On Mon, Jul 28, 2003 at 02:02:22PM -0400, Alan DeKok wrote:
> > Dear developers, how about customizable messages? Something like
> > this in radiusd.conf:
> >
> > messages {
> > multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
> > timespan_violation = "You are calling outside allowed timespan\r\n"
> > ...
> >}
>
> Sure.
Almost done.
I could get rid of radius_xlat calls, if the "user_msg == NULL" check is
removed around the following block (auth.c, lines 850-865):
/*
* Filter (possibly multiple) Reply-Message attributes
* through radius_xlat, modifying them in place.
*/
if (user_msg == NULL) {
reply_item = pairfind(request->reply->vps, PW_REPLY_MESSAGE);
while (reply_item) {
radius_xlat(buf, sizeof(reply_item->strvalue),
(char *)reply_item->strvalue, request, NULL);
strNcpy((char *)reply_item->strvalue, buf,
sizeof(reply_item->strvalue));
reply_item->length = strlen((char *)reply_item->strvalue);
user_msg = NULL;
reply_item = pairfind(reply_item->next, PW_REPLY_MESSAGE);
}
}
There's no more need for it, I think.
Also, the mentioned xlat.c patch should be applied too to allow
expansion of %{check:...} attributes.
Local tests are OK.
--
Fduch M. Pravking
Index: src/include/radiusd.h
===================================================================
RCS file: /source/radiusd/src/include/radiusd.h,v
retrieving revision 1.140
diff -u -p -r1.140 radiusd.h
--- src/include/radiusd.h 23 Jul 2003 19:50:38 -0000 1.140
+++ src/include/radiusd.h 29 Jul 2003 21:28:42 -0000
@@ -172,6 +172,15 @@ typedef struct main_config_t {
REALM *realms;
} MAIN_CONFIG_T;
+typedef struct messages_config_t {
+ const char *expiration;
+ const char *double_login;
+ const char *multiple_login;
+ const char *timespan_violation;
+ const char *exec_failure;
+ const char *auth_failure;
+} MESSAGE_CONFIG_T;
+
#define DEBUG if(debug_flag)log_debug
#define DEBUG2 if (debug_flag > 1)log_debug
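Review bot: The typedef name `MESSAGE_CONFIG_T` does not match its struct tag `messages_config_t`, whereas the neighbouring `main_config_t` / `MAIN_CONFIG_T` pair does; `} MESSAGES_CONFIG_T;` would keep the convention. The fields also carry no comment, so the header does not say that each string is a template later passed to radius_xlat. A one-line comment above the struct, such as `/* Reply-Message templates, expanded with radius_xlat() before use */`, would cover it.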
@@ -364,6 +373,7 @@ extern int total_active_threads
/* mainconfig.h */
/* Define a global config structure */
extern struct main_config_t mainconfig;
+extern struct messages_config_t server_messages;
int read_mainconfig(int reload);
int free_mainconfig(void);
Index: src/main/mainconfig.c
===================================================================
RCS file: /source/radiusd/src/main/mainconfig.c,v
retrieving revision 1.21
diff -u -p -r1.21 mainconfig.c
--- src/main/mainconfig.c 22 Jul 2003 18:16:23 -0000 1.21
+++ src/main/mainconfig.c 29 Jul 2003 21:30:39 -0000
@@ -45,6 +45,7 @@
struct main_config_t mainconfig;
+struct messages_config_t server_messages;
/*
* Local variables for stuff.
@@ -83,6 +84,25 @@ static CONF_PARSER security_config[] = {
};
/*
+ * A list of global messages sent back in certain cases
+ */
+static CONF_PARSER messages_config[] = {
+ { "expiration", PW_TYPE_STRING_PTR, 0, &server_messages.expiration,
+ "Password Has Expired\r\n" },
+ { "double_login", PW_TYPE_STRING_PTR, 0, &server_messages.double_login,
+ "\r\nYou are already logged in - access denied\r\n" },
+ { "multiple_login", PW_TYPE_STRING_PTR, 0, &server_messages.multiple_login,
+ "\r\nYou are already logged in %{check:Simultaneous-Use} times - access
denied\r\n" },
+ { "timespan_violation", PW_TYPE_STRING_PTR, 0,
&server_messages.timespan_violation,
+ "You are calling outside your allowed timespan\r\n" },
+ { "exec_failure", PW_TYPE_STRING_PTR, 0, &server_messages.exec_failure,
+ "\r\nAccess denied (external check failed).\r\n" },
+ { "auth_failure", PW_TYPE_STRING_PTR, 0, &server_messages.auth_failure,
+ "" },
+ { NULL, -1, 0, NULL, NULL }
+};
+
+/*
* A mapping of configuration file names to internal variables
*/
static CONF_PARSER server_config[] = {
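Review bot: The defaults in `messages_config` are not the same bytes as the literals this patch removes from auth.c. The two login messages there end in `\r\n\n` while `double_login` and `multiple_login` here end in `\r\n`, and the old external-check text had no trailing line break while `exec_failure` now ends in `\r\n`. If the change is intended, the comment above the table should say so; otherwise the defaults should match the old strings so an unconfigured server replies as before. The comment could also state how the values are used, e.g. `/* Reply-Message templates; expanded per request with radius_xlat() */`. The `server_config` array opened on the last context line continues outside the hunk.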
@@ -126,6 +146,7 @@ static CONF_PARSER server_config[] = {
{ "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
{ "proxy", PW_TYPE_SUBSECTION, 0, proxy_config, NULL },
{ "security", PW_TYPE_SUBSECTION, 0, security_config, NULL },
+ { "messages", PW_TYPE_SUBSECTION, 0, messages_config, NULL },
{ "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
{ NULL, -1, 0, NULL, NULL }
};
Index: src/main/auth.c
===================================================================
RCS file: /source/radiusd/src/main/auth.c,v
retrieving revision 1.127
diff -u -p -r1.127 auth.c
--- src/main/auth.c 24 Jun 2003 14:22:19 -0000 1.127
+++ src/main/auth.c 29 Jul 2003 21:31:08 -0000
@@ -66,6 +66,7 @@ char *auth_name(char *buf, size_t buflen
static int check_expiration(REQUEST *request)
{
int result;
+ char umsg[MAX_STRING_LEN + 1];
VALUE_PAIR *check_item = request->config_items;
result = 0;
@@ -86,9 +87,9 @@ static int check_expiration(REQUEST *req
VALUE_PAIR *vp;
result = -1;
- vp = pairmake("Reply-Message",
- "Password Has Expired\r\n",
- T_OP_ADD);
+ radius_xlat(umsg, sizeof(umsg),
server_messages.expiration,
+ request, NULL);
+ vp = pairmake("Reply-Message", umsg, T_OP_ADD);
pairfree(&request->reply->vps);
request->reply->vps = vp;
break;
@@ -568,9 +569,14 @@ autz_redo:
* wants to send back.
*/
if (result < 0) {
+ VALUE_PAIR *vp;
DEBUG2("auth: Failed to validate the user.");
request->reply->code = PW_AUTHENTICATION_REJECT;
+ radius_xlat(umsg, sizeof(umsg), server_messages.auth_failure, request,
NULL);
+ vp = pairmake("Reply-Message", umsg, T_OP_ADD);
+ pairadd(&request->reply->vps, vp);
+
if ((module_msg =
pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE)) != NULL){
char msg[MAX_STRING_LEN+19];
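Review bot: With the default `auth_failure = ""`, the added lines still build a Reply-Message from the empty expansion and appear to append it to every reject, which does not match the "by default, authentication failure is silent" comment in radiusd.conf.in. Guarding on the expanded text avoids the empty attribute: wrap the `pairmake`/`pairadd` pair in `if (umsg[0] != '\0') {`. The result of `pairmake` is also handed to `pairadd` without a NULL check; whether `pairadd` tolerates NULL is not visible here. The enclosing function starts and ends outside the hunk.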
@@ -626,13 +632,11 @@ autz_redo:
}
if (!mpp_ok){
if (check_item->lvalue > 1) {
- snprintf(umsg, sizeof(umsg),
- "\r\nYou are already logged in
%d times - access denied\r\n\n",
- (int)check_item->lvalue);
- user_msg = umsg;
+ user_msg = server_messages.multiple_login;
} else {
- user_msg = "\r\nYou are already logged in -
access denied\r\n\n";
+ user_msg = server_messages.double_login;
}
+ radius_xlat(umsg, sizeof(umsg), user_msg, request,
NULL);
request->reply->code = PW_AUTHENTICATION_REJECT;
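Review bot: The count in the multiple-login message used to come straight from `check_item->lvalue`; it now depends on the template expanding `%{check:Simultaneous-Use}`, which according to the mail needs a separate xlat.c patch that is not part of this diff. Without that patch the default reply would presumably lose the number. The two changes should land together, or this branch should record the dependency, e.g. `/* needs %{check:...} support in xlat.c */`. The function body continues outside the hunk.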
@@ -641,7 +645,7 @@ autz_redo:
* Remove ALL reply attributes.
*/
pairfree(&request->reply->vps);
- tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
+ tmp = pairmake("Reply-Message", umsg, T_OP_SET);
request->reply->vps = tmp;
snprintf(logstr, sizeof(logstr), "Multiple logins (max
%d) %s",
@@ -673,12 +677,13 @@ autz_redo:
* User called outside allowed time interval.
*/
result = -1;
- user_msg = "You are calling outside your allowed timespan\r\n";
+ radius_xlat(umsg, sizeof(umsg),
+ server_messages.timespan_violation, request, NULL);
request->reply->code = PW_AUTHENTICATION_REJECT;
pairfree(&request->reply->vps);
- tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
+ tmp = pairmake("Reply-Message", umsg, T_OP_SET);
request->reply->vps = tmp;
snprintf(logstr, sizeof(logstr), "Outside allowed timespan
(time allowed %s)",
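Review bot: `user_msg` is no longer assigned on this path, nor in the external-check hunk at -805, so it keeps whatever value it had before, possibly NULL. If control can still reach the `if (user_msg == NULL)` Reply-Message filter quoted in the mail, the already expanded text would go through radius_xlat a second time. Any `%{...}` sequence that came from a request attribute or from program output would then be interpreted as template syntax. Whether these paths return before that block is not visible in the hunk. Keeping `user_msg = umsg;` after the radius_xlat call preserves the old guard.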
@@ -805,13 +810,12 @@ autz_redo:
* had a non-zero exit status.
*/
if (umsg[0] == '\0') {
- user_msg = "\r\nAccess denied (external check
failed).";
- } else {
- user_msg = &umsg[0];
+ radius_xlat(umsg, sizeof(umsg),
+ server_messages.exec_failure, request, NULL);
}
request->reply->code = PW_AUTHENTICATION_REJECT;
- tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
+ tmp = pairmake("Reply-Message", umsg, T_OP_SET);
pairadd(&request->reply->vps, tmp);
rad_authlog("Login incorrect (external check failed)",
Index: raddb/radiusd.conf.in
===================================================================
RCS file: /source/radiusd/raddb/radiusd.conf.in,v
retrieving revision 1.148
diff -u -p -r1.148 radiusd.conf.in
--- raddb/radiusd.conf.in 24 Jun 2003 12:54:05 -0000 1.148
+++ raddb/radiusd.conf.in 29 Jul 2003 21:28:11 -0000
@@ -1562,3 +1562,24 @@ post-proxy {
#
eap
}
+
+
+#
+# Reply-Message's which are sent back to the NAS in Access-Reject pachet
+# in certain cases
+#
+messages {
+ expiration = "Password Has Expired\r\n"
+ #expiration = "Your password expired since %{check:Expiration}\r\n"
+
+ double_login = "\r\nYou are already logged in - access denied\r\n"
+ multiple_login = "\r\nYou are already logged in %{check:Simultaneous-Use}
times - access denied\r\n"
+ timespan_violation = "You are calling outside your allowed timespan\r\n"
+ #timespan_violation = "Your allowed timespan is %{check:Login-Time}"
+
+ exec_failure = "\r\nAccess denied (external check failed).\r\n"
+
+ # by default, authentication failure is silent
+ auth_failure = ""
+ #auth_failure = "Authentication failure. Check your password\r\n"
+}
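Review bot: The section comment has a typo, `pachet` should read `packet`, and it does not tell the operator that these strings are returned to clients whose authentication was rejected. The commented examples expand check items such as `%{check:Expiration}` and `%{check:Login-Time}` into that reply. The comment should therefore advise keeping secret values out of these templates, for instance `# Values are sent to unauthenticated clients; do not reference secret attributes.`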