty good job of explaining this. As a hint: "swscheck" isn't an attribute, and therefore doesn't belong in an "update" section. Again, read the "man unlang" documentation to see what the "update" section does. Or, read the dozens of examples in the configuration files, which show the same thing. Alan DeKok.
participants (4)
-
Alan Buxey -
Alan DeKok -
Herwin Weststrate -
Sky