rlm_exec and 'No such file or directory' error
mark.leese at stfc.ac.uk
Wed Nov 17 19:29:01 CET 2010
Hi,
I'm using FreeRADIUS 2.1.3.
At the end of the authorize section I need to call a Perl script to do some LDAP checking and either set the Auth-Type to Reject (to forcibly reject a user) or leave it set to whatever value FreeRADIUS has previously set (always LDAP).
I used to do this with rlm_perl, but it looks like backslashes in the plaintext User-Password attribute cause things to break, and I need a quick fix while I look at what to do about the rlm_perl problem.
I have the exec module enabled in the instantiate section of radiusd.conf and I have the following at the end of the authorize section in the sites-enabled/default file:
if (control:Auth-Type == LDAP) {
    update control {
        Auth-Type = `%{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}}`
    }
}
When I run the basic test with debug (-X) turned on I see the following trace:
[snip]
radiusd: #### Instantiating modules ####
Wed Nov 17 17:36:20 2010 : Debug: instantiate {
Wed Nov 17 17:36:20 2010 : Debug: (Loaded rlm_exec, checking if it's valid)
Wed Nov 17 17:36:20 2010 : Debug: Module: Linked to module rlm_exec
Wed Nov 17 17:36:20 2010 : Debug: Module: Instantiating exec
Wed Nov 17 17:36:20 2010 : Debug: exec {
Wed Nov 17 17:36:20 2010 : Debug: wait = yes
Wed Nov 17 17:36:20 2010 : Debug: input_pairs = "request"
Wed Nov 17 17:36:20 2010 : Debug: shell_escape = no
Wed Nov 17 17:36:20 2010 : Debug: }
[snip]
Wed Nov 17 17:49:21 2010 : Info: ++? if (control:Auth-Type == LDAP)
Wed Nov 17 17:49:21 2010 : Info: ? Evaluating (control:Auth-Type == LDAP) -> TRUE
Wed Nov 17 17:49:21 2010 : Info: ++? if (control:Auth-Type == LDAP) -> TRUE
Wed Nov 17 17:49:21 2010 : Info: ++- entering if (control:Auth-Type == LDAP) {...}
Wed Nov 17 17:49:21 2010 : Info: Executing /etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}
Wed Nov 17 17:49:21 2010 : Info: expand: %{control:Ldap-UserDn} -> CN=bill,OU=Facility Users,DC=foo,DC=ac,DC=uk
Wed Nov 17 17:49:21 2010 : Info: expand: %{control:Auth-Type} -> LDAP
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program output: LDAP
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program-Wait: plaintext: LDAP
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program: returned: 0
Wed Nov 17 17:49:21 2010 : Info: result 0
Wed Nov 17 17:49:21 2010 : Info: expand: %{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}} -> LDAP
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program output: Wed Nov 17 17:49:21 2010 : Error: Exec-Program: FAILED to execute LDAP: No such file or directory
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program-Wait: plaintext: Wed Nov 17 17:49:21 2010 : Error: Exec-Program: FAILED to execute LDAP: No such file or directory
Wed Nov 17 17:49:21 2010 : Debug: Exec-Program: returned: 1
Wed Nov 17 17:49:21 2010 : Info: +++[control] returns invalid
Wed Nov 17 17:49:21 2010 : Info: ++- if (control:Auth-Type == LDAP) returns invalid
Wed Nov 17 17:49:21 2010 : Auth: Invalid user: [bill] (from client localNas port 52340 cli AB-CD-EF-00-00-00)
In this case the call to the Perl script (facilityUsers.pl) returns LDAP, but it looks like rlm_exec then tries to execute this result as a command, which fails and then the whole Access-Request message is rejected.
I'm clearly doing something wrong, but I can't see what. Can anyone offer any suggestions?
Thanks in advance,
Mark.
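The following is an added example, not part of the original post or of the FreeRADIUS project files. It shows the unlang quoting distinction that the trace above illustrates: a value in backticks is expanded and the result is then executed as a program, so the script's output ("LDAP") is run as a second command; a value in double quotes is only expanded. The script path and attribute names are taken from the post; the rest of the policy block is assumed for illustration.

```unlang
# Added example (not from the original post). Compares the backtick form,
# which executes the script's output as a command, with the double-quoted
# form, which assigns the script's output to the attribute.
if (control:Auth-Type == LDAP) {
    update control {
        # Problem form: the expansion yields "LDAP", and the backticks then
        # try to execute "LDAP" as a program, as seen in the -X trace.
        # Auth-Type = `%{exec:/etc/raddb/facilityUsers.pl %{control:Ldap-UserDn} %{control:Auth-Type}}`

        # Corrected form: %{exec:...} already runs the script; its stdout
        # becomes the attribute value. A non-zero exit status still makes
        # the update fail, so the script should exit 0 on success.
        Auth-Type = "%{exec:/etc/raddb/facilityUsers.pl \"%{control:Ldap-UserDn}\" %{control:Auth-Type}}"
    }
}
```

The DN in the trace contains a space ("OU=Facility Users"), so the example quotes that argument; whether the script receives it as one argument should be confirmed in the `-X` output (the quoting is an assumption about the argument splitting rlm_exec applies, not something the post verifies). The exit status is the other half of the contract: the trace shows `returned: 1` turning into `returns invalid`, so the script should print only the intended Auth-Type value and exit 0 unless the user is meant to be rejected.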