Accessing %{client:...} in C custom module

Boris Lytochkin lytboris at yandex-team.ru
Thu Mar 3 14:34:43 CET 2016 

Hi.

I am trying to add some information on $subj to wiki.freeradius.org and get HTTP/500 persistenly.
Can anybody push this section above `Adding a reply attribute` section:
==========================
Accessing RADIUS client additional attributes
-----------------------------------------
Configuration for a RADIUS client defined in clients.conf can hold arbitrary-named additional attributes. These
attributes may be used for various reasons, for example, to specify client's group name.
These additional attributes are accessible though XLAT expansion in radiusd.conf (``"%{client:...}"``). C module
can access these attributes using:
```c
CONF_PAIR *mycp;
const char *value;
mycp = cf_pair_find(request->client->cs, "group");
value = cf_pair_value(mycp);
```
It extracts ``group`` attribute defined as
client TESTCLIENT {
  ipv4addr       = 10.0.0.2
  secret         = mysupersecret
  nastype        = other
  group          = "mygroup"
}
==========================
?

Thanks.

On 02.03.2016 16:17, Alan DeKok wrote:
> On Mar 2, 2016, at 2:52 AM, Boris Lytochkin <lytboris at yandex-team.ru> wrote:
>> Tried using %{client:group} in radiusd.conf:
>> ====
>> server default {
>>    ...
>>         # Authorization.
>>         authorize {
>>                 preprocess
>>                 auth_log
>>                 reply_log
>>                 suffix
>>                 if (%{client:group} == "8021X") {
>    That syntax is wrong.
>
>> ====
>> running radiusd -X will result in
>> ====
>> ...
>> (7)     if (%{client:group} == "8021X") {
>> (7)     if (%{client:group} == "8021X")  -> FALSE
>> ...
>> ====
>> And I am more than sure that `group` attribute is defined for this client.
>    That may be so.  But the syntax is wrong.  See "man unlang".
>
>> Additionally, you can not check for attribute existence:
>> /usr/local/etc/raddb/radiusd.conf[250]: Parse error in condition
>> /usr/local/etc/raddb/radiusd.conf[250]: (%{client:group}) {
>> /usr/local/etc/raddb/radiusd.conf[250]:  ^ Expected a module return code
>>
>> Is this expected? I am playing with 3.0.10.
>    Yes, it's expected.  It's documented.
>
>    String expansions are done by using double quotes around the string to be expanded.  All of the documentation and examples do this.
>
>    I'll add another check and a WARNING message to catch this case, and explain what's wrong about it.
>
>    You MUST use quotes:
>
> 	 if ("%{client:group}" == "8021X") {
>
>    Alan DeKok
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

-- 
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671

More information about the Freeradius-Devel mailing list