external auth script

Janis Heller janis.heller at outlook.de
Fri Jul 22 08:45:56 CEST 2016


I’ve done some research nearly the whole night.
From my point of view I only need the authorize{} part. Here’s my entry in the default config file:

authorize {
	update control {
		Auth-Type := exec
	}
}

authenticate {
	exec
}

As soon as I delete the entry from „authenticate“ I get an error saying:

/etc/freeradius/sites-enabled/default[58]: Unknown or invalid value "exec" for attribute Auth-Type
/etc/freeradius/sites-enabled/default[56]: Errors parsing authorize section.

Here’s my PHP script:

<?php
if ($argv[1] == 'testing' && $argv[2] == 'password') 
{
	exit (0);
}
else
	exit(2);
?>

Why did I need to put exec into the authenticate section too? I just want to use RADIUS to send the username & password to my script, and the whole checking process is done by the script.

After I read about „rlm_rest“, building a small web API for validation would be the best idea, I think. Are there some examples of how I include „rlm_rest“ for the authorize section? As I already said, I only need RADIUS to perform checks in the authorize section; other sections (authorization & accounting) can be empty, from my point of view?!

Regards,

janis

> On 22.07.2016 at 00:27, Pshem Kowalczyk <pshem.k at gmail.com> wrote:
> 
> Hi,
> 
> If you really have to use PHP for auth I suggest you run it through a web
> server in a FPM mode and then use rlm_rest to actually query your script.
> Might require slightly more work but will definitely scale much better than
> exec.
> 
> kind regards
> Pshem
> 
> 
> On Fri, 22 Jul 2016 at 10:15 Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> 
>> On Thu, Jul 21, 2016 at 09:25:44PM +0000, Janis Heller wrote:
>>> authorize {
>>>      exec
>>> }
>> 
>> Yes
>> 
>>> #  Authentication.
>>> authenticate {
>>>      exec
>>> }
>> 
>> No
>> 
>> 
>>> <?php
>>> if ($argv[1] == 'testing' && $argv[2] == 'password')
>>> {
>>>      echo "Accept";
>> 
>> That's not what I wrote.
>> 
>> "Auth-Type := Accept"
>> 
>>>      return (0);
>>> }
>>> else
>>>      echo "REJECT";
>> 
>> Similarly,
>> 
>> "Auth-Type := Reject"
>> 
>>> It seems like the returned value of my PHP script is incorrect?
>> 
>> Yes.
>> 
>> You need "output_pairs = config" in your exec config as well, as I
>> previously wrote.
>> 
>> The script output is taken as an attribute list, in the same way
>> as you'd put in the users file, or feed to radclient, or is output
>> from the detail writer. It tells FreeRADIUS what attributes to
>> create, with which values.
>> 
>> 
>> On Thu, Jul 21, 2016 at 09:40:06PM +0000, Janis Heller wrote:
>>> Please I would like to use exec.
>> 
>> Arran is right. Please don't complain here if you get it working,
>> and then find that it stops after a short while because it can't
>> cope with the workload.
>> 
>> exec for auth is a really bad idea.
>> 
>> But he was probably being a bit too kind about PHP.
>> 
>> Matthew
>> 
>> 
>> --
>> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>> 
>> Systems Specialist, Infrastructure Services,
>> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>> 
>> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
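
The output format described in Matthew Newton's quoted reply (an attribute list on stdout, read with output_pairs = config), shown as an added example that is not part of the original thread. The module instance in the comment, its placeholder path, and passing User-Name and User-Password as arguments are assumptions.

```php
<?php
// Added example, not the poster's script. Assumed exec module instance
// (the path and the argument list are placeholders):
//
//   exec {
//       wait = yes
//       program = "/usr/bin/php /path/to/auth.php %{User-Name} %{User-Password}"
//       input_pairs = request
//       output_pairs = config
//   }

// Constructed test credentials, the same values the script above checks.
const TEST_USER = 'testing';
const TEST_PASS = 'password';

/**
 * Return the attribute line for FreeRADIUS to parse.
 * Only fixed strings are returned: stdout is read as an attribute list,
 * so echoing request data back could let a client inject attributes.
 */
function decide(array $args): string
{
    // Expect script name + user + password; anything else is rejected.
    if (count($args) !== 3 || !is_string($args[1]) || !is_string($args[2])) {
        return 'Auth-Type := Reject';
    }
    // hash_equals() is PHP's timing-attack-safe string comparison.
    // Both checks are evaluated before they are combined.
    $userOk = hash_equals(TEST_USER, $args[1]);
    $passOk = hash_equals(TEST_PASS, $args[2]);
    return ($userOk && $passOk) ? 'Auth-Type := Accept' : 'Auth-Type := Reject';
}

echo decide($argv ?? []), "\n";
// Exit 0 in both cases (an assumption of this example): the decision is
// carried by the Auth-Type pair, as in the quoted reply.
exit(0);
```

Arguments passed this way are visible in the process list to other local users; the example keeps the argv interface that the script in the post uses.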
