Exec-Program-Wait not working
Alan DeKok
aland at deployingradius.com
Wed Jun 19 21:34:13 CEST 2019
On Jun 19, 2019, at 2:18 PM, Gianni Costanzi <gianni.costanzi at gmail.com> wrote:
> Hi Alan, the user is accepted by realm Imp proxy, then I force an analysis
> of users file even if the realm authentication succeeds, because there can
> be a user that is authenticated by the realm but must not be accepted by
> radius (you must be accepted by realm imp and be defined in the users file
> in order to have an access accept).
Why not just check the "users" file *before* proxying?
authorize {
    ...
    files
    if (notfound) {
        reject
    }
    ...
}
It's *always* better to reject as soon as possible, instead of accepting the user, and then going "whoops, they were supposed to be rejected!"
If the "users" file isn't well-suited for this, you can use any number of other modules to load users from databases or text files.
> So if realm authentication returns access Accept and I don’t put a default
> access reject for users with realm imp, every user authenticated by realm
> imp would be accepted by radius even without being defined in users file.
See above.
Again, describing the problem *correctly* will let us help you. Giving wrong or incomplete information is a waste of everyone's time.
Right now, you're giving out information in bits and pieces. Stop it.
> When I put the exec-program-wait with := as you suggested the user entry is
> matched but the program is not executed at all, otherwise I would get an
> entry in /var/log/messages.
You'd also get a message in the debug output. Which we recommend reading.
> I gave a look at the echo example but I don’t understand how I should use
> it in the way I was using exec-program-wait in release 2.0
You don't. You can create a module. You can control when modules are called through if / then / else conditions.
You're stuck on implementing a *particular* solution. Which means you're ignoring alternative solutions.
> (where it worked
> even if not placed on the first line as a check condition and was invoked
> correctly).
You've said that already. We understand.
> I need to invoke that program only for some specific users and
> after having received an access accept by realm imp. Then I can return
> access accept to the device that authenticated the user.
See above:
a) reject users BEFORE proxying
b) then run the program for ALL users on Access-Accept
> Hope I have clarified a bit our configuration.
I sincerely hope that this is the last clarification.
Alan DeKok.
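A concrete layout of the two steps recommended in the reply above (reject from the users file before anything is proxied, then run the external program on every Access-Accept), as an added example that is not part of this thread and is not FreeRADIUS's own shipped configuration. It assumes FreeRADIUS 3.x with the stock "suffix" realm module and users file, a realm named imp, a module instance called notify_accept, and a script at /usr/local/bin/notify-accept.sh; the instance name, script path and the sample users entry are placeholders constructed for the example.

```unlang
# mods-available/notify_accept  (added example; instance name and script
# path are placeholders). Enable it with a symlink in mods-enabled/.
# In 3.x the old Exec-Program-Wait users-file attribute no longer exists;
# an exec module instance does the same job and is called from unlang.
exec notify_accept {
    wait = yes
    # shell_escape = yes keeps a user-controlled User-Name from being
    # interpreted by the shell when it is passed as an argument.
    program = "/usr/local/bin/notify-accept.sh %{User-Name}"
    input_pairs = request
    shell_escape = yes
    timeout = 10
    # With wait = yes the script's exit status becomes the module's return
    # code (0 = ok, 1 = reject, 2 = fail, ...). A script that only logs
    # must exit 0, or it turns the Access-Accept into a reject.
}

# users  (constructed entry). Being listed here is what authorises the
# user; the password is checked by realm imp, not locally. With the 3.x
# default files key "%{%{Stripped-User-Name}:-%{User-Name}}" and a
# stripping suffix realm, the entry is matched on "alice", not "alice@imp".
alice
        Reply-Message := "welcome"

# sites-enabled/default  (only the sections relevant to the thread)
authorize {
    preprocess
    # Split alice@imp into Stripped-User-Name / Realm and set
    # Proxy-To-Realm. Nothing is sent to the home server yet; proxying
    # happens only after authorize has finished.
    suffix
    # Step (a): consult the users file before proxying. "files" returns
    # notfound when no entry matches, so an unknown user is rejected here
    # and never reaches realm imp. A DEFAULT entry in users would match
    # everyone and defeat this check, so do not add one.
    files
    if (notfound) {
        reject
    }
    # ... the remaining stock modules (pap, expiration, etc.) go here
}

# Step (b): post-auth runs for the final Access-Accept, including the one
# returned by the home server after proxying, so the script is invoked
# exactly once per accepted user. Rejects take the Post-Auth-Type REJECT
# branch instead and never call notify_accept.
post-auth {
    notify_accept
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Run the server with `radiusd -X` while testing: the debug output shows `files` returning notfound and the reject, or, for a listed user, the proxy exchange followed by `notify_accept` being called from post-auth, which is the message that would be missing if the exec instance were never reached.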