external auth script
Janis Heller
janis.heller at outlook.de
Fri Jul 22 18:36:13 CEST 2016
It seems like this will run soon, I can feel it.
I use this rest module code right now:
rest check_access_rest {
    connect_timeout = 4.0
    connect_uri = "http://IP"
    authorize {
        uri = "${..connect_uri}/demo?username=%{User-Name}"
        method = 'get'
    }
    authenticate {
    }
    accounting {
    }
    post-auth {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        lifetime = 0
        idle_timeout = 60
    }
}
Debug shows this output:
(0) check_access_rest: EXPAND http://IP
(0) check_access_rest: --> http://IP
(0) check_access_rest: EXPAND /demo?username=%{User-Name}
(0) check_access_rest: --> /demo?username=testing
(0) check_access_rest: Sending HTTP GET to "http://IP/demo?username=testing"
(0) check_access_rest: Processing response header
(0) check_access_rest: Status : 200 (OK)
(0) check_access_rest: Type : json (application/json)
(0) check_access_rest: Parsing attribute "Auth-Type"
(0) check_access_rest: EXPAND Accept
(0) check_access_rest: --> Accept
(0) check_access_rest: Auth-Type := Accept
rlm_rest (check_access_rest): Released connection (0)
rlm_rest (check_access_rest): Need 5 more connections to reach 10 spares
rlm_rest (check_access_rest): Opening additional connection (5), 1 of 27 pending slots used
rlm_rest (check_access_rest): Connecting to "http://IP"
(0) [check_access_rest] = updated
(0) } # authorize = updated
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
I would only like to use the authorize function; as far as I understand the debug output, this process is done correctly.
But it seems like the authenticate process fails. In my default config I’ve placed this:
authorize {
    check_access_rest
}
authenticate {
}
How do I disable the authenticate module so it will not try to start the rest module? It seems to start the module (you can see this in the debug output, it only used the IP address, not the "full path").
Regards,
janis
> On 22.07.2016 at 16:00, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
>
> On Fri, Jul 22, 2016 at 03:27:18PM +0200, Herwin Weststrate wrote:
>> On 22-07-16 15:16, Matthew Newton wrote:
>>> Or install the freeradius-rest package if installed from packages.
>>
>> If that is the case, I would consider it a bug that some package other
>> than freeradius-rest installs mods-available/rest.
>
> Possibly. You can probably argue it two ways.
>
> All the config is in freeradius-config. And that is optional IIRC.
> So you can install all the binary packages, and run with your own
> config, without installing the default config.
>
> If module-specific config was in module packages then you could
> install everything except the -config package, and end up with
> just little bits of config on your system, which is rather messy.
> Especially if you've put your own config in the standard location,
> and installing a module package would then modify your live
> config.
>
> Not sure which is the best way - both seem to have arguments for
> and against. I think personally I slightly lean towards the
> current way, but not entirely sure.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
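
The debug output in the message above, checked mechanically, as an added example that is not part of the original post or of FreeRADIUS: it groups debug lines by request number and flags requests where a module parsed an `Auth-Type` without a list qualifier and the server then rejected with "No Auth-Type found". The sample lines are copied from the post; that an unqualified attribute name does not end up in the control list is an assumption about rlm_rest, not something the post states, and the function names are hypothetical.

```python
import re
# Debug lines copied from the post above (abbreviated).
SAMPLE_DEBUG = """\
(0) check_access_rest: Sending HTTP GET to "http://IP/demo?username=testing"
(0) check_access_rest: Status : 200 (OK)
(0) check_access_rest: Parsing attribute "Auth-Type"
(0) check_access_rest: Auth-Type := Accept
rlm_rest (check_access_rest): Released connection (0)
(0) [check_access_rest] = updated
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
"""

REQ = re.compile(r'^\((\d+)\)\s+(.*)$')                       # "(N) rest of line"
PARSED = re.compile(r'^(\S+): Parsing attribute "([^"]+)"')   # module parsed an attribute
RESULT = re.compile(r'^\[(\S+)\] = (\w+)$')                   # module return code

def analyse(debug_text):
    """Return {request_id: findings} for each numbered request in the debug text."""
    requests = {}
    for line in debug_text.splitlines():
        m = REQ.match(line.strip())
        if not m:
            continue  # connection-pool messages carry no request number
        rid, rest = int(m.group(1)), m.group(2)
        info = requests.setdefault(rid, {"parsed": [], "results": {}, "no_auth_type": False})
        if (p := PARSED.match(rest)):
            module, attr = p.groups()
            list_name, _, name = attr.rpartition(":")  # "control:Auth-Type" -> control
            info["parsed"].append((module, list_name or None, name))
        elif (r := RESULT.match(rest)):
            info["results"][r.group(1)] = r.group(2)
        elif rest.startswith("ERROR: No Auth-Type found"):
            info["no_auth_type"] = True
    return requests

def suspects(requests):
    """Requests rejected for a missing Auth-Type after a module parsed one unqualified."""
    # Assumption: an attribute name without a list prefix is not added to the control list.
    out = []
    for rid, info in sorted(requests.items()):
        unq = [m for m, lst, name in info["parsed"] if name == "Auth-Type" and lst is None]
        if info["no_auth_type"] and unq:
            out.append((rid, unq))
    return out

if __name__ == "__main__":
    for rid, modules in suspects(analyse(SAMPLE_DEBUG)):
        print(f"request {rid}: unqualified Auth-Type from {modules}, then rejected")
```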