Re: Accounting copying to specific systems
Joe Maimon wrote:
> And that is what I have done.
>
> git://github.com/jmaimon/freeradius-server.git

OK. After a quick look, there are a number of patches which can be pulled in. I'll try to do that this week.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> Here is what I am doing with rlm_policy
>
> You had "control" above. Why "request" here?
>
>> These are all the patches I am currently carrying.
>
> OK... my $0.02 is put them in github. Fork the "stable" branch, apply
> your patches, and send me a link to the github repository. That makes it
> easier for me to see && apply the patches.
>
> Alan DeKok.

And that is what I have done.

git://github.com/jmaimon/freeradius-server.git
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> Here is what I am doing with rlm_policy
>>
>> if (request:Class =* "" ) {
>
> And what does that mean? I haven't looked at the policy code in years...

And it still works nicely. If Class exists in the request.

> See "man unlang" the "CONDITIONS" section for how conditions work. If
> you're just looking to see if Class exists, do:
>
>     if (Class) {
>
> It's that easy.

And it works. Thanks.

>> if (request:Client-Short-Name == "noc03rt07") {
>> update request {
>
> You had "control" above. Why "request" here?

Troubleshooting permutations.

>> These are all the patches I am currently carrying.
>
> OK... my $0.02 is put them in github. Fork the "stable" branch, apply
> your patches, and send me a link to the github repository. That makes it
> easier for me to see && apply the patches.
>
> Alan DeKok.

Soon as I figure it out.
Re: Accounting copying to specific systems
Joe Maimon wrote:
> Here is what I am doing with rlm_policy
>
>
> if (request:Class =* "" ) {

And what does that mean? I haven't looked at the policy code in years...

>     if (request:Client-Short-Name == "noc03rt07") {
>         control .= {
>             Home-Server-Pool := "pool-noc03-8e6"
>         }
>     }
> }
>
>
> Here is how I tried doing it with unlang
>
>if (request:Class =* "" ) {

See "man unlang" the "CONDITIONS" section for how conditions work. If you're just looking to see if Class exists, do:

    if (Class) {

It's that easy.

>if (request:Client-Short-Name == "noc03rt07") {
>update request {

You had "control" above. Why "request" here?

> These are all the patches I am currently carrying.

OK... my $0.02 is put them in github. Fork the "stable" branch, apply your patches, and send me a link to the github repository. That makes it easier for me to see && apply the patches.

Alan DeKok.
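The two corrections in the reply above (the existence test written as a bare attribute name, and "control" as the list being updated), put together as an added example that is not from either poster. It assumes the Client-Short-Name attribute is defined on the original poster's build and reuses the pool and realm names from his posted configuration; the Proxy-To-Realm line is kept because he reports elsewhere in the thread that only that attribute took effect for accounting on his build.

```unlang
# Added example: preacct section of the detail-reader virtual server.
preacct {
	# True when the accounting request carries a Class attribute.
	# unlang has no "=*" operator; a bare attribute name is the test.
	if (Class) {
		# Client-Short-Name is the attribute used in the thread
		# (assumed to exist on the poster's patched build).
		if (Client-Short-Name == "noc03rt07") {
			# Proxy decisions are read from the control list,
			# not from the request list.
			update control {
				Home-Server-Pool := "pool-noc03-8e6"
				# Reported in the thread as the attribute that
				# works for accounting without patching acct.c.
				Proxy-To-Realm := "noc03-8e6.realms"
			}
		}
	}
	preprocess
}
```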
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> The if matches just fine and updates with rlm_policy, but I couldn't get
>> something reasonable in unlang to parse successfully. I would appreciate
>> some tips.

Here is what I am doing with rlm_policy

if (request:Class =* "" ) {
    if (request:Client-Short-Name == "noc03rt07") {
        control .= {
            Home-Server-Pool := "pool-noc03-8e6"
        }
    }
}

Here is how I tried doing it with unlang

if (request:Class =* "" ) {
    if (request:Client-Short-Name == "noc03rt07") {
        update request {
            Home-Server-Pool := "pool-noc03-8e6"
        }
    }
}

I also tried this

if (request:Class =~ ".*" ) {
    if (request:Client-Short-Name == "noc03rt07") {
        update request {
            Home-Server-Pool := "pool-noc03-8e6"
        }
    }
}

>> As I am currently carrying patches for rlm_policy, the question is
>> whether it is worthwhile to switch focus to unlang.
>
> IIRC, most of the patches you had for the policy module went into
> source control. What's left?

You got the "big" one.

These are all the patches I am currently carrying.

020-client-short-name.dpatch
030-substar_regex.patch
080-keep-local-av-proxy.dpatch
130-rlm-policy-fix.dpatch
140-rlm-policy-subops.dpatch
200-cmp-operators-fix.dpatch
230-fix-policy-null-myvp.dpatch
245-policy-xlat.dpatch
310-rlm_exec-nullchecks.dpatch
380-rlm_policy-evaluate-seg
400-rlm_policy-parse-assert
430-rlm_policy-missing-policy-ok
440-proxy-home-server-pool

Some are hacks, most are old and you have probably seen them before. About the only thing I can say with confidence, is worksforme.

I suppose I should use bugzilla to post them even if the attached tarball comes through.

> Alan DeKok.

jm-freeradius-2.1.8-git-20090923.tar.gz
Description: GNU Zip compressed data
Re: Accounting copying to specific systems
Alan DeKok wrote: Joe Maimon wrote: It doesnt work with Home-Server-Pool, but it does work with Proxy-To-Realm. Hmm... what does that mean? If you put the "update" section inside of an "if" statement that never matches... it won't work. The Home-Server-Pool code *should* work in 2.1.7. I can double-check it tomorrow. src/main/acct.c needed a patch to handle PW_HOME_SERVER_POOL similar to PW_PROXY_TO_REALM Seems like it is working, but I am still testing. My patch duplicates the LOCAL functionality, but is that purposeless? #! /bin/sh /usr/share/dpatch/dpatch-run ## 440-proxy-home-server-pool.dpatch by ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad freeradius-server~/src/main/acct.c freeradius-server/src/main/acct.c --- freeradius-server~/src/main/acct.c 2009-09-24 16:38:44.0 -0400 +++ freeradius-server/src/main/acct.c 2009-09-24 16:38:47.0 -0400 @@ -122,6 +122,29 @@ * Maybe one of the preacct modules has decided * that a proxy should be used. */ + + if ((vp = pairfind(request->config_items, PW_HOME_SERVER_POOL))) { + home_pool_t *home_pool; + + /* +* Check whether Home-Server-Pool is +* a LOCAL pool. +*/ + home_pool = home_pool_byname(vp->vp_strvalue, HOME_TYPE_ACCT); + if (home_pool && !home_pool->servers) { + DEBUG("rad_accounting: Cancelling proxy to home_pool %s, as it is a LOCAL home pool.", + home_pool->name); + pairdelete(&request->config_items, PW_HOME_SERVER_POOL); + } else { + /* +* Don't reply to the NAS now because +* we have to send the proxied packet +* before that. +*/ + return result; + } + } + if ((vp = pairfind(request->config_items, PW_PROXY_TO_REALM))) { REALM *realm; diff -urNad freeradius-server~/src/main/realms.c freeradius-server/src/main/realms.c --- freeradius-server~/src/main/realms.c2009-09-24 16:38:44.0 -0400 +++ freeradius-server/src/main/realms.c 2009-09-24 16:39:31.0 -0400 
@@ -932,7 +932,8 @@ } } - if (num_home_servers == 0) { + /* LOCAL pools have no servers */ + if (num_home_servers == 0 && strcmp(name2, "LOCAL")) { cf_log_err(cf_sectiontoitem(cs), "No home servers defined in pool %s", name2); @@ -1468,6 +1469,11 @@ mypool.name = name; mypool.server_type = server_type; + if (strcmp(name, "LOCAL") == 0) { + cf_log_err(cf_sectiontoitem(cs), "\"%s\" pool cannot be used with realms", name); + return 0; + } + pool = rbtree_finddata(home_pools_byname, &mypool); if (!pool) { CONF_SECTION *pool_cs; @@ -1728,10 +1734,15 @@ static int pool_peek_type(CONF_SECTION *config, CONF_SECTION *cs) { int home; - const char *name, *type; + const char *name, *name2, *type; CONF_PAIR *cp; CONF_SECTION *server_cs; + name2 = cf_section_name2(cs); + if (name2 && strcmp(name2, "LOCAL") == 0) { + /* LOCAL Home server pool has no home_server */ + return HOME_TYPE_AUTH; + } cp = cf_pair_find(cs, "home_server"); if (!cp) { cf_log_err(cf_sectiontoitem(cs), "Pool does not contain a \"home_server\" entry"); - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
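Review bot: In the src/main/acct.c hunk, the else branch runs whenever "home_pool && !home_pool->servers" is false, and that includes home_pool_byname() returning NULL, so a Home-Server-Pool value naming a pool that does not exist returns result early as though the request were about to be proxied. Test the NULL case on its own, log the unknown pool name, and either delete the attribute or fail the request explicitly. The dpatch header also still says "## DP: No description."; one line stating that accounting now honours Home-Server-Pool the way it honours Proxy-To-Realm would help whoever pulls this.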
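Review bot: In the first src/main/realms.c hunk (@@ -932), strcmp(name2, "LOCAL") is used as a bare truth value and without a NULL guard, while the pool_peek_type() hunk writes "name2 && strcmp(name2, "LOCAL") == 0". Write it as "!= 0" to match, and confirm name2 cannot be NULL at this point. The exemption here is by name, but acct.c recognises a LOCAL pool by "!home_pool->servers"; the two tests should agree, and the "LOCAL" literal, now repeated in three places in this file, would be better as a single #define.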
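Review bot: In the pool_peek_type() hunk (@@ -1728), a LOCAL pool is always reported as HOME_TYPE_AUTH, yet the acct.c change looks the pool up with home_pool_byname(vp->vp_strvalue, HOME_TYPE_ACCT). If pools are keyed by name and type, as "mypool.server_type = server_type" in the @@ -1468 hunk suggests, the accounting lookup will not find an AUTH-typed LOCAL pool and the "Cancelling proxy" branch in acct.c is never reached. Either register LOCAL for the accounting type as well or make the LOCAL lookup independent of type, and say in the comment why AUTH was chosen.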
Re: Accounting copying to specific systems
Joe Maimon wrote:
> The if matches just fine and updates with rlm_policy, but I couldn't get
> something reasonable in unlang to parse successfully. I would appreciate
> some tips.

To do...?

> So I should try regex =~ ".*" ?

To do... ?

> That didn't work either.

And... what does the debug output say?

> They are, they work. My point was that I was hoping to find a way to use
> unlang.
>
> However, to use it like I use policy, seems like it might need some
> patches.

To do... ?

> As I am currently carrying patches for rlm_policy, the question is
> whether it is worthwhile to switch focus to unlang.

IIRC, most of the patches you had for the policy module went into source control. What's left?

Alan DeKok.
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.
>
> Hmm... what does that mean? If you put the "update" section inside of
> an "if" statement that never matches... it won't work.

The if matches just fine and updates with rlm_policy, but I couldn't get something reasonable in unlang to parse successfully. I would appreciate some tips.

> The Home-Server-Pool code *should* work in 2.1.7. I can double-check
> it tomorrow.

Thanks.

>> Also, I haven't been able to figure out how to get unlang to do the job
>> here. Server won't even start with my attempt.
>>
>> Expected comparison at: =*
>> /etc/freeradius/sites-enabled/copy-acct-to-noc03-8e6[9]: Errors parsing
>> preacct section
>
> See "man unlang". The "=*" operator isn't supported.

So I should try regex =~ ".*" ?

That didn't work either.

>> Currently I am using the rlm_policy language.
>
> Which isn't "unlang". Those policies need to (a) be in separate
> files, and (b) follow the format outlined in raddb/policy.txt

They are, they work. My point was that I was hoping to find a way to use unlang.

However, to use it like I use policy, seems like it might need some patches.

As I am currently carrying patches for rlm_policy, the question is whether it is worthwhile to switch focus to unlang.

> Alan DeKok.
Re: Accounting copying to specific systems
Joe Maimon wrote:
> It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.

Hmm... what does that mean? If you put the "update" section inside of an "if" statement that never matches... it won't work.

The Home-Server-Pool code *should* work in 2.1.7. I can double-check it tomorrow.

> Also, I haven't been able to figure out how to get unlang to do the job
> here. Server won't even start with my attempt.
>
> Expected comparison at: =*
> /etc/freeradius/sites-enabled/copy-acct-to-noc03-8e6[9]: Errors parsing
> preacct section

See "man unlang". The "=*" operator isn't supported.

> Currently I am using the rlm_policy language.

Which isn't "unlang". Those policies need to (a) be in separate files, and (b) follow the format outlined in raddb/policy.txt

Alan DeKok.
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> Would that be this freeradius internal attribute?
>>
>> Home-Server-Pool
>
> It's used to proxy requests to a home server pool, without involving
> realms.
>
> Alan DeKok.

It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.

Server is built from git-stable-20090923

Also, I haven't been able to figure out how to get unlang to do the job here. Server won't even start with my attempt.

Expected comparison at: =*
/etc/freeradius/sites-enabled/copy-acct-to-noc03-8e6[9]: Errors parsing preacct section

Currently I am using the rlm_policy language.

I would appreciate any suggestions, tips and advice.

Thank you for all your help.

Joe

Here is my semi-finished product:

radiusd.conf:
=============

detail detail-copy-noc03-8e6 {
    detailfile = ${radacctdir}/detail-reader/noc03-8e6.log
    detailperm = 0600
    header = "%t"
}

policy policy-copy-acct-to-noc03-8e6 {
    filename = ${confdir}/policy-copy-acct-to-noc03-8e6.txt
}

proxy.conf:
===========

home_server noc03-8e6 {
    type = acct
    ipaddr = xx.yy.53.10
    secret = test
    src_ipaddr = ${local_address}
    port = 1646
}

home_server_pool pool-noc03-8e6 {
    home_server = noc03-8e6
}

realm noc03-8e6.realms {
    acct_pool = pool-noc03-8e6
}

sites-available/default:

#Add this line to the accounting section
detail-copy-noc03-8e6

sites-available/copy-acct-to-noc03-8e6:
=======================================

server copy-acct-to-no03-8e6 {
    listen {
        type = detail
        filename = ${radacctdir}/detail-reader/noc03-8e6.log
        load_factor = 10
    }
    preacct {
        # doesn't work, server won't start.
        # if (request:Class =* "" ) {
        #     if (request:Client-Short-Name == "noc03rt07") {
        #         update control {
        #             Home-Server-Pool := "pool-noc03-8e6"
        #         }
        #     }
        # }
        policy-copy-acct-to-noc03-8e6
        preprocess
    }
    accounting {
        ok
    }
    pre-proxy {
    }
    post-proxy {
    }
}

policy-copy-acct-to-noc03-8e6.txt:
==================================

policy set-acct-home-server {
    if (request:Class =* "" ) {
        if (request:Client-Short-Name == "noc03rt07") {
            control .= {
                #Home-Server-Pool doesn't seem to do anything even post 2.1.7
                Home-Server-Pool := "pool-noc03-8e6"
                Proxy-To-Realm := "noc03-8e6.realms"
            }
        }
    }
}

policy preacct {
    set-acct-home-server()
}
Re: Accounting copying to specific systems
Joe Maimon wrote:
> Would that be this freeradius internal attribute?
>
> Home-Server-Pool

It's used to proxy requests to a home server pool, without involving realms.

Alan DeKok.
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Right now, yes. In 2.1.7, you probably won't have to.
>
> You can give the realms any name you want.
>
> Alan DeKok.

Would that be this freeradius internal attribute?

Home-Server-Pool
Re: Accounting copying to specific systems
Joe Maimon wrote:
> So I write all accounting coming into the server duplicated into
> multiple detail files, one per potential destination.

Yes.

> Then I have a reader which while reading filters only what I want to
> send to the destination.

Yes.

> I have multiple readers.
>
> I think I get it, I would use acct_users and Reject what I don't want?

"unlang". It's far easier.

> Wouldn't I need a customized "files" to use a different acct_users per
> destination?

Yes.

> Is there any way to do this without buffering all accounting to disk and
> then filtering all accounting multiple times?

No.

Alan DeKok.
Re: Accounting copying to specific systems
Joe Maimon wrote:
> So I define multiple home servers as the potential destinations for the
> copied accounting in proxy.conf

Yes. AND you write to multiple detail files.

> How do I specify where to send the accounting in the detail-reader?
>
> Either of these?
>
> ATTRIBUTE Proxy-To-Realm 1048 string

Proxy-To-Realm.

> ATTRIBUTE Replicate-To-Realm 1049 string

This doesn't do anything.

> I wasn't planning to create a realm, do I need to?

Right now, yes. In 2.1.7, you probably won't have to.

You can give the realms any name you want.

Alan DeKok.
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> Certain systems need copies of accounting data, but I only want to send
>> a subset of accounting to the appropriate system. I don't want to change
>> the way the server updates the sql accounting and local detail files.
>
> If you need *multiple* copies, then the "detail" write/reader is the
> way to go.
>
> I would suggest writing one detail log per destination. Then, when
> the detail file is read, do the filtering *there*. That ensures that the
> filtering for one destination doesn't affect the filtering for another
> destination.
>
> Alan DeKok.

Apparently I don't get it yet. Forgive me for being slow.

So I define multiple home servers as the potential destinations for the copied accounting in proxy.conf

How do I specify where to send the accounting in the detail-reader?

Either of these?

ATTRIBUTE Proxy-To-Realm 1048 string
ATTRIBUTE Replicate-To-Realm 1049 string

I wasn't planning to create a realm, do I need to?

Thank you very much.

Joe
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> Certain systems need copies of accounting data, but I only want to send
>> a subset of accounting to the appropriate system. I don't want to change
>> the way the server updates the sql accounting and local detail files.
>
> If you need *multiple* copies, then the "detail" write/reader is the
> way to go.
>
> I would suggest writing one detail log per destination. Then, when
> the detail file is read, do the filtering *there*. That ensures that the
> filtering for one destination doesn't affect the filtering for another
> destination.

So I write all accounting coming into the server duplicated into multiple detail files, one per potential destination.

Then I have a reader which while reading filters only what I want to send to the destination.

I have multiple readers.

I think I get it, I would use acct_users and Reject what I don't want?

Wouldn't I need a customized "files" to use a different acct_users per destination?

Is there any way to do this without buffering all accounting to disk and then filtering all accounting multiple times?

> Alan DeKok.
Re: Accounting copying to specific systems
Joe Maimon wrote:
> Certain systems need copies of accounting data, but I only want to send
> a subset of accounting to the appropriate system. I don't want to change
> the way the server updates the sql accounting and local detail files.

If you need *multiple* copies, then the "detail" write/reader is the way to go.

I would suggest writing one detail log per destination. Then, when the detail file is read, do the filtering *there*. That ensures that the filtering for one destination doesn't affect the filtering for another destination.

Alan DeKok.
Accounting copying to specific systems
Certain systems need copies of accounting data, but I only want to send a subset of accounting to the appropriate system. I don't want to change the way the server updates the sql accounting and local detail files.

I want something like this

acct.hints

DEFAULT Client-IP-Address == "1.2.3.4", Hint := "FILTER-1"
DEFAULT Client-IP-Address == "1.2.3.5", Hint := "FILTER-1"
DEFAULT Client-IP-Address == "5.6.7.8", Hint := "FILTER-2"
DEFAULT Client-IP-Address == "5.6.7.9", Hint := "FILTER-2"

acct.users

DEFAULT Hint == "FILTER-1", Copy-To := "filter-1-system"
DEFAULT Hint == "FILTER-2", Copy-To := "filter-2-system"

Where both filter-1-system and filter-2-system are defined in proxy.conf and obviously Copy-To is wishful thinking.

Am I headed in the right direction or is there a better way to do this?

Thanks,

Joe