[rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

Charles Gregory cgregory at hwcn.org
Mon Jun 15 19:07:51 CEST 2009

On Mon, 15 Jun 2009, Arran Cudbard-Bell wrote:
> See the thing is a lot of the documentation pitfalls aren't there in 2.*, a 
> lot of the inconsistencies aren't there in 2.*. I know, because I regularly 
> play the dumb user and pester Alan about niggly bits of syntax and 
> documentation.

I try to be a fair person. And I knew that one argument used against me 
would be that the docs had improved since version 1.x, but when I had a 
look I found that this 'basic' element remained essentially unchanged.
Indeed the one change I spotted was that the references to 'exec-program'
had disappeared! But there was nothing more about 'exec' modules. And when 
I checked the documentation for the latest release, neither the users file 
itself nor the documentation for it mentions 'exec'. So I would still
have found no help there.... And the docs for freeradisud.conf remained 
the same.....

Think of it this way. In the French language, when someone turns a light 
on they say "make the light OPEN". They *mean* the same thing, but they 
use a different word. But if you don't *know* that, you can spend a lot of 
time trying to figure out why someone wants to 'open' something that you 
just want to turn 'on'.

Thus it was with my understanding of config files in FreeRADIUS. I came 
from a background where config files only contained constants. Nothing 
dynamic. I had come so far as to realize that we could 'specify' modules 
in the main config file, but presumed that sub files remained lists of 
constant specifications. There was no mention of executable code in the 
users file comments, so I presumed that was just the 'wrong place'.

My bad? Well, yes, BUT I would expect that any expert on RADIUS would have 
long ago encountered this kind of thinking and recognize it for what it 
is. And if they really wanted to help, they'd be sure to say a few 'basic' 
things like "what you are looking for is in the README, not the 
individual files". That was all I was asking for, but instead I get this 
attitude like I failed to take advice.... (sigh)

> I've been following this thread (mostly for its Jerry Springer-esque 
> qualities) and I saw where you stumbled. The documentation in v1 is far 
> from perfect, but if you'd actually read around a bit more then you'd 
> have figured out exactly what was going on.

Actually, I *did* exactly that. My only complaint was that I had to hunt 
at random through files I never imagined containing what I wanted. If 
someone had grasped that I was 'not getting it' they could have just 
pointed me where I needed to go. Not saying they were obliged to do so, 
but I am saying they shouldn't treat their failure to do so with the 
attitude that they did 'enough' to help.

> The *only* place in 1.* where the syntax used in the rlm_exec example 
> exists is in the users file.

Actually, to the uninitiated, that is NOT true. Within the module 
definitions in the radiusd.conf there are numerous 'assignments' of 
values to 'variables' that look remarkably similar to attribute 
assignments. Only once it has been *explained* would I realize that there 
is something special about the users file 'assignments'. And again, I 
point out that the syntax of assigning an executable to an attribute is 
*not* given as an example in the users file. If only it had been, then I 
would have figured it all out without this mess.

But then again, I would also have been using an older technique.

> But you're not a user, you're a sysadmin/developer. It's assumed that 
> you'll have a modicum of initiative.

Certainly. I *did* find my answer on my own. (smile)

This is the stumbling point. I thought I had looked in all the obvious and 
relevant documents. And enough of them were lacking in detail that I don't 
think anyone can fairly say I didn't bother to look for my answer before I 
posted my question. And that's why I get angry when people just say I was 
offered lots of options. No, not really. They were only options for 
someone who (and I know this happens) posts a question without having read 
*any* of the documentation. I had hoped my included syntax sample would 
have demonstrated that I had made progress. :) But really, if no one 
grasped that I was lacking that key concept, then how would they know to 
tell me where to look for what I wanted? So who is to blame there?

> I don't always agree with Alan's way of dealing with users on the list, 
> but I understand why he's the way he is.

I understand it too. I just figure if he wants to be helpful, then he could 
try to understand how he wasn't. Yes, it is mostly *my* shortcoming, but 
when someone like me doesn't *know* he has a shortcoming, just saying 
'read the docs' or 'upgrade to 2.x' does not fix this error. I hope my 
comments lend themselves to increased awareness of ignorance and better 
handling of it.

>>  In all honesty, I don't even know what 'EAP' is.
> Extensible Authentication Protocol, it's the Authentication protocol used in 
> 802.1X (WPA-Enterprise etc...).

Silly me. I had actually read that. Sorry. I tend to forget things that I 
think I won't be likely to use. :)

> If you genuinely want to help other FreeRADIUS v1 users, then you can 
> contact me, or any other wiki admins for an account.

Hmmmm. My first gut reaction is that I "don't know enough", but before
I dismiss this idea, I have to ask what you have in mind.

- Charles
