On Fri, Jun 20, 2003 at 09:30:51AM -0700, Tom Emerson wrote:
> On Friday 20 June 2003 3:53 am, Kostas Kalevras wrote:
> > On Wed, 18 Jun 2003, Roberto Pioli wrote:
> > > when the module counter returns:
> > >
> > > rlm_counter: Entering module authorize code
> > > rlm_counter: Could not find Check item value pair
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > modcall[authorize]: module "counter" returns noop
> > > modcall: group authorize returns ok
> > >
> > > What's the matter?
> >
> > Isn't it obvious?
>
> Actually, it isn't. I ran into this problem when I first started to use this,
> and it was rather annoying because as far as I could tell, I **had** defined
> a check item, so I was totally bewildered by the comment "could not find it".
>
> My line of thinking was that the "counter" module CREATED a variable (i.e.,
> the "counter-name") that later modules could compare against for a pass/fail
> condition test.

Yes, it does this, but only "on demand". It registers a function which
performs a comparison on the counter attribute (say, Daily-Session-Time), and
this function is called on every occurrence of this attribute in *check*
items. In this case you need not even list the counter in the authorize {}
section (only in instantiate {}) - it will be called automatically.

> It took several passes through the documentation to
> understand this is backward: other modules set the "check-name" variable to a
> particular cutoff value, and THEN the counter module performs the comparison.

This is the second way to use it. You supply a *configuration* item (say,
Max-Daily-Session) for this counter somewhere, and list the instance in the
authorize {} section. And being called from there, the counter will search
the config items for the attribute and do its magic if one was found.
Unfortunately, *config* and *check* items are synonyms in freeradius...

> In re-reading the documentation right now, I think I see why I thought that
> AND a possible "impossible situation". The comments read:
>
> # The counter-name can also be used like below:
> #
> # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
> # Reply-Message = "You've used up more than one hour today"
>
> which would appear in the "users" file and/or in an SQL table. The
> implication with this comment is that the counter module has to occur FIRST
> in order to define a value of "daily-session-time" so the comparison can take
> place...

As I said, the counter module defines its value at the very moment of
comparison; moreover, it does the comparison itself.

I hope I'm clear enough :)
To be quite honest about it, I had to dig into the source in my time ;)

--
Fduch M. Pravking
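
The two usages described in this reply, side by side, as an added configuration sketch that is not part of the original message or of the FreeRADIUS distribution. The instance name `daily`, the database filename and the 3600-second limit are assumptions (the limit echoes the comment quoted above); option names are those of the rlm_counter section in radiusd.conf of that era.

```conf
# radiusd.conf (constructed example; instance name "daily" is an assumption)
modules {
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        # Attribute whose comparison the module performs "on demand"
        counter-name = Daily-Session-Time
        # Item the module searches for when called from authorize {}
        check-name = Max-Daily-Session
    }
}

instantiate {
    # Registers the comparison function for Daily-Session-Time at startup
    daily
}

accounting {
    # Accumulates Acct-Session-Time per User-Name into the counter
    daily
}

# Way 1: use the counter attribute itself as a check item.
# "daily" does not have to be listed in authorize {} for this.
# users file:
#
#   DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
#           Reply-Message = "You've used up more than one hour today"

# Way 2: supply the limit as a check/config item and list the instance
# in authorize {}, after the module that sets the limit.
# users file:
#
#   DEFAULT Max-Daily-Session := 3600
#           Fall-Through = 1
authorize {
    # Sets Max-Daily-Session from the users file
    files
    # Finds Max-Daily-Session and compares it with the stored counter.
    # If no such item is present, the debug output is the one quoted
    # above: "Could not find Check item value pair", returns noop.
    daily
}
```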