Hey there,

Thanks for that, this explains why the passwordlog directive wasn't working. However, I sort of solved this in a similar manner, with my PreAuthHook wanting to log to a completely separate file that I had defined with a <Log> entry and 'Filename', which was identified by an Identifier statement:

<Log FILE>
    Identifier PASSWORDLOG
    Filename %L/%Y%m%d_password.log
</Log>

What I was wondering was how to say 'please write the messages to that file rather than the main radiator.log'
as..
# Use the password log
my $logger = &Radius::Configurable::find('Log', 'PASSWORDLOG');
Which I would have assumed would tie $logger to the FileName
%L/%Y%m%d_password.log, but results in nothing being written when trying
to capture an authentication request with

$logger->log($main::LOG_INFO, "user:$user, pass:$pass");

But if I use the 'main' logfile

&main::log($main::LOG_DEBUG, "PasswordDebug: user=>'$user', pass=>'$pass'");

It seems to write out data, which is undesirable as this then ends up in our centralised logging system, causing a cleanup mess removing people's passwords.

What am I doing wrong here? (heh, I mean besides trying to log people's passwords..)

-- Steve.

On 2/3/2023 8:48 pm, Heikki Vatiainen via radiator wrote:
> On 1.3.2023 8.40, Steve Phillips via radiator wrote:
>> So I guess my questions are twofold;
>> a) Why is the PasswordLogFile line not working?
>
> Likely because of this:
> https://files.radiatorsoftware.com/radiator/ref/Handler.html#PasswordLogFileName
>
> "... Attempts where the user is not found, are not logged. ..."
>
> When there's a problem with fetching user information from LDAP, Radiator won't log password information.
>
>> b) How can I get the PreAuthHook to write the passwords to the PASSWORDLOG identifier/log entry?
>
> You could do this to always log information from PreAuthHook:
>
> 1) Add an Identifier, for example 'Identifier abc-handler' within the Handler
> 2) Within the hook, similar to $logger, 'my $handler = Radius::Configurable::find('Handler', 'abc-handler');'
> 3) For the selected usernames, call the password logger directly. For example '$handler->logPassword($user, $pass, 'correct-pw-is-unknown', 0, $p);'
>
> Parameter '0' (or any boolean false value) causes the password logger to log 'FAIL'. Parameter 'correct-pw-is-unknown' is simply a placeholder value because at this point there's no information what the user's expected password might be. Note that when the user is found, you should get two entries for the user; one from the hook and the other from the configured password logging.
>
> It's possible also to arrange and use <Log ...> clauses for this, but logging via PasswordLogFileName method also automatically turns itself off when the configuration parameter is removed or commented out from the configuration. This gives an additional visible hint that password logging is currently enabled.
>
> Thanks,
> Heikki
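The three steps from the quoted reply, put together as one PreAuthHook. This is an added illustration, not code from the thread or from Radiator Software. It assumes the hook receives a reference to the request as its first argument and that the request object offers getUserName() and decodedPassword(); the hook file name, the watched usernames and the PasswordLogFileName value are constructed for the example.

```perl
# Radiator configuration the hook relies on (shown as comments):
#
#   <Handler>
#       Identifier abc-handler                       # step 1 from the reply
#       PasswordLogFileName %L/%Y%m%d_password.log   # assumed value
#       PreAuthHook file:"%D/log-password-hook.pl"   # hypothetical file name
#       AuthBy ldap-users                            # hypothetical AuthBy Identifier
#   </Handler>
#
# Contents of log-password-hook.pl:
sub
{
    # Assumption: $_[0] is a reference to the current request packet.
    my $p = ${$_[0]};

    # Constructed list of accounts being debugged. Keep it short so the
    # password log only ever holds the credentials under investigation.
    my %watched = map { $_ => 1 } qw(alice bob);

    # Assumption: getUserName() returns the User-Name of the request.
    my $user = $p->getUserName();
    return unless defined $user && $watched{$user};

    # Assumption: decodedPassword() returns the cleartext User-Password.
    # Requests without one (for example CHAP or EAP) are skipped.
    my $pass = $p->decodedPassword();
    return unless defined $pass && length $pass;

    # Step 2: look up the Handler by the Identifier configured above.
    my $handler = Radius::Configurable::find('Handler', 'abc-handler');
    unless ($handler)
    {
        # Report the misconfiguration without writing the password
        # to the main log.
        &main::log($main::LOG_WARNING,
                   "PreAuthHook: Handler 'abc-handler' not found");
        return;
    }

    # Step 3: call the password logger directly. The fourth argument 0
    # makes the entry read FAIL, and 'correct-pw-is-unknown' is the
    # placeholder from the reply, since the expected password is not
    # known before authentication.
    $handler->logPassword($user, $pass, 'correct-pw-is-unknown', 0, $p);
    return;
}
```

Removing or commenting out PasswordLogFileName when the debugging session is over turns this logging off, as the reply notes.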
