Re: [OpenSIPS-Devel] Misplaced radius error problem

Tue, 26 Jan 2010 08:54:07 -0800 

Hello list,

On Tues, Dec 22, 2009, Michael Schloh von Bennewitz wrote:
>In revision 6377 rad.c from aaa_radius got changed for the better,
>but introduced a new bug as well. The block of code in question
>returns LM_ERR when the call to rc_auth(3) returns anything but
>OK_RC. As you see from radiusclient-ng.h, other values exist:
>
>  /*   Define return codes from "SendServer" utility */
>  #define BADRESP_RC   -2
>  #define ERROR_RC     -1
>  #define OK_RC                0
>  #define TIMEOUT_RC   1
>  #define REJECT_RC    2
>
>The only return values leading to failure (and thus validating
>the LM_ERR choice) are negative. So here's the correction:
>
>Index: modules/aaa_radius/rad.c
>diff -Nau modules/aaa_radius/rad.c.orig modules/aaa_radius/rad.c
>--- modules/aaa_radius/rad.c.orig      2009-12-10 19:57:33.000000000 +0100
>+++ modules/aaa_radius/rad.c   2009-12-22 13:28:05.852461686 +0100
>@@ -273,9 +273,14 @@
>                               return -1;
>                       }
>               }
>-
>-              LM_ERR("rc_auth function failed\n");
>-              return -1;
>+              else if (result == TIMEOUT_RC || result == REJECT_RC) {
>+                      LM_DBG("rc_auth function succeeded with result %d\n", 
>result);
>+                      return result;
>+              }
>+              else /* if (result == ERROR_RC || result == BADRESP_RC) */ {
>+                      LM_ERR("rc_auth function failed with result %d\n", 
>result);
>+                      return -1;
>+              }
>       }
> 
>       if (request->type == AAA_ACCT) {
>
>What it does is correct the false negative condition in which a
>properly functioning OpenSIPS 1.6.1 reports radius errors in the
>log. Without the correction, every call to aaa_is_user_in() for users
>which do not belong to the group in question produces an error in
>the OpenSIPS log. Try it:
>
>    route {                                  # produces an error
>        aaa_is_user_in("From", "suspened");  # for all users not
>    }                                        # in group 'suspended'
>
>I'm assuming that the 'REJECT' returned from a radius server for
>such calls is correct, although I'm not a radius expert.
>
Was this patch rejected? I see that no correction has been made
to the flawed logic in rad.c.

Regards,
Michael

-- 
Michael Schloh von Bennewitz
http://michael.schloh.com/

_______________________________________________
Devel mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/devel

Reply via email to