post-auth bash script
Alan DeKok
aland at deployingradius.com
Mon Jan 13 16:30:26 CET 2014
Jean Carlos Coelho wrote:
> My bash script returns (echo) the values 8 for "valid dates" and 1
> (reject) for "out range dates", right? But the control are always "ok" and
> even if I change the "if" statement to any other value.. Than 8 or 1 are
> always "OK"
>
> Mon Jan 13 10:53:48 2014 : Debug: Exec-Program output: 8
> Mon Jan 13 10:53:48 2014 : Debug: Exec-Program-Wait: plaintext: 8
> Mon Jan 13 10:53:48 2014 : Debug: Exec-Program: returned: 0
Your config says:
  update control {
      Auth-Type == "%{exec:/etc/freeradius/externals/check_date.sh '%{User-Name}'}"
      Fall-Through = No
  }
Don't do that. You've got that completely wrong:
- setting Auth-Type is almost always wrong. Don't do it.
- you use "==" instead of "=" or ":=" in an "update" section.
This is wrong. See "man unlang"
- you use "Fall-Through" in an "update" section. This is completely
useless. Fall-Through is only for the "users" file and the SQL
radreply tables.
Your configuration is completely wrong. Most of it should be deleted,
and replaced with a working one.
> What I am trying to do is:
>
> Check user password and group in LDAP
You can do this in the default configuration with LDAP.
> Verify the expire date at LDAP
You can write an LDAP query to do this.
> Reject or allow the user based with this result.
You need to do this in addition to checking their password in ldap.
Something like this may work:
  authorize {
      ...
      ldap
      if (ok) {
          if ("%{ldap: ...}" == ...) {
              reject
          }
      }
      ...
  }
Write an LDAP query that will return OK / fail for the date check.
Put it into the "if" statement above.
Alan DeKok.