rlm_perl issue

2013-08-22 Thread Dean, Barry
An interesting one for the list ...

We are installing a Palo Alto firewall and it has a way to pass Username/IP 
mappings from FreeRADIUS to a Windows User ID Agent, which is then queried by 
the firewall.

The method employed is to use a Perl module (PAN::API), which has a simple API, 
basically:

$var = PAN::API::UID->new( ip of server );
$var->add( type login/logout, username, Framed-IP-Address );
$var->submit();

which is added in the sub preacct () of the perl module...

then call this in preacct {}

There are a couple of issues with this module that I am going to try and 
address:

1) Connections
new only instantiates an empty object
add adds the values to a hash
submit opens an SSL TCP connection, sends the hash as XML, then 
closes the connection.
With all the work being done in submit you have to create and tear down an 
SSL TCP connection for EVERY accounting record! Which is a lot at my site!

2) Errors
If the socket set-up fails, the PAN::API module calls croak(), which on 
my system terminated FreeRADIUS, which seems like what would happen?

Thu Aug 22 13:53:03 2013 : Error: rlm_perl: perl_embed:: module = 
/etc/raddb/perl.pl , func = preacct exit status= Unable to connect socket.  at 
/etc/raddb/perl.pl line 474

Socket setup failed I am guessing because of all the open/close socket 
activity? Looks like the Windows 2008R2 server either blocked this as a 
suspected DOS or the agent failed to cope with this kind of TCP activity?

Obviously for problem 1, a better model would be to implement new methods on 
the object to open and close the SSL connection, then use a pattern like:

{ # Static block start
    my $object = PAN::API::UID->new( IP );
    $object->connectssl();

    sub preacct {
        $object->add( params );
        $object->submit();
    }
}

closing the SSL would not be needed in effect as we run forever, and I 
wouldn't know where to place it as there is no function called on an rlm_perl 
module when FreeRADIUS is about to terminate, unless I am missing something.

For problem 2, are there rules about what you should not do in an rlm_perl 
module? I would have thought exit(), die(), croak() etc are all bad and that 
returning quietly, optionally setting an error code, would be better? Then back 
in sub preacct () you could check the error and log with radiusd::radlog() 
and do a return RLM_MODULE_NOOP?

Would you expect FreeRADIUS to terminate if an rlm_perl module called croak()?

Anyone want to throw in 2 cents/pennies worth to this?

Thanks in advance, as always, for your time ...


Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
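As an added illustration of problem 2 (this is not code from the post or from PAN::API), here is a preacct() for rlm_perl that keeps a single PAN::API::UID object across requests and wraps the module calls in eval {}, so a croak() from inside PAN::API becomes a log line and a NOOP rather than an exception escaping the module. It assumes PAN::API::UID->new($ip), ->add($type, $user, $ip) and ->submit() behave as the post describes, the agent address is a constructed placeholder, and the return codes and log levels are the values FreeRADIUS's example.pl defines. Reusing the object does not by itself fix problem 1: submit() still opens and closes its own connection per call until the module is changed.

```perl
# Added example, not from the original post or from PAN::API.
# Assumptions: PAN::API::UID->new/add/submit as described in the post;
# 192.0.2.10 is a placeholder agent address; constants as in example.pl.
use strict;
use warnings;
use PAN::API;

use constant RLM_MODULE_OK   => 2;
use constant RLM_MODULE_NOOP => 7;

use constant L_INFO => 3;   # radlog levels from radiusd.h
use constant L_ERR  => 4;

# rlm_perl fills this hash from the incoming packet
our %RAD_REQUEST;

my $AGENT_IP = '192.0.2.10';                 # placeholder, not a real agent
my %ACTION   = (Start => 'login', Stop => 'logout');

# One object per interpreter, created on first use and rebuilt after a
# failure. submit() still connects per call, as the post describes.
my $uid;
sub agent {
    $uid = PAN::API::UID->new($AGENT_IP) unless defined $uid;
    return $uid;
}

sub preacct {
    my $status = $RAD_REQUEST{'Acct-Status-Type'};
    my $action = defined $status ? $ACTION{$status} : undef;
    return RLM_MODULE_NOOP unless defined $action;     # Interim-Update etc.

    my $user = $RAD_REQUEST{'User-Name'};
    my $ip   = $RAD_REQUEST{'Framed-IP-Address'};
    return RLM_MODULE_NOOP unless defined $user && defined $ip;

    # eval {} turns croak()/die() raised inside PAN::API into a value in $@,
    # so the outcome stays under this module's control.
    my $ok = eval {
        my $agent = agent();
        $agent->add($action, $user, $ip);
        $agent->submit();
        1;
    };
    if (!$ok) {
        my $err = $@ || 'unknown error';
        $err =~ s/\s+\z//;
        &radiusd::radlog(L_ERR, "PAN UID $action for $user/$ip failed: $err");
        undef $uid;                  # next request starts from a fresh object
        return RLM_MODULE_NOOP;      # accounting itself is unaffected
    }

    &radiusd::radlog(L_INFO, "PAN UID $action sent for $user/$ip");
    return RLM_MODULE_OK;
}

# func_detach hook, called when rlm_perl unloads the module; PAN::API holds
# no open connection, so there is only the object to drop.
sub detach {
    undef $uid;
    return RLM_MODULE_OK;
}

1;
```

rlm_perl can run several interpreter clones, so each clone ends up with its own $uid; that is harmless here because nothing is shared between them. Returning NOOP on failure means the accounting packet is still processed by the rest of the section; the only thing lost is that one user/IP mapping, which is recorded in the radius log.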


Re: rlm_perl issue

2013-08-22 Thread Phil Mayers

On 22/08/13 16:46, Dean, Barry wrote:


> Anyone want to throw in 2 cents/pennies worth to this?


Yep, don't do it like this.

Instead, write the user/ip entries to a file using the linelog module, 
and use a long-running perl process to tail the file (using File::Tail) 
and post them to the PAN. This will likely be more performant and avoid 
the hassles of a random module interfering with FreeRADIUS.


You probably want to write a timestamp to the file, and have the 
long-running process ignore lines X old, in case it lags behind e.g. 
because it hangs, gets shutdown and restarted much later, etc.

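Here, as an added example that is not code from the thread, is the shape of the long-running consumer described above: File::Tail follows the linelog file, each record carries the request timestamp, and records older than a threshold are dropped so a process that was down for a while does not replay an old backlog into the agent. The linelog format, file path, agent address and 300-second threshold are assumptions; %l is the FreeRADIUS xlat for the request timestamp in seconds since the epoch. User-Name is deliberately written as the last field, because it is client-supplied text that may contain spaces and must not be allowed to shift the fixed fields in front of it.

```perl
#!/usr/bin/perl
# Added example, not from the original thread.
# Assumed linelog configuration (accounting section), producing one record
# per line:
#   linelog panuid {
#       filename = /var/log/freeradius/panuid.log
#       format = "%l %{Acct-Status-Type} %{Framed-IP-Address} %{User-Name}"
#   }
use strict;
use warnings;
use File::Tail;
use PAN::API;

my $LOG      = '/var/log/freeradius/panuid.log';   # assumed path
my $AGENT_IP = '192.0.2.10';                       # placeholder agent
my $MAX_AGE  = 300;   # seconds; anything older is treated as stale

my %ACTION = (Start => 'login', Stop => 'logout');

# Parse one record into (ts, action, ip, user), or return an empty list for
# anything that should not be acted on. The split limit of 4 keeps the
# entire User-Name, spaces included, in the last field.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my ($ts, $status, $ip, $user) = split /\s+/, $line, 4;
    return () unless defined $user && length $user;
    return () unless $ts =~ /\A\d+\z/;
    return () unless $ip =~ /\A(?:\d{1,3}\.){3}\d{1,3}\z/;   # IPv4, as in the thread
    my $action = $ACTION{$status};
    return () unless defined $action;                        # Interim-Update etc.
    return ($ts, $action, $ip, $user);
}

# A record is stale when it is older than $MAX_AGE at time $now, e.g.
# because this process was stopped and is catching up on a backlog.
sub is_stale {
    my ($ts, $now) = @_;
    return ($now - $ts) > $MAX_AGE;
}

my $agent = PAN::API::UID->new($AGENT_IP);

# File::Tail blocks in read() until a new line arrives and reopens the file
# after log rotation, so this loop runs for the life of the process.
my $tail = File::Tail->new(name => $LOG, interval => 1, maxinterval => 5);
while (defined(my $line = $tail->read)) {
    my ($ts, $action, $ip, $user) = parse_line($line);
    next unless defined $ts;
    my $now = time();
    if (is_stale($ts, $now)) {
        my $age = $now - $ts;
        warn "skipping stale $action for $ip ($user), record age ${age}s\n";
        next;
    }
    # A failure here costs one record and a warning, not the RADIUS server.
    eval { $agent->add($action, $user, $ip); $agent->submit(); 1 }
        or warn "PAN UID $action for $ip ($user) failed: $@";
}
```

Run this under a process supervisor as its own daemon; none of its blocking reads or agent round trips sit in FreeRADIUS's request path, which is the point of the design. Pick $MAX_AGE with the agent's own mapping lifetime in mind: a stale login that is replayed re-maps an address a different user may hold by now, so erring towards dropping old records is the safer side.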


rlm_perl issue...

2006-07-12 Thread Nikola Pavkovic
Hi all,

I'm experiencing strange behaviour of the rlm_perl module causing freeradius
to be unable to start. Here is the output of `freeradius -X` (running on Debian
Sarge i386, freeradius version 1.1.2):

# freeradius -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded perl 
 perl: module = /root/bin/mymodule.pm
 perl: func_authorize = authorize
 perl: func_authenticate = authenticate
 perl: func_accounting = accounting
 perl: func_preacct = preacct
 perl: func_checksimul = checksimul
 perl: func_detach = detach
 perl: func_xlat = xlat
 perl: func_pre_proxy = pre_proxy
 perl: func_post_proxy = post_proxy
 perl: func_post_auth = post_auth
 perl: perl_flags = (null)
 perl: func_start_accounting = (null)
 perl: func_stop_accounting = (null)
Can't load '/usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so' for module 
Data::Dumper: /usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so: undefined symbol: 
Perl_sv_cmp at /usr/lib/perl/5.8/XSLoader.pm line 68.
 at /usr/lib/perl/5.8/Data/Dumper.pm line 27
Compilation failed in require at /root/bin/mymodule.pm line 30.
BEGIN failed--compilation aborted at /root/bin/mymodule.pm line 30.
rlm_perl: perl_parse failed: /root/bin/mymodule.pm not found or has syntax 
errors.  
radiusd.conf[540]: perl: Module instantiation failed. 
radiusd.conf[1747] Unknown module perl.
radiusd.conf[1746] Failed to parse authenticate section. 

If I comment out the use Data::Dumper; line, freeradius starts ok, but then
it does not send any attributes back to the Cisco AS5300, but only Access-Accept
(or Access-Reject).

Are there any ideas where the problem with loading the Data::Dumper module
could be (since I assume that not sending the attributes back is caused by
commenting out the use Data::Dumper; line)?

Thanks in advance.

Sincerely,
  Nikola Pavkovic


Re: rlm_perl issue...

2006-07-12 Thread Boian Jordanov
On Wednesday 12 July 2006 13:03, Nikola Pavkovic wrote:
> Hi all,
>
> I'm experiencing strange behaviour of rlm_perl module causing freeradius
> to be unable to start. Here is the output of `freeradius -X` (running on
> Debian Sarge i386, freeradius version 1.1.2):
>
>
> If I comment out the use Data::Dumper; line, freeradius starts ok, but
> then it does not send any attributes back to the Cisco AS5300, but only
> Access-Accept (or Access-Reject).

Data::Dumper is used to dump data structures and has nothing to do with 
attributes sent back from radius.
See http://wiki.freeradius.org/index.php/Rlm_perl for more information.

> Are there any ideas where could be the problem with loading the
> Data::Dumper module (since I assume that not sending the attributes back is
> caused by commenting out the use Data::Dumper; line)?
>
>
> Thanks in advance.
>
> Sincerely,
>   Nikola Pavkovic

-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002


Re: rlm_perl issue...

2006-07-12 Thread Nikola Pavkovic
On Wed, Jul 12, 2006 at 01:34:52PM +0300, Boian Jordanov wrote:
> On Wednesday 12 July 2006 13:03, Nikola Pavkovic wrote:
> > Hi all,
> >
> > ...
> Data::Dumper is used to dump data structures and has nothing to do with
> attributes sent back from radius.
> See http://wiki.freeradius.org/index.php/Rlm_perl for more information.
>

Boian, tnx for your reply. I will look at the configuration a little
more and try to find out what is causing the problem.

Sincerely,
Nikola Pavkovic