Problem writing config attributes from script
Yannick Deltroo
deltroo at gmail.com
Wed Dec 21 21:16:21 CET 2005
Alan, thanks for your help.
I've read the rlm_exec documentation in the configuration file before
posting on the list.
As you can see, I actually run two scripts in the authorization section.
The first script to run is "authorize_prepaid_account", which is
correctly set to output to config, as per the documentation. Then, I
run a second script called "dump", just to write environment variables
to a file (to see what's going on). "dump" does not output any pairs,
so whether it's set to write to reply or config should not have an
impact.
When I play around with what the "authorize_prepaid_account" script is
doing, I can reproduce this strange behavior:
1- If "authorize_prepaid_account" only outputs Password = XXXXX, then
everything works fine. I can authorize/authenticate. My dump file
shows that Password = XXXX was correctly written to config attributes.
2- If I modify "authorize_prepaid_account" to output two pairs instead
of just Password =, i.e. something like
Post-Auth-Type = THIRD_SCRIPT
Password = XXXXX
I cannot authenticate. CHAP authentication fails (see debug log below).
My dump file shows that the output of "authorize_prepaid_account" was
not taken into account. (No Post-Auth-Type, No password written to
config => chap fails)
The server is running with the exact same configuration in case 1 and case 2.
I'm just commenting out lines in my script manually.
Am I missing something about the correct format for a script output?
I guess it's one pair per line?
I'm using FreeRADIUS 1.0.5
====================================================
radius.log
exec authorize_prepaid_account {
    wait = yes
    program = "/etc/raddb/scripts/authorize %{User-Name}"
    output_pairs = config
    packet_type = Access-Request
}
exec dump {
    wait = yes
    program = "/etc/raddb/scripts/dump %{User-Name}"
    input_pairs = config
    output_pairs = reply
    packet_type = Access-Request
}
authorize {
    preprocess
    auth_log
    chap
    mschap
    authorize_prepaid_account
    files
    sql
    dump
}
=========================================================
Daemon debug output
exec: wait = yes
exec: program = "/etc/raddb/scripts/authorize %{User-Name}"
exec: input_pairs = "request"
exec: output_pairs = "config"
exec: packet_type = "Access-Request"
.....
exec: wait = yes
exec: program = "/etc/raddb/scripts/dump %{User-Name}"
exec: input_pairs = "config"
exec: output_pairs = "reply"
exec: packet_type = "Access-Request"
......
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_chap: login attempt by "prepaid1" with CHAP password
rlm_chap: Could not find clear text password for user prepaid1
modcall[authenticate]: module "chap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [prepaid1/<CHAP-Password>] (from client WRT54G port 0 cli 00-04-23-6C-89-87)
=========================================================
On 12/21/05, Alan DeKok <aland at ox.org> wrote:
> Yannick Deltroo <deltroo at gmail.com> wrote:
> > However these config attributes are not taken into account for
> > processing by other modules.
>
> Because you're putting the attributes into the reply item list, not
> the config item list.
>
> > Module: Instantiated exec (authorize_prepaid_account)
> > .....
> > exec: wait = yes
> > exec: program = "/etc/raddb/scripts/dump %{User-Name}"
> > exec: input_pairs = "config"
> > exec: output_pairs = "reply"
>
> See? Change "output_pairs" to "config", and it should work.
>
> The documentation for rlm_exec explains this.
>
> Alan DeKok.