external auth script
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Fri Jul 22 10:19:23 CEST 2016
Because in the authorize section you set the Auth-Type to 'exec'.
So FreeRADIUS expects to see an 'exec' authenticate item.
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
jisc.ac.uk
On 22/07/2016, 07:45, "Freeradius-Users on behalf of Janis Heller"
<freeradius-users-bounces+stefan.paetow=jisc.ac.uk at lists.freeradius.org on
behalf of janis.heller at outlook.de> wrote:
>I’ve done some research nearly the whole night.
>From my point of view I only need the authorize{} part. Here’s my entry
>in the default config file:
>
>authorize {
> update control {
> Auth-Type := exec
> }
>}
>
>authenticate {
> exec
>}
>
>As soon as I delete the entry from „authenticate“ I get an error saying:
>
>/etc/freeradius/sites-enabled/default[58]: Unknown or invalid value
>"exec" for attribute Auth-Type
>/etc/freeradius/sites-enabled/default[56]: Errors parsing authorize
>section.
>
>Here’s my PHP script:
>
><?php
>if ($argv[1] == 'testing' && $argv[2] == 'password')
>{
> exit (0);
>}
>else
> exit(2);
>?>
>
>Why did I need to fill exec into the authenticate section too? I just
>want to use radius to send the username & password to my script, and the
>whole checking process is done by the script.
>
>After I read about „rlm_rest“ building a small web API for validation
>would be the best idea I think, are there some examples how I include the
>„rlm_rest“ for authorize section? As I already said, I only need radius
>to perform checks in the authorize section, other sections (authorization
>& accounting) can be empty, from my point of view?!
>
>Regards;
>
>janis
>
>> On 22.07.2016 at 00:27, Pshem Kowalczyk <pshem.k at gmail.com> wrote:
>>
>> Hi,
>>
>> If you really have to use PHP for auth I suggest you run it through a
>> web server in a FPM mode and then use rlm_rest to actually query your
>> script. Might require slightly more work but will definitely scale much
>> better than exec.
>>
>> kind regards
>> Pshem
>>
>>
>> On Fri, 22 Jul 2016 at 10:15 Matthew Newton <mcn4 at leicester.ac.uk> wrote:
>>
>>> On Thu, Jul 21, 2016 at 09:25:44PM +0000, Janis Heller wrote:
>>>> authorize {
>>>> exec
>>>> }
>>>
>>> Yes
>>>
>>>> # Authentication.
>>>> authenticate {
>>>> exec
>>>> }
>>>
>>> No
>>>
>>>
>>>> <?php
>>>> if ($argv[1] == 'testing' && $argv[2] == 'password')
>>>> {
>>>> echo "Accept";
>>>
>>> That's not what I wrote.
>>>
>>> "Auth-Type := Accept"
>>>
>>>> return (0);
>>>> }
>>>> else
>>>> echo "REJECT";
>>>
>>> Similarly,
>>>
>>> "Auth-Type := Reject"
>>>
>>>> It seems like the returned value of my PHP script is incorrect?
>>>
>>> Yes.
>>>
>>> You need "output_pairs = config" in your exec config as well, as I
>>> previously wrote.
>>>
>>> The script output is taken as an attribute list, in the same way
>>> as you'd put in the users file, or feed to radclient, or is output
>>> from the detail writer. It tells FreeRADIUS what attributes to
>>> create, with which values.
>>>
>>>
>>> On Thu, Jul 21, 2016 at 09:40:06PM +0000, Janis Heller wrote:
>>>> Please I would like to use exec.
>>>
>>> Arran is right. Please don't complain here if you get it working,
>>> and then find that it stops after a short while because it can't
>>> cope with the workload.
>>>
>>> exec for auth is a really bad idea.
>>>
>>> But he was probably being a bit too kind about PHP.
>>>
>>> Matthew
>>>
>>>
>>> --
>>> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>>>
>>> Systems Specialist, Infrastructure Services,
>>> I.T. Services, University of Leicester, Leicester LE1 7RH,
>>> United Kingdom
>>>
>>> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
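The arrangement described in the quoted replies (exec called from authorize only, the script printing an attribute list that lands in the control list via "output_pairs = config"), as an added example that is not code from any poster in this thread. The instance name, script path and the USER_NAME / USER_PASSWORD environment variables are assumptions; the single account is the constructed test credential used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Meant to be run by an rlm_exec
# instance listed in authorize{}, configured along these lines:
#
#   exec auth_script {                  # instance name is hypothetical
#       wait = yes                      # wait so the output can be read
#       program = "/usr/local/bin/radius-auth.sh"   # hypothetical path
#       input_pairs = request
#       output_pairs = config           # as stated in the thread
#   }
#
# Assumption: request attributes arrive as environment variables
# (USER_NAME, USER_PASSWORD) and string values may be double-quoted.

# Remove one pair of surrounding double quotes, if present.
strip_quotes() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# Constructed credential store: the one test account used in the thread.
lookup_password() {
    case $1 in
        testing) printf '%s' 'password' ;;
        *) return 1 ;;
    esac
}

# Print the control attribute FreeRADIUS should create for this request.
decide() {
    user=$(strip_quotes "$1")
    pass=$(strip_quotes "$2")
    # Refuse empty values before any lookup.
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo 'Auth-Type := Reject'; return 0
    fi
    if expected=$(lookup_password "$user") && [ "$pass" = "$expected" ]; then
        echo 'Auth-Type := Accept'
    else
        echo 'Auth-Type := Reject'
    fi
}

decide "${USER_NAME:-}" "${USER_PASSWORD:-}"
```

Reading the credentials from the environment instead of argv keeps the password out of the process list.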