Hi Everybody,

I found the solution to the task I described, it is quite simple. I would like to share the solution with you just in case you want the same feature in the future.

I've added a post-auth callback for the "files" module, which actually just calls the callback used for authentication.

The post-auth callback is called only in case we successfully authenticated, and so we can use it only when Access-Accept is going to be sent. In case of Access-Challenge we do not go to this section, so we can write a configuration file like the following:

"users" file:

# This rule will be applied only in case RADIUS Server sends Access-Accept message,
# You can add any attributes you want to be sent in Accept message, and also
# overwrite (or remove) attributes added in common rule (specified below).
"oleg" Response-Packet-Type == Access-Accept, User-Password == "oleg pass"
             Acct-Interim-Interval := 60,
             Idle-Timeout := 20,
             Class := "Accept Class",
             Session-Timeout := 50, # We want Session-Timeout attribute with 50 in Access-Accept (without this line we will get 100 value, which is set in "common rule")
             Termination-Action := 0,
             Session-Timeout -= 100 # this is an example of removing attribute from Access-Accept message, which was added in common rule.

# Common rule
# We enter this rule any time we get Access-Request message before authentication takes place.
# Here we should add a set of attributes we want to be included in Access-Challenge messages.
# If you want to avoid including some of these attributes in Access-Accept messages,
# you need to remove them explicitly in the previous rule.
"oleg"    User-Password == "oleg pass"
             Session-Timeout := 100 # We want Session-Timeout attribute with 100 in Access-Accept

Also we should add the "files" module into the post-auth section - add a single line in the "radiusd.conf" file:

post-auth {
      ...
      # The following line is a new one.
      files
      ...
}

What should be added in sources:
------------------------------------------

src/modules/rlm_files/rlm_files.c

Add this function:
/*
*      Execute postauth_query after authentication
*/
static int file_postauth(void *instance, REQUEST *request) {
       return file_authorize(instance, request);
}

Modify the following variable:
module_t rlm_files = {
  ...
}

instead of line:
NULL                    /* post-auth */

put:
file_postauth           /* post-auth */

Yes, it is pretty simple.

How it works:
------------------
First, on the "auth" action the server skips the first "oleg" user entry as Response-Packet-Type is still "0", and we match the second entry. This entry should keep a set of attributes we need to include in the Access-Challenge packet (in our case Session-Timeout equals 100). When the server decides that it is time to send the Access-Accept message it does the "post-auth" action, and in our case the users file is processed again. This time the Response-Packet-Type attribute is Access-Accept, so that we overwrite all the attributes set on the "auth" action with new ones (using += operators).

Hope that will help someone.

Best Regards,
Oleg.

PS: I've been really delighted reading your sources - well-done work! Thank you.
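
A simplified model of the two passes described in the post, added here as an example (it is not part of the original message and is not FreeRADIUS code). It assumes first-match-wins evaluation with only == check items and := reply items, uses a constructed request, and also shows that swapping the two entries leaves the Access-Accept rule unreachable.

```python
# Simplified model of the two passes over the "users" file (not FreeRADIUS code).
# Assumptions: first matching entry wins (no Fall-Through), check items are
# all "==", reply items are all ":=" (the "-=" line from the post is left out).
ACCEPT = "Access-Accept"

# Constructed copy of the two "oleg" entries, in the order the post gives them:
# (user name, check items, reply items).
USERS = [
    ("oleg", {"Response-Packet-Type": ACCEPT, "User-Password": "oleg pass"},
     {"Acct-Interim-Interval": 60, "Idle-Timeout": 20, "Class": "Accept Class",
      "Session-Timeout": 50, "Termination-Action": 0}),
    ("oleg", {"User-Password": "oleg pass"}, {"Session-Timeout": 100}),
]

def run_pass(users, request, reply_code, reply):
    """Apply the first entry whose check items all match; return its index."""
    # Response-Packet-Type is compared against the reply code chosen so far.
    view = {**request, "Response-Packet-Type": reply_code}
    for idx, (user, checks, replies) in enumerate(users):
        if user == request["User-Name"] and all(
                view.get(k) == v for k, v in checks.items()):
            reply.update(replies)  # ":=" replaces any value already in the reply
            return idx
    return None

def simulate(users):
    """Return (authorize match, post-auth match, challenge attrs, accept attrs)."""
    request = {"User-Name": "oleg", "User-Password": "oleg pass"}  # constructed
    reply = {}
    first = run_pass(users, request, None, reply)     # authorize: no reply code yet
    challenge = dict(reply)                           # what a challenge would carry
    second = run_pass(users, request, ACCEPT, reply)  # post-auth: Access-Accept
    return first, second, challenge, reply

if __name__ == "__main__":
    for label, users in (("as posted", USERS), ("entries swapped", USERS[::-1])):
        first, second, challenge, accept = simulate(users)
        print(label, "| authorize ->", first, "| post-auth ->", second)
        print("  challenge:", challenge)
        print("  accept:   ", accept)
```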
