custom auth script just for pap

Alan DeKok aland at deployingradius.com
Fri Nov 16 15:40:18 CET 2018


On Nov 16, 2018, at 9:19 AM, Christian Salway via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I don't want to come across ungrateful. You and the team are doing a fantastic job at looking after FreeRADIUS and no, I'm not expecting documentation on "how to implement Christian Salway's configuration" (although that would be awesome if I could put a request in).

  The problem is when you say "there is no documentation saying how to do what I want", that really comes across as "how to implement Christian Salway's configuration".

> I know there is an exec module. I used it to add AD Groups to a Reply in the Class field
> 
> post-auth {
> 
> foreach &reply:memberOf {
>  	    update {
>  	        &reply:Class += "%{exec:/etc/raddb/extract-ad-group.sh %{Foreach-Variable-0}}"

  That's not an "exec" module.  That's a dynamic expansion.

> But this exec is inside quotes. What you have explained sounds like it can go out of quotes, which I doubt since exec can also stand on its own.
> 
> authorize {
> if (User-Name) {
>   exec: "/path/to/file '%{User-Name}' '%{User-Password}'" <-- I'm guessing this is meant to return an exit code that means Accept/Reject

   Nothing in the documentation says that this kind of thing is possible.  The "man unlang" documentation is very clear on the format of the configuration files.  The hundreds of examples show nothing like what you're doing here.

  You can't just *invent* syntax and expect it to work.

> There is nowhere I could find in the docs or examples that gives this format.

  Because it isn't allowed.  The documentation should be VERY clear on what is allowed.

  This shouldn't be difficult.  When I say "use the exec module", you should already understand what a "module" is, and where it's configured.  The documentation makes this abundantly clear.

  See the "mods-available" directory.  And perhaps unsurprisingly, there's a file called "exec".  Which describes what the "exec" module is, and how to use it.

  This is really a major problem.  If you've read the docs and still aren't clear what a "module" is, or where the module configuration lives, then that's a problem which is difficult for me to solve.

  Alan DeKok.
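
Added example, not part of the original message and not the project's shipped configuration: a sketch of what "use the exec module" can look like for a PAP check, with the module instance defined in its own file and then called by name. It assumes a FreeRADIUS v3 layout; the instance name `custom_pap` is hypothetical, and `/path/to/file` is the placeholder path from the quoted question.

```conf
# Added example. Assumes FreeRADIUS v3; "custom_pap" is a hypothetical name.

# --- mods-available/custom_pap (symlinked into mods-enabled/) ---
exec custom_pap {
	# Wait for the program so its exit status decides the result:
	# 0 means success, 1 means reject.
	wait = yes

	# Placeholder path from the thread. The password is deliberately not
	# put on the command line, where it would show up in the process list.
	program = "/path/to/file"

	# Request attributes are handed to the program in its environment.
	input_pairs = request

	# With this set, names are upper-cased with dashes turned into
	# underscores (USER_NAME, USER_PASSWORD) and values are double-quoted,
	# so the script must strip the surrounding quotes before comparing.
	shell_escape = yes

	# Maximum time in seconds to wait for the program.
	timeout = 10
}

# --- sites-available/default ---
authorize {
	# Only PAP requests carry User-Password.
	if (&User-Password) {
		update control {
			&Auth-Type := custom_pap
		}
	}
}

authenticate {
	# A module is called by its instance name on a line of its own,
	# not with "exec: ..." syntax.
	Auth-Type custom_pap {
		custom_pap
	}
}
```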



