Conditional only returns False
Bruno de Paula Larini
bruno.larini at riosoft.com.br
Wed Jul 16 20:44:42 CEST 2014
Hi, I'm trying to do an additional check for users in an Active Directory
domain using information stored in a MySQL database. I'm using PEAP to
check the users' credentials in the domain, and that is working fine. The
FreeRADIUS version is 2.1.12 on CentOS 6.
But when I add the following code after ntdomain in the file
raddb/sites-enabled/inner-tunnel (I need the Stripped-User-Name), the
check returns False even though the script output apparently matches the
conditional.
ntdomain
if ("%{exec:/etc/raddb/scripts/user_check.py %{Stripped-User-Name}}" == "Accept") {
    update control {
        Auth-Type := "Accept"
    }
}
else {
    update control {
        Auth-Type := "Reject"
    }
}
Running the script manually with one argument shows the expected output.
This is the output of radiusd -X
...
[ntdomain] Looking up realm "NTDOMAIN" for User-Name =
"NTDOMAIN\daniel.carrington"
[ntdomain] Found realm "NTDOMAIN"
[ntdomain] Adding Stripped-User-Name = "daniel.carrington"
[ntdomain] Adding Realm = "NTDOMAIN"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++? if ("%{exec:/etc/raddb/scripts/user_check.py %{Stripped-User-Name}}"
== "Accept")
Executing /etc/raddb/scripts/user_check.py %{Stripped-User-Name}
expand: %{Stripped-User-Name} -> daniel.carrington
Exec-Program output: Accept
Exec-Program-Wait: plaintext: Accept
Exec-Program: returned: 0
result 0
expand: %{exec:/etc/raddb/scripts/user_check.py
%{Stripped-User-Name}} -> Accept
? Evaluating ("%{exec:/etc/raddb/scripts/user_check.py
%{Stripped-User-Name}}" == "Accept") -> FALSE
++? if ("%{exec:/etc/raddb/scripts/user_check.py %{Stripped-User-Name}}"
== "Accept") -> FALSE
++- entering else else {...}
+++[control] returns ok
++- else else returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
[eap] WARNING: Auth-Type already set. Not setting to EAP
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
...
And this is the content of raddb/modules/exec:
exec {
    wait = yes
    input_pairs = request
    shell_escape = yes
    output = none
}
Is there something wrong with this setup?
Thanks in advance!
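As an added illustration (not the poster's script, which is not shown in the thread), here is one way to write a user_check.py with the contract the conditional above expects: it takes one argument (the Stripped-User-Name), decides from a database lookup, and writes exactly "Accept" or "Reject" on stdout. The MySQL table is replaced by a constructed in-memory SQLite table so the example runs offline; the table name, column names and sample rows are assumptions. Because the account name arrives from an authentication request, the script validates it against a tight allow-list before the query and binds it as a parameter rather than interpolating it into SQL.

```python
#!/usr/bin/env python
"""Illustrative user_check.py (added example, not from the original post).

Assumptions: FreeRADIUS runs this with one argument (the Stripped-User-Name)
and compares its stdout against "Accept". The MySQL lookup described in the
post is stood in for by an in-memory SQLite table with constructed rows.
"""
import re
import sqlite3
import sys

# Allow-list for the account name: sAMAccountName-style characters only, so
# nothing resembling a shell or SQL metacharacter ever reaches the query.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def make_demo_db():
    """Constructed sample data standing in for the MySQL table (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE allowed_users (username TEXT PRIMARY KEY, enabled INTEGER)"
    )
    conn.executemany(
        "INSERT INTO allowed_users VALUES (?, ?)",
        [("daniel.carrington", 1), ("jane.doe", 0)],
    )
    return conn


def is_allowed(conn, username):
    """Parameterised lookup: the username is bound, never spliced into the SQL text."""
    row = conn.execute(
        "SELECT enabled FROM allowed_users WHERE username = ?", (username,)
    ).fetchone()
    return bool(row and row[0] == 1)


def decide(conn, username):
    """Return exactly 'Accept' or 'Reject'; anything malformed is rejected first."""
    if username is None or not USERNAME_RE.match(username):
        return "Reject"
    return "Accept" if is_allowed(conn, username) else "Reject"


def main(argv):
    username = argv[1] if len(argv) > 1 else None
    result = decide(make_demo_db(), username)
    # Emit the bare decision token and nothing else: the unlang condition
    # compares the expanded string literally.
    print(result)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `/etc/raddb/scripts/user_check.py daniel.carrington` it prints Accept; a disabled, unknown or malformed name prints Reject. Keeping the allow-list check in front of the query means a bad argument fails closed even if the database is unreachable or the query is later changed.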