----- Original Message ----- 
From: "Paul Hampson" <[EMAIL PROTECTED]>
> > From: Thor Spruyt
> > Sent: Monday, 1 September 2003 11:29 PM
>
> > ----- Original Message ----- 
> > From: <[EMAIL PROTECTED]>
> > > Hi.
> > > I'm using FreeRadius 0.9.0 on RedHat Linux 9.
> > > I'm using external program for authorizing users. When authorization is
> > > not allowed, I'd like to inform my user about reason of failure so I'm
> > > returning Reply-Message:="Some reason" in output from my program.
> > > But, Free Radius always returns "external check failed".
> >
> > The auth.c code always adds a reply-message attribute to the Auth-Reject
> > when the external program returns something else than 0.
> > I have patched the source code so it doesn't do this anymore.
>
> Why? I preferred the solution where it added the message, unless
> another Reply-Message had already been set. Is there some reason
> you don't want the Reply-Message set at all in this circumstance?

I noticed that even though my program was giving a Reply-Message, auth.c was
still adding its own Reply-Message. In the Auth-Reject packet, there were
two Reply-Message attributes, 1 from the External script and 1 added by
auth.c, and my NAS was only interpreting the latter.
So, since my program always returns a Reply-Message and I'm not that good in
C programming, the best solution for me was to comment out the code that
added the unneeded Reply-Message.

> I guess I can see that you may not want people to know your
> RADIUS server's on the blink...

Indeed. Or even knowing that there's an external program executed.

> Given the discussion about external programs returning 0 for
> ACCEPT, and anything else being reject (with error message)...

I don't think returning non-zero is always an error, since the script might
decide to deny access.

> Would it be better to only add the message if we get a -1
> back from the exec call, and let the script take care of it
> if we get a >0 and hence reject the call?
>
> If the script fails (as opposed to rejects the request), will
> it return anything other than -1?

Maybe the best thing to do is make it configurable in radiusd.conf, sort of
a default Reply-Message when the external program didn't supply one.
Also, I would make auth.c aware of the difference between an error and a
Reject by the external program. I don't know enough about exit codes to
decide which exit code should mean a Reject and which should indicate an
error.

> Alternatively, convert to rlm_exec. Cases where it can't
> match Exec-Program{,-Wait} are probably interesting to the
> developers, since rlm_exec is (apparently) intended to replace
> Exec-Program{,-Wait}.

I wouldn't replace Exec-Program{,-Wait} with rlm_exec, since
Exec-Program{,-Wait} has certain advantages over rlm_exec, but I'm certainly
looking at the option.

This whole thing is just a minor issue for me, but I think that *not* having
to patch the source code is better :)

Regards,

Thor.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
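The two changes proposed in this message (append the server's own Reply-Message only when the script did not supply one, and treat a failed exec call differently from a deliberate reject) modelled as a small Python program. This is an added illustration for the thread, not FreeRADIUS's auth.c and not code from any of the posters; the attribute-pair parser, the DEFAULT_REJECT_MESSAGE constant and the convention that a failed exec is passed in as None are assumptions made for the example. It also shows why the current behaviour produces two Reply-Message attributes in one Access-Reject.

```python
import re

# Message auth.c appends today on any non-zero exit (quoted in the thread);
# the proposal is to make this a radiusd.conf default used only as a fallback.
DEFAULT_REJECT_MESSAGE = "external check failed"

# Matches one "Attribute op value" pair; ':=' '+=' '==' are tried before '='.
PAIR_RE = re.compile(r'^([A-Za-z0-9-]+)\s*(:=|\+=|==|=)\s*(.*?)\s*$')


def parse_exec_output(stdout):
    """Parse the attribute pairs an Exec-Program-Wait script prints on stdout.

    Assumption (for this example only): pairs are separated by newlines or
    commas and values contain no commas; surrounding quotes are removed.
    Returns a list of (attribute, operator, value) tuples.
    """
    attrs = []
    for item in re.split(r'[,\n]', stdout):
        item = item.strip()
        if not item:
            continue
        m = PAIR_RE.match(item)
        if not m:
            raise ValueError("unparseable attribute pair: %r" % item)
        name, op, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        attrs.append((name, op, value))
    return attrs


def build_reply_current(exit_status, stdout, default_message=DEFAULT_REJECT_MESSAGE):
    """Models the behaviour observed in the thread: on any non-zero status the
    server appends its own Reply-Message regardless of what the script printed,
    so the Access-Reject can carry two and the NAS shows whichever it picks."""
    if exit_status == 0:
        return ("Access-Accept", parse_exec_output(stdout))
    attrs = parse_exec_output(stdout) if exit_status is not None else []
    attrs.append(("Reply-Message", ":=", default_message))
    return ("Access-Reject", attrs)


def build_reply_proposed(exit_status, stdout, default_message=DEFAULT_REJECT_MESSAGE):
    """Models the proposed behaviour.

    exit_status None stands for the exec call itself failing (the -1 case):
    the script never ran, so the configured default is the only message.
    exit_status 0 is Accept. Any other code is a deliberate Reject by the
    script; the default Reply-Message is added only if the script gave none.
    """
    if exit_status is None:
        return ("Access-Reject", [("Reply-Message", ":=", default_message)])
    attrs = parse_exec_output(stdout)
    if exit_status == 0:
        return ("Access-Accept", attrs)
    if not any(name == "Reply-Message" for name, _, _ in attrs):
        attrs.append(("Reply-Message", ":=", default_message))
    return ("Access-Reject", attrs)


def count_reply_messages(reply):
    """Number of Reply-Message attributes in a (code, attrs) reply."""
    return sum(1 for name, _, _ in reply[1] if name == "Reply-Message")


if __name__ == "__main__":
    # Constructed sample: the script rejects the user and says why (exit 1).
    script_out = 'Reply-Message := "Account expired"'
    print("current :", build_reply_current(1, script_out))
    print("proposed:", build_reply_proposed(1, script_out))
    print("exec failed, proposed:", build_reply_proposed(None, ""))
```

With the proposed logic a script that prints its own Reply-Message and exits non-zero produces a reject carrying exactly that one message, an empty-output reject gets the configured default, and an exec failure is answered with the default alone; which exit codes should mean "reject" versus "error" is left open, as it is in the message.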