How do I get every userid passed to an rlm_python module

Alan DeKok aland at
Wed Feb 10 16:13:59 CET 2016

On Feb 10, 2016, at 10:04 AM, Jim Whitescarver <jimscarver at> wrote:
> There is no password checking ever.  The password field will be used for a
> device name for out-of band device and biometric authentication done from
> python.

  From the point of view of the protocols involved, your module gets passed a User-Name and User-Password, and the module returns success/fail.

> I've tried using
> authorize {
>        python
>        update control {
>                Auth-Type := example
>        }
> }
> and
> authenticate {authenticate {

  I'm presuming that's a typo.

>        Auth-Type example {
>                python
>        }
> }
> but I cannot get past authorize.  I want authorize to always succeed!

  It will if you use the above configuration.  There's no magic.  Setting Auth-Type in "authorize" means that the give Auth-Type will be used in "authenticate".

> In I have tried
>  return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),))
>  return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'example'),))

  Those won't work.  You've got to update one of the attribute lists.

>  return radiusd.RLM_MODULE_OK
> plus a few variation of
>  reply = ( ('Reply-Message', 'Hello from rlm_python'), )
>  config = ( ('Auth-Type', 'python'), )
>  return (radiusd.RLM_MODULE_OK, reply, config)

  That won't work either.

  The module configuration is available in the "config" variable.  You can write to it, but the writes will be discarded.

  From a quick look at the code, you can only set the "reply" tuple.  So what you want can't be done with python.

  Just write some "unlang" to check for the conditions in "authorize", and set "Auth-Type := python".  Your python script can run, and just return RLM_MODULE_OK, or RLM_MODULE_FAIL.

  Alan DeKok.

More information about the Freeradius-Users mailing list