Modifying User-Name and User-Password attributes in a module
Stefan Winter
stefan.winter at restena.lu
Fri Apr 11 09:41:09 CEST 2008
Hi!
> Thanks, You're right, unlang is a powerful tool. I just finished reading
> it's man page. it has very interesting features. (accessing run-time
The suggested way of working with this software is
1. read the man page and other documentation
2. ask the mailing list
3. modify source code
Your complete inversion of this order didn't seem to work well.
> variables is wonderful). Your assumptions on my scenario is almost true
> and I do believe that your suggestion (regex in unlang) can completely
> remove any need for using a module in order to modify a request.
> However, In this specific scenario, I need much more further processing
> which should be done before I can decide to send a REJECT or ACCEPT. For
> example, I have to send extracted OTP to a remote authentication manager
> which it's answer would determine final authentication result.
> In more detail it should be something like: open a socket, create a
> specific request packet, send it, wait for answer, parse the answer
> packet, and do further processing based on received answer from 2FA server.
> Also, if we consider multi threading operation, there might be more
> issues that need to be taken care of.
> Nevertheless, I believe even using a powerful tool like unlang cannot
> eliminate the need for an extra module. However, having a significant
> part of the whole job done by unlang this might only need a small python
> or perl module.
Yes. rlm_perl can be used to safely embed perl into pakcet processing, and it
should even be thread-safe, if perl is compiled accordingly.
In your scenario, I guess you would want to use the mangling we talked about
to send the request to the remote RADIUS proxy, and then when its answer
comes back do your out-of-band perl post-processing. The place for this is in
the post-auth { } section. Yes, in post-auth you can turn a Access-Accept
from a remote reply into a reject. Make your rlm_perl module return failure
as return code and you're done.
> Well, even if I just need to use a "update" in configuration files to do
> the job, I need to do it in right the place, I mean request, reply,
> proxy or proxy_reply. candidates for this one (password modification)
> are "request" and "proxy". I wonder if doing it in "proxy" can confuse
> freeradius for doing further process on it.
I'm not sure. All I can say is that I do all my mangling during authorize { },
and it works. pre-proxy might as well, you just have to try it.
> Again. Thanks for your great and helpful suggestions.
Sometimes I'm tempted to kick my butt because I give free consultancy. I
accept Ferraris as gratuity gifts, you know? ;-)
Stefan
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080411/b7c4e310/attachment.pgp>
More information about the Freeradius-Users
mailing list