Re: Access-Reject in a php script
Hi everyone! Thank your for your answers... Alan, Patric has totally right. I've set the reject_delay to "0" and the result was the same. I really don't want to touch to the source code and I am sure we can find another way 1) if there is a server timeout, is it assumed as an Access-reject (or does the user will be given access ?) 2) for instance, executing a script from another language which exit 2 from PHP...I tried it with a sh script and it does not work 3) If I reply with a Session-Timeout := 0...may be it will be the same effect (I know it is not clean but I have no other choice 4) If the previous solutions do not work, I will probably have to change the code...so Patric, I think the name of the file has changed: it is rlm_exec.c instead of exec.c. Also, After compiling it, could you give some hints to uninstall the previous version and to install the new version properly. Thank you for your comprehension. Khalid ps:Sorry, I sent that email twice but the "Subject" of the previous one was wrong.
manIP wrote:
Hi,
I have put exit(2) but as Patric said, freeradius thinks that the script failed and does not respond to the access-request. In the client side, there is a server time out...I don't know if that server time out is assumed as an Access-Reject?
No it does not assume an access-reject - it registers it as no response, which is undesirable.
As Alan said : "It delays the Access-Reject. See the debug output." I tried setting "reject_delay = 0" in the radius.conf but that did not help.
May be the problem comes from PHP and I could use the UNIX system() function send back the code 2.
I believe that this specific scenario only occurs with PHP as I said before, because of the way it sends its status codes (in the exit call). I don't know how else to do it, which is why I changed the code for my use...
--
Q: I want to be a sysadmin. What should I do?
A: Seek professional help.
manIP wrote:
1) if there is a server timeout, is it assumed as an Access-reject (or does the user will be given access ?)
Yes.
2) for instance, executing a script from another language which exit 2 from PHP...I tried it with a sh script and it does not work
Nonsense. See the FAQ for "it doesn't work".
3) If I reply with a Session-Timeout := 0...may be it will be the same effect (I know it is not clean but I have no other choice
No.
4) If the previous solutions do not work, I will probably have to change the code...so Patric, I think the name of the file has changed: it is rlm_exec.c instead of exec.c. Also, After compiling it, could you give some hints to uninstall the previous version and to install the new version properly.
There is no need to change the code. If your script exits with a non-zero exit code, then the authentication fails. If this isn't happening, then something else is going on, or you're not doing what you're saying you're doing. Rather than discuss what you think you're doing, post the debug output. This is in the FAQ, README, and INSTALL. The debug output WILL tell you what's going on. There is no extra magic we have in reading the debug output. But we READ IT. Alan DeKok.
Alan DeKok wrote:
There is no need to change the code.
If your script exits with a non-zero exit code, then the authentication fails. If this isn't happening, then something else is going on, or you're not doing what you're saying you're doing.
Rather than discuss what you think you're doing, post the debug output. This is in the FAQ, README, and INSTALL. The debug output WILL tell you what's going on.
There is no extra magic we have in reading the debug output. But we READ IT.
Alan DeKok.
I am sure that Alan is correct here, otherwise many other users would have the same problem. With such a large user base, there *must* be other people using php authentication scripts, yet so far only 2 of us have battled?! Something just occurred to me that I dont think I tried before. What happens if instead of doing an exit(2); you do a return(2); This way your script will still exit clean, so freeradius wont pick it up as a script failure, but hopefully will still get the result? -- Q: I want to be a sysadmin. What should I do? A: Seek professional help. ---------------------------------------------------------------------- Finally - A spam blocker that actually works. http://www.bluebottle.com/tag/4
Patric wrote:
Something just occurred to me that I dont think I tried before. What happens if instead of doing an
exit(2);
you do a
return(2);
This way your script will still exit clean, so freeradius wont pick it up as a script failure, but hopefully will still get the result?
No. If the script succeeds, the output is either a text message, or RADIUS attributes that go into an Access-Accept. If the script fails, the server sends an Access-Reject. Stop playing games with PHP and post the output of "radiusd -X". I'll bet money that the solution is right there in the debug output. Alan DeKok.
Alan DeKok wrote:
Patric wrote:
Something just occurred to me that I dont think I tried before. What happens if instead of doing an
exit(2);
you do a
return(2);
This way your script will still exit clean, so freeradius wont pick it up as a script failure, but hopefully will still get the result?
No. If the script succeeds, the output is either a text message, or RADIUS attributes that go into an Access-Accept.
If the script fails, the server sends an Access-Reject.
Stop playing games with PHP and post the output of "radiusd -X". I'll bet money that the solution is right there in the debug output.
According to the code you are 100% correct : result = radius_exec_program(inst->program, request, inst->wait, NULL, 0, in, &answer); if (result != 0) { radlog(L_ERR, "rlm_exec (%s): External script failed", inst->xlat_name); return RLM_MODULE_FAIL; } For some reason I could not get freeradius to return an access-reject before the request timed out, even when I set "reject_delay = 0" I think I understand you now, and that is where my problem lay - I should have figured out why the reject was not being sent back in time, instead of changing the code? Is that right? -- Q: I want to be a sysadmin. What should I do? A: Seek professional help. ---------------------------------------------------------------------- Get a free email account with anti spam protection. http://www.bluebottle.com/tag/2
manIP wrote:
Hi everyone!
Thank your for your answers... Alan, Patric has totally right. I've set the reject_delay to "0" and the result was the same. I really don't want to touch to the source code and I am sure we can find another way
1) if there is a server timeout, is it assumed as an Access-reject (or does the user will be given access ?)
It is not assumed as an access-reject, it is taken as a no-response, which is not desirable, but the outcome is the same - The user will be denied access.
2) for instance, executing a script from another language which exit 2 from PHP...I tried it with a sh script and it does not work 3) If I reply with a Session-Timeout := 0...may be it will be the same effect (I know it is not clean but I have no other choice
I dont think you want to do this. If for example, the client has been set to reconnect on disconnect, you will be flooded with connection attempts.
4) If the previous solutions do not work, I will probably have to change the code...so Patric, I think the name of the file has changed: it is rlm_exec.c instead of exec.c. Also, After compiling it, could you give some hints to uninstall the previous version and to install the new version properly.
Yes the file name is rlm_exec.c What I did was download the source rpm, install it, make the changes in the /usr/src/redhat/BUILD/ directory, change the version in the spec file, and build an rpm. This way you can manage your installation much better.
Thank you for your comprehension. Khalid
HTH -- Q: I want to be a sysadmin. What should I do? A: Seek professional help. ---------------------------------------------------------------------- Finally - A spam blocker that actually works. http://www.bluebottle.com/tag/4
participants (3)
-
Alan DeKok -
manIP -
Patric