force_check_config - how to use?
William Bulley
web at umich.edu
Wed Jan 19 20:17:12 CET 2011
According to Alan DeKok <aland at deployingradius.com> on Wed, 01/19/11 at 13:57:
>
> I *think* it's something you can add to a module configuration to
> force it to instantiate itself. Normally, when "radiusd -C" is used,
> the SQL module is skipped, because checking the config doesn't mean
> opening 50 sockets to the SQL server. Adding "force_check_config=yes"
> will make modules like SQL instantiate themselves, including opening 50
> sockets to the SQL server.
Thanks. I came across this while trying to debug a gnarly situation with
the mschap module. The configs in modules/mschap include at the end:

    #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
        --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
        --challenge=%{mschap:Challenge:-00}
        --nt-response=%{mschap:NT-Response:-00}"

This was changed by an administrator to --username=%{mschap:User-Name:-None}
except that the leading left brace ("{") was omitted... :-(

The output of radiusd -XC concluded that "Configuration appears to be OK."
when in fact mschap authentications could never recover the User-Name when
ntlm_auth was given --username=%mschap:User-Name:-None} to deal with...

My question: is there any way to parse and check the "value" of the
ntlm_auth variable in the modules/mschap file for valid syntax?

Inside cf_item_parse() in src/main/conffile.c there is a PW_TYPE_STRING_PTR
case of the switch statement. In this case there is the following comment:

    /*
     *  Expand variables which haven't already been
     *  expanded automagically when the configuration
     *  file was read.
     */

It doesn't seem that this ntlm_auth variable was expanded when the config
file was read.

After this comment is an if statement "if (value == dflt)" which, if true,
results in a call to cf_expand_variables() passing the above ntlm_auth
string value as "value". It appears to me that this if statement will
never be true, since the default value for ntlm_auth is NULL, so any
string value (right hand side of ntlm_auth variable) will not be NULL,
nor will the pointers match. And if they did, what is the purpose of
expanding a variable which is NULL? The net result is that the human
error (see typo above) was not discovered while configuration checking
with -XC which gave a false positive indication. Very confusing...
Regards,
web...
--
William Bulley Email: web at umich.edu
72 characters width template ----------------------------------------->|
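
An added example, not part of the original message and not FreeRADIUS code: a standalone lint that checks the brace balance of %{...} and ${...} expansions in double-quoted config values, which flags the missing "{" described above. The function names and sample strings are constructed for illustration; it checks brace balance only, not whether attribute or module names exist.

```python
import re

# Constructed samples: the stock value quoted in the message, and the edited
# --username argument with its leading "{" missing.
GOOD = ('/path/to/ntlm_auth --request-nt-key '
        '--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} '
        '--challenge=%{mschap:Challenge:-00} '
        '--nt-response=%{mschap:NT-Response:-00}')
BAD = GOOD.replace('%{%{Stripped-User-Name}:-%{User-Name:-None}}',
                   '%mschap:User-Name:-None}')

# name = "value" assignments; lines starting with "#" do not match.
ASSIGN = re.compile(r'^[ \t]*([\w-]+)[ \t]*=[ \t]*"((?:[^"\\]|\\.)*)"', re.M)

def check_expansions(value):
    """Return sorted (offset, message) pairs for unbalanced expansions."""
    problems = []
    stack = []                      # offsets of open "%{" or "${"
    i = 0
    while i < len(value):
        two = value[i:i + 2]
        if two in ('%{', '${'):     # start of an expansion
            stack.append(i)
            i += 2
            continue
        if two == '%%':             # literal percent sign
            i += 2
            continue
        if value[i] == '}':
            if stack:
                stack.pop()
            else:
                problems.append((i, 'closing "}" with no matching "%{"'))
        i += 1
    for off in stack:
        problems.append((off, 'expansion opened here is never closed'))
    return sorted(problems)

def check_config_text(text):
    """Check every double-quoted value in config text: {name: problems}."""
    report = {}
    for m in ASSIGN.finditer(text):
        problems = check_expansions(m.group(2))
        if problems:
            report[m.group(1)] = problems
    return report

if __name__ == '__main__':
    for off, msg in check_expansions(BAD):
        print('offset %d: %s: ...%s' % (off, msg, BAD[max(0, off - 24):off + 1]))
```

Run it over the module files before "radiusd -XC" so a dropped brace is reported even when the server's own check says the configuration is OK.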