rlm_exec and 'No such file or directory' error

mark.leese at stfc.ac.uk
Wed Nov 17 19:29:01 CET 2010


Hi,

I'm using FreeRADIUS 2.1.3.

At the end of the authorize section I need to call a Perl script to do some LDAP checking and either set the Auth-Type to Reject (to forcibly reject a user) or leave it set to whatever value FreeRADIUS has previously set (always LDAP).

I used to do this with rlm_perl but it looks like backslashes in the plaintext User-Password attribute cause things to break, and I need a quick fix while I look at what to do about the rlm_perl problem.

I have the exec module enabled in the instantiate section of radiusd.conf and I have the following at the end of the authorize section in the sites-enabled/default file:

    if (control:Auth-Type == LDAP) {
      update control {
        Auth-Type = `%{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}}`
      }
    }


When I run the basic test with debug (-X) turned on I see the following trace:

    [snip]
    radiusd: #### Instantiating modules ####
    Wed Nov 17 17:36:20 2010 : Debug:  instantiate {
    Wed Nov 17 17:36:20 2010 : Debug:     (Loaded rlm_exec, checking if it's valid)
    Wed Nov 17 17:36:20 2010 : Debug:  Module: Linked to module rlm_exec
    Wed Nov 17 17:36:20 2010 : Debug:  Module: Instantiating exec
    Wed Nov 17 17:36:20 2010 : Debug:   exec {
    Wed Nov 17 17:36:20 2010 : Debug:       wait = yes
    Wed Nov 17 17:36:20 2010 : Debug:       input_pairs = "request"
    Wed Nov 17 17:36:20 2010 : Debug:       shell_escape = no
    Wed Nov 17 17:36:20 2010 : Debug:   }

    [snip]
    Wed Nov 17 17:49:21 2010 : Info: ++? if (control:Auth-Type == LDAP)
    Wed Nov 17 17:49:21 2010 : Info: ? Evaluating (control:Auth-Type == LDAP) -> TRUE
    Wed Nov 17 17:49:21 2010 : Info: ++? if (control:Auth-Type == LDAP) -> TRUE
    Wed Nov 17 17:49:21 2010 : Info: ++- entering if (control:Auth-Type == LDAP) {...}
    Wed Nov 17 17:49:21 2010 : Info: Executing /etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}
    Wed Nov 17 17:49:21 2010 : Info:        expand: %{control:Ldap-UserDn} -> CN=bill,OU=Facility Users,DC=foo,DC=ac,DC=uk
    Wed Nov 17 17:49:21 2010 : Info:        expand: %{control:Auth-Type} -> LDAP
    Wed Nov 17 17:49:21 2010 : Debug: Exec-Program output: LDAP
    Wed Nov 17 17:49:21 2010 : Debug: Exec-Program-Wait: plaintext: LDAP
    Wed Nov 17 17:49:21 2010 : Debug: Exec-Program: returned: 0
    Wed Nov 17 17:49:21 2010 : Info: result 0
    Wed Nov 17 17:49:21 2010 : Info:        expand: %{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}} -> LDAP
    Wed Nov 17 17:49:21 2010 : Debug: Exec-Program output: Wed Nov 17 17:49:21 2010 : Error: Exec-Program: FAILED to execute LDAP: No such file or directory
    Wed Nov 17 17:49:21 2010 : Debug: Exec-Program-Wait: plaintext: Wed Nov 17 17:49:21 2010 : Error: Exec-Program: FAILED to execute LDAP: No such file or directory
    Wed Nov 17 17:49:21 2010 : Debug: Exec-Program: returned: 1
    Wed Nov 17 17:49:21 2010 : Info: +++[control] returns invalid
    Wed Nov 17 17:49:21 2010 : Info: ++- if (control:Auth-Type == LDAP) returns invalid
    Wed Nov 17 17:49:21 2010 : Auth: Invalid user: [bill] (from client localNas port 52340 cli AB-CD-EF-00-00-00)


In this case the call to the Perl script (facilityUsers.pl) returns LDAP, but it looks like rlm_exec then tries to execute this result as a command, which fails and then the whole Access-Request message is rejected.

I'm clearly doing something wrong, but I can't see what. Can anyone offer any suggestions?

Thanks in advance,

Mark.

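As an added illustration (not part of the original post): in unlang a value written in backticks is expanded and then executed as a program, so wrapping `%{exec:...}` in backticks runs the script once via the xlat and then tries to run its output ("LDAP") as a second command, which is the "FAILED to execute LDAP" line in the trace. Double quotes expand the string without executing it. The script path and attribute names are the ones from the post; the `:=` operator is the change needed for a Reject result to actually replace the existing Auth-Type.

```unlang
# Form from the post: backticks mean "expand, then execute the result as a
# program". The xlat runs facilityUsers.pl, its stdout ("LDAP") becomes the
# string, and rlm_exec then tries to execute a program called "LDAP".
if (control:Auth-Type == LDAP) {
  update control {
    Auth-Type = `%{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}}`
  }
}

# Corrected form: double quotes only expand the string, so the script runs
# exactly once and its stdout ("LDAP" or "Reject") is the value assigned.
# ":=" is used instead of "=": in an update section "=" only adds the
# attribute when it is not already present, and control:Auth-Type is
# already set to LDAP here (the if condition proves it), so "=" would leave
# a Reject result without effect.
# The trace shows rlm_exec expanding each %{...} argument after splitting
# the command line, so the space in "OU=Facility Users" stays inside one
# argument and needs no extra quoting.
if (control:Auth-Type == LDAP) {
  update control {
    Auth-Type := "%{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}}"
  }
}
```

With this form the debug output should show a single "Executing" line per request and no second Exec-Program attempt; if the script exits non-zero, check its exit status in the "Exec-Program: returned:" line before looking at the value it printed.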