Using the authenticate function on rlm_python
Francis Augusto Medeiros-Logeay
r_f at med-lo.eu
Fri Nov 15 20:12:41 UTC 2024
> On 15 Nov 2024, at 14:42, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Nov 15, 2024, at 8:17 AM, Francis Augusto Medeiros-Logeay <r_f at med-lo.eu> wrote:
>> Before reading your message, I tried with threads, and it seemed better to handle my specific situation, but I don’t want to do anything that’s non-kosher here. I just thought it was ok to use threads here due to the reference to threading.local() on the documentation.
>
> You can use threads in python, but they won't help. The server has its own thread pool. Each request is processed through one thread at a time, until it finishes. This means that if the Python module calls a blocking API, then it blocks that thread.
>
> Adding more Python pthreads won't help, because the main *FreeRADIUS* thread is blocked.

I see. Thanks for that.

>> That’s the thing: I have the default configuration, which is five servers. But even a second connection doesn’t execute concurrently. If the first hangs, the second still waits. Is there any configuration for the python module to make it more compliant to this?
>
> If you're using the python3 module, it will create one Python interpreter, but will create sub-interpreters for each FreeRADIUS thread. I suspect the issue may be either that the Python API you're using has a global lock, or else you're running into the main Python lock.

It could be, but when I tested concurrency, all I did was a

    import time

    # deliberately never returns, to see whether a second request gets served
    print("Will block now")
    while True:
        time.sleep(5)
        print("waiting")

Just to check if another request would print "Will block now", which it never did. The only way I got that to happen was to fork into another thread before the print.

> So... this is really a Python problem.
>
> TBH, unless the *only* way to interact with that API is through a Python library, you're better off just using the basic server features. We've done many, many, installations, and the only time we need Perl / Python is when we have to use an external API, and the only tools available are Perl / Python.

Maybe this isn’t the only way - it’s just the easiest way for me to do it as I’m not so familiar with other approaches. I need basically to:

- send a request to the REST API to ask if the user will have a push notification or if he’ll use TOTP - that info comes in a JSON
- if it’s TOTP, send an access-challenge and then process the password sent back
- if it’s push, send an API call to the server, poll it to know if the user has replied, and then send a final call to check what was the result of the user’s action.

The third step is blocking, as you see. Do you suggest any other tool/scripting to deal with this?
>
>> What I am trying here is to emulate a bit the behaviour of the NPS radius, which handles push notifications. Those are blocking, so I don’t want to return `OK` before the user has approved the authentication on his mobile.
>
> Exactly. Blocking is the only way to implement this in v3.

I’ll see if I find out what could be blocking my threads.

Best,
Francis
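
The push step described in the message above, as an added example that is not part of the original post and not FreeRADIUS code: a poll loop with a hard deadline that fails closed, so a user who never answers ties up a server thread for a bounded time only. The `check_status` callable, the status strings and the timing values are assumptions standing in for the REST API, which the thread does not name.

```python
import time

APPROVED, DENIED, TIMEOUT = "approved", "denied", "timeout"


def wait_for_push(check_status, timeout_s=25.0, interval_s=1.0,
                  clock=time.monotonic, sleep=time.sleep):
    """Poll until the user answers the push or the deadline passes.

    check_status is a hypothetical callable wrapping the API's poll request;
    it returns "pending", "approved" or "denied" (constructed values).
    timeout_s is an assumed value; keep it below the server's
    max_request_time and below the NAS's own RADIUS timeout.
    """
    deadline = clock() + timeout_s
    while True:
        try:
            status = check_status()
        except Exception:
            return DENIED            # API error: fail closed, never approve
        if status == "approved":
            return APPROVED
        if status != "pending":
            return DENIED            # explicit denial or unexpected answer
        remaining = deadline - clock()
        if remaining <= 0:
            return TIMEOUT           # caller should reject the request
        sleep(min(interval_s, remaining))


def simulate(answers, timeout_s=5.0):
    """Run wait_for_push over scripted poll answers (constructed input),
    with a fake clock so nothing really sleeps."""
    now = [0.0]
    scripted = iter(answers)

    def fake_sleep(seconds):
        now[0] += seconds

    return wait_for_push(lambda: next(scripted, "pending"), timeout_s, 1.0,
                         clock=lambda: now[0], sleep=fake_sleep)


if __name__ == "__main__":
    print(simulate(["pending", "pending", "approved"]))  # user approves
    print(simulate(["pending", "denied"]))               # user denies
    print(simulate([]))                                  # user never answers
```

Inside an rlm_python `authenticate` function only the approved result should map to an accept; denial, timeout and API errors all map to a reject.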