Re: Exec-Program-Wait problem
Thank you for your reply,
to make it more precise, I'm trying to execute a script that checks the
users accounting (hours and minutes generated from radiusreport tool). And
when the users passes his limit he is then blocked access.
The exec module allows only this syntax: Attribute-Name =
`%{exec:/etc/freeradius/somescript}`,
(this is passed as an AV pair to the client/nas, the freeradius is running
as freerad user not root).
how can I make this happen with this syntax?
Thanks in advance.
Alan DeKok-2 wrote:
enid wrote:
DEFAULT Simultaneous-Use := 1
Idle-Timeout = 600,
Session-Timeout = 5400,
Framed-IP-Address = 255.255.255.254,
Framed-Compression = Van-Jacobson-TCP-IP,
Exec-Program-Wait = /etc/freeradius/somescript,
Fall-Through = Yes
but I want that the output of it to append to the AV pair reply that
goes
back to the client. So I have the problem that when the script is
executed,
its output doesn't append to the AV pair reply. (For example:
Reply-Message=Email Only Account)
I can post here my configuration files, if you tell me which.
Use the exec module instead. It gives you a much more fine-grained
control over the behavior of the program.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
View this message in context:
http://www.nabble.com/Exec-Program-Wait-problem-tp23161038p23171482.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait problem
enid wrote:
to make it more precise, I'm trying to execute a script that checks the
users accounting (hours and minutes generated from radiusreport tool). And
when the users passes his limit he is then blocked access.
The exec module can do that.
The exec module allows only this syntax: Attribute-Name =
`%{exec:/etc/freeradius/somescript}`,
No.
Go back and read raddb/modules/echo
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program problem
Nirmal wrote: ... Wed Apr 22 17:05:03 2009 : Debug: Exec-Program-Wait: plaintext: Wed Apr 22 17:05:03 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error ... #/bin/bash You can't run that program from a shell prompt, either. You have a typo. It should be: #!/bin/bash Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program problem
Thanks man, done. --- On Wed, 4/22/09, Alan DeKok al...@deployingradius.com wrote: From: Alan DeKok al...@deployingradius.com Subject: Re: Exec-Program problem To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Date: Wednesday, April 22, 2009, 5:25 PM Nirmal wrote: ... Wed Apr 22 17:05:03 2009 : Debug: Exec-Program-Wait: plaintext: Wed Apr 22 17:05:03 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error ... #/bin/bash You can't run that program from a shell prompt, either. You have a typo. It should be: #!/bin/bash Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program problem
changed permission of /etc/raddb/mac_entries
now getting wrong format error.
Wed Apr 22 17:21:27 2009 : Auth: Login OK: [spark] (from client localhost port
0 cli 00:19:D1:4A:53:F8)
Wed Apr 22 17:21:27 2009 : Info: +- entering group post-auth {...}
Wed Apr 22 17:21:27 2009 : Info: [exec] expand: %u - spark
Wed Apr 22 17:21:27 2009 : Info: [exec] expand: %i - 00:19:D1:4A:53:F8
Wed Apr 22 17:21:27 2009 : Debug: Exec-Program output: Wed Apr 22 17:21:27 2009
: Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
Wed Apr 22 17:21:27 2009 : Debug: Exec-Program-Wait: plaintext: Wed Apr 22
17:21:27 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec
format error
Wed Apr 22 17:21:27 2009 : Debug: Exec-Program: returned: 1
in my previous version i was using the same format.
++--+---++-+
| id | username | attribute | op | value |
++--+---++-+
| 1 | spark | Exec-Program-Wait | := | /etc/raddb/getmac %u %i |
++--+---++-+
where to check syntax for exec-program ?
--- On Wed, 4/22/09, Nirmal nirmal_...@yahoo.com wrote:
From: Nirmal nirmal_...@yahoo.com
Subject: Exec-Program problem
To: freeradius users freeradius-users@lists.freeradius.org
Date: Wednesday, April 22, 2009, 5:11 PM
Hi,
I am running freeradius-server-2.1.1-7.
++--+---++-+
| id | username | attribute | op | value |
++--+---++-+
| 1 | spark | Exec-Program-Wait | := | /etc/raddb/getmac %u %i |
++--+---++-+
radisud -XX -d /etc/raddb/
Wed Apr 22 17:05:03 2009 : Auth: Login OK: [spark] (from client localhost port
2 cli 00:19:D1:4A:53:F8)
Wed Apr 22 17:05:03 2009 : Info: +- entering group post-auth {...}
Wed Apr 22 17:05:03 2009 : Info: [exec] expand: %u - spark
Wed Apr 22 17:05:03 2009 : Info: [exec] expand: %i - 00:19:D1:4A:53:F8
Wed Apr 22 17:05:03 2009 : Debug: Exec-Program output: Wed Apr 22 17:05:03 2009
: Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
Wed Apr 22 17:05:03 2009 : Debug: Exec-Program-Wait: plaintext: Wed Apr 22
17:05:03 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec
format error
Wed Apr 22 17:05:03 2009 : Debug: Exec-Program: returned: 1
Wed Apr 22 17:05:03 2009 : Info: [exec] Login incorrect (external check said so)
Wed Apr 22 17:05:03 2009 : Info: ++[exec] returns reject
Wed Apr 22 17:05:03 2009 : Info: Delaying reject of request 1 for 1 seconds
file /etc/raddb/getmac contains following with execute+radiusd permission
#/bin/bash
echo $1 --- $2 - done /etc/raddb/mac_entries
What could be wrong?
Nirmal Patel | Mumbai
-Inline Attachment Follows-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait problem
enid wrote: DEFAULT Simultaneous-Use := 1 Idle-Timeout = 600, Session-Timeout = 5400, Framed-IP-Address = 255.255.255.254, Framed-Compression = Van-Jacobson-TCP-IP, Exec-Program-Wait = /etc/freeradius/somescript, Fall-Through = Yes but I want that the output of it to append to the AV pair reply that goes back to the client. So I have the problem that when the script is executed, its output doesn't append to the AV pair reply. (For example: Reply-Message=Email Only Account) I can post here my configuration files, if you tell me which. Use the exec module instead. It gives you a much more fine-grained control over the behavior of the program. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait w/ FreeRADIUS 2.1.3
I'm having trouble getting FreeRADIUS to run programs called by Exec-Program-Wait in the newest version of FreeRADIUS (version 2.1.3). I'm using a custom C script that used to work with all versions of FreeRADIUS prior to version 2. Read comments in exec module configuration file (raddb/modules/exec). Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait w/ FreeRADIUS 2.1.3
Replying to myself... I missed uncommenting exec from the post-auth section of default site. Everything is working now. Sorry for the wasting your valuable mailbox space. Jeremiah - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait and FreeRadius 2.1.1
Michael Schramm wrote: we're about to migrate from Freeradius 0.9 to 2.1. During this we're noticed, that the Atribute Exec-Progam-Wait and Exec-Program are deprecated. We used this feature to start a script (which generates special Cisco AV-Pairs). They still work in 2.x. Now my Problem is that the attributes doesn't work. If you list exec in the post-auth section, then they work. This configuration is in the default configuration files in 2.x. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program in acct_users file
Anton Borisov wrote: I used Start and Stop in accounting for some DNS registrations of my clients, like this: ~# cat acct_users ... ... DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL ... and this works in 1.1.7 ! But for 2.1.1 - this does not work. You need to list the exec module in the post-auth section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program in acct_users file
Thank you for your reply.
Yes, yes.
I have uncommented exec in post-auth section in
/etc/raddb/sites-enabled/default config.
So, another way in 2.1.1 - I've configured this program only with
accounting module.
Some examples:
/etc/raddb/sites-enabled/default
accounting {
...
...
Acct-Type BILL {
if ( Acct-Status-Type =~ /Start|Stop/ ) {
dns
}
}
...
cat /etc/raddb/modules/exec
...
...
exec dns {
wait = yes
program = /path-to-my-programm.sh
input_pairs = request
output_pairs = reply
}
This is working, but more quickly and easily only add Exec-Programm to
acct_users (like in 1.7.7 version)
Would you be so kind and give some examples for acct_usrs in 2.1.1?
Alan DeKok wrote:
Anton Borisov wrote:
I used Start and Stop in accounting for some DNS registrations of my
clients, like this:
~# cat acct_users
...
...
DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type
:= BILL
...
and this works in 1.1.7 !
But for 2.1.1 - this does not work.
You need to list the exec module in the post-auth section.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Yours faithfully,
Anton Borisov.
smime.p7s
Description: S/MIME Cryptographic Signature
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program in acct_users file
I'm using FR 1.1.7 with acct_users but what if you have more complicated
scripts and you're using it on Interim-Updates. Every time when
Interim-Update triggers, this script has to connect to do something
(database connection, do this, do that )...
Is there any other way to something like this?
On Tue, Dec 23, 2008 at 11:48 AM, Anton Borisov anto...@mccinet.ru wrote:
Thank you for your reply.
Yes, yes.
I have uncommented exec in post-auth section in
/etc/raddb/sites-enabled/default config.
So, another way in 2.1.1 - I've configured this program only with
accounting module.
Some examples:
/etc/raddb/sites-enabled/default
accounting {
...
...
Acct-Type BILL {
if ( Acct-Status-Type =~ /Start|Stop/ ) {
dns
}
}
...
cat /etc/raddb/modules/exec
...
...
exec dns {
wait = yes
program = /path-to-my-programm.sh
input_pairs = request
output_pairs = reply
}
This is working, but more quickly and easily only add Exec-Programm to
acct_users (like in 1.7.7 version)
Would you be so kind and give some examples for acct_usrs in 2.1.1?
Alan DeKok wrote:
Anton Borisov wrote:
I used Start and Stop in accounting for some DNS registrations of my
clients, like this:
~# cat acct_users
...
...
DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type
:= BILL
...
and this works in 1.1.7 !
But for 2.1.1 - this does not work.
You need to list the exec module in the post-auth section.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Yours faithfully,
Anton Borisov.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec program, but post-auth
So radius *is* assigning IP's? Where? If it's ippool/sqlippool list your exec program after these in post-auth section. If IP's are assigned by DHCP you have to get it from accounting packets. But that will work for radius assigned IP's too. Ivan Kalik Kalik Informatika ISP Dana 4/11/2008, Alexandre J. Correa - Onda Internet [EMAIL PROTECTED] piše: auth are working fine... but i need execute one script after auth OK to get the IP that radius assigned to user, have any idea how i can do this ?! thanks !!! [EMAIL PROTECTED] wrote: Here i use Exec-Program-Wait to validade data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i´m trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ? If radius is not assigning IP's NAS will send them in accounting packets. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Sds. Alexandre Jeronimo Correa Onda Internet - http://www.ondainternet.com.br OPinguim Hosting - http://www.opinguim.net Linux User ID #142329 UNOTEL S/A - http://www.unotel.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec program, but post-auth
Here i use Exec-Program-Wait to validade data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i´m trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ? If radius is not assigning IP's NAS will send them in accounting packets. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec program, but post-auth
auth are working fine... but i need execute one script after auth OK to get the IP that radius assigned to user, have any idea how i can do this ?! thanks !!! [EMAIL PROTECTED] wrote: Here i use Exec-Program-Wait to validade data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i´m trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ? If radius is not assigning IP's NAS will send them in accounting packets. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Sds. Alexandre Jeronimo Correa Onda Internet - http://www.ondainternet.com.br OPinguim Hosting - http://www.opinguim.net Linux User ID #142329 UNOTEL S/A - http://www.unotel.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec program, but post-auth
Huh? Ivan gave you the answer already. Read it again and then look into what accounting packets are. Sent from my iPhone On 4 Nov 2008, at 02:06, Alexandre J. Correa - Onda Internet [EMAIL PROTECTED] wrote: auth are working fine... but i need execute one script after auth OK to get the IP that radius assigned to user, have any idea how i can do this ?! thanks !!! [EMAIL PROTECTED] wrote: Here i use Exec-Program-Wait to validade data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i´m trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ? If radius is not assigning IP's NAS will send them in accounting packets. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Sds. Alexandre Jeronimo Correa Onda Internet - http://www.ondainternet.com.br OPinguim Hosting - http://www.opinguim.net Linux User ID #142329 UNOTEL S/A - http://www.unotel.com.br - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait problem with freeradius 2.0.3
Emmanuel Willems wrote: Thank you for your feedback and sorry for the confusion. The program is being executed and returning the correct result, but I still can't authenticate. So... read the debug log, and fix all of the WARNINGs, errors, etc. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait problem with freeradius 2.0.3
Emmanuel Willems wrote: Here is a relevant part of the debug log: ... Tue Apr 15 14:36:27 2008 : Auth: Login OK: [000d2885af3e/000d2885af3e] (from client wlan-sen port 737 cli 000d.2885.af3e) Tue Apr 15 14:36:27 2008 : Debug: +- entering group post-auth Tue Apr 15 14:36:27 2008 : Debug: modsingle[post-auth]: calling exec (rlm_exec) for request 0 Tue Apr 15 14:36:28 2008 : Debug: Exec-Program output: Tue Apr 15 14:36:28 2008 : Debug: Exec-Program: returned: 0 What's the problem? It's calling your program. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait problem with freeradius 2.0.3
Thank you for your feedback and sorry for the confusion. The program is being executed and returning the correct result, but I still can't authenticate. I'm using EAP-TTLS-PAP to connect to a Cisco Aironet AP1200. Using the same sql db in freeradius 1.1.3 it works, but not with freeradius 2.0.3. Any suggestions, Emmanuel Alan DeKok wrote: Emmanuel Willems wrote: Here is a relevant part of the debug log: ... Tue Apr 15 14:36:27 2008 : Auth: Login OK: [000d2885af3e/000d2885af3e] (from client wlan-sen port 737 cli 000d.2885.af3e) Tue Apr 15 14:36:27 2008 : Debug: +- entering group post-auth Tue Apr 15 14:36:27 2008 : Debug: modsingle[post-auth]: calling exec (rlm_exec) for request 0 Tue Apr 15 14:36:28 2008 : Debug: Exec-Program output: Tue Apr 15 14:36:28 2008 : Debug: Exec-Program: returned: 0 What's the problem? It's calling your program. Alan DeKok. -- Ingnieur-systme Systeem ingenieur System engineer Snat de Belgique Place de la Nation 1 1009 Bruxelles Belgische Senaat Natieplein 1 1009 Brussel Belgian Senate Place de la Nation 1 1009 Brussels Belgium e-mail: [EMAIL PROTECTED] URL: http://www.senate.be tel: +32 (2) 501.72.39 fax: +32 (2) 514.06.85 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait problem with freeradius 2.0.3
I added exec in post-auth in sites-enabled/default and sites-enabled/inner-tunnel and it's still no go. Did i miss something? Thankx, Emmanuel Alan DeKok wrote: Emmanuel Willems wrote: All works well in version 1.1.3 but the script does not get called in version 2.0.3 List 'exec' in the post-auth section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait problem with freeradius 2.0.3
Emmanuel Willems wrote: I added exec in post-auth in sites-enabled/default and sites-enabled/inner-tunnel and it's still no go. Did i miss something? Debug log? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait problem with freeradius 2.0.3
Emmanuel Willems wrote: All works well in version 1.1.3 but the script does not get called in version 2.0.3 List 'exec' in the post-auth section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait
Felipe Ceglia - PY1NB wrote:
I am trying to setup a prepaid style system on my freeradius. All I
want is to check user name against a perl script that will let user get
in or not.
You should use rlm_perl rather than Exec-Program-Wait
I put this on users file, but the script is not being run:
DEFAULT Called-Station-Id == hotspot_shop_tere #THIS IS LINE 155
Exec-Program-Wait = /etc/raddb/scripts/hotspot_shop_tere.pl %U,
You will need to add Auth-Type := Accept to the first line (with DEFAULT).
DEFAULT Called-Station-Id == hotspot_shop_tere, Acct-Status-Type == Stop
Exec-Program-Wait = /etc/raddb/scripts/hotspot_shop_tere.pl %U
%{AcctSessionTime},
This entry should go into the acct_users file, not the users file.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program based on LDAP Attribute
John Wever wrote:
DEFAULT Acct-Status-Type == Start, CustomAttrib == true
That *matches* the Custom Attribute. Is that what you want?
Exec-Program = /path/to/script.sh %u %{Framed-IP-Address}
%{CustomAttrib}
I've tried setting the ItemType of the CustomAttrib to checkItem and
replyItem, but neither method worked. My script needs access to the
username and the Framed-IP-Address.
Any suggestions?
Read doc/variables.txt to see how to refer to attributes in the reply
or check item list.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program based on LDAP Attribute
Yes, thats exactly what I want, but the script is never fired. It is my
understanding that the acct_users file only sees accounting packet data,
if the CustomAttrib is a checkItem would it even be available to query
at this point?
Just as info, I take off the , CustomAttrib == true and the script
fires as expected for all authenticated users.
Alan DeKok wrote:
John Wever wrote:
DEFAULT Acct-Status-Type == Start, CustomAttrib == true
That *matches* the Custom Attribute. Is that what you want?
Exec-Program = /path/to/script.sh %u %{Framed-IP-Address}
%{CustomAttrib}
I've tried setting the ItemType of the CustomAttrib to checkItem and
replyItem, but neither method worked. My script needs access to the
username and the Framed-IP-Address.
Any suggestions?
Read doc/variables.txt to see how to refer to attributes in the reply
or check item list.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program based on LDAP Attribute
John Wever wrote: Yes, thats exactly what I want, but the script is never fired. It is my understanding that the acct_users file only sees accounting packet data, Yes. if the CustomAttrib is a checkItem would it even be available to query at this point? The acct_users file can't do comparisons on check items. So what you're trying to do is impossible in 1.x. See CVS head and unlang for how to do this easily. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait
Michael Alexeev wrote: I found it on the following site: http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html Which is the manual for the GNU radius server. There was never a 0.95 release of FreeRADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait
What led you to believe %C{User-Name} would be the user name? The
documentation says it's %{User-Name}. Where did the extra 'C' come from?
I found it on the following site:
http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html
quote
Example
Suppose the `users' file contains the following entry:
DEFAULT Auth-Type = System,
Simultaneous-Use = 1
Exec-Program-Wait = /usr/local/sbin/telauth \
%C{User-Name} \
%C{Calling-Station-Id}
Then, upon successful matching, the program `/usr/local/sbin/telauth'
will be executed. It will get as its arguments the values of User-Name
and Calling-Station-Id attributes from the request pairs.
end of quote
Anyway, after removing the extra 'C' evrything works like fine. Thanks
for the help.
Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait
On Mon 25 Jun 2007, Michael Alexeev wrote:
What led you to believe %C{User-Name} would be the user name? The
documentation says it's %{User-Name}. Where did the extra 'C' come
from?
I found it on the following site:
http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html
Which, if you read the title is the GNU Radius Manual, not the FreeRADIUS
Manual. You will probably have better luck if you read docs for the
software you are using ;-)
Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait
Michael Alexeev wrote:
Hi all,
I am having trouble with macro substitution in Exec-Program-Wait
attribute. For some reason %C{User-Name} is expanded to
localhost{User-Name} string instead of real user name.
Because %C is documented as being the client name.
What led you to believe %C{User-Name} would be the user name? The
documentation says it's %{User-Name}. Where did the extra 'C' come from?
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait
Felipe Ceglia - PY1NB wrote: When I run it thru users file, it is called, and works. You put it in the reply list in the users file, and the check table in the SQL database. Put it in the reply tble in the SQL database. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait to send back AV pairs to freeradius
Shankar Ganesh C [EMAIL PROTECTED] wrote: Below is the code i am trying in the exec-program-wait putenv(Calling-Station-ID=10) That is not the documented way to send attributes back to the server. See scripts/exec-program-wait I am trying to set the accounting response packets with this value pairs in the rad_accounting using pairmove but still my accounting response packets does not contain this attributes value pairs. Accounting responses are not allowed to contain any attributes. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: exec-program dependent on ldap attribute values
Tariq Rashid [EMAIL PROTECTED] wrote:
I would like however for the script to be called only when an LDAP attribute
has a certain values. Is this possible? The user's LDAP profile has already
been searched for the user's password in the initial auth request, and
possibly in the acct request.
something like the following does not work:
DEFAULT Acct-Status-Type == Start, Account-Status == inactive
Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name}
where Account-Status is mapped to the LDAP attribute in the ldap-attrmap
file.
Probably because Account-Status is a check item, and not in the
request. It will have to go into the request for it to be compared in
the acct_users file.
Alan DeKok.
---
so must it be added to the request artificially before the comparision happens?
i'm not sure what the recommended what to achieve this is...
tariq
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program dependent on ldap attribute values
Tariq Rashid [EMAIL PROTECTED] wrote:
I would like however for the script to be called only when an LDAP attribute
has a certain values. Is this possible? The user's LDAP profile has already
been searched for the user's password in the initial auth request, and
possibly in the acct request.
something like the following does not work:
DEFAULT Acct-Status-Type == Start, Account-Status == inactive
Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name}
where Account-Status is mapped to the LDAP attribute in the ldap-attrmap
file.
Probably because Account-Status is a check item, and not in the
request. It will have to go into the request for it to be compared in
the acct_users file.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program and length of arguments
Anton Maksimenkov wrote:
If I add to users file this:
When I used exec-program all the attributes I wanted were in the
environment.
And how can I exploit it? I get only this:
--
$ cat /home/engineer/acrad.sh
#!/bin/sh
printenv /tmp/exec-program-wait
--
bob Auth-Type := Local, User-Password == bob
Reply-Message = Hello, %u,
Exec-Program = /home/engineer/acrad.sh
--
after radtest in /tmp/exec-program-wait I found only
$ cat /tmp/exec-program-wait
CLIENT_IP_ADDRESS=127.0.0.1
NAS_IP_ADDRESS=255.255.255.255
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
NAS_PORT=0
USER_PASSWORD=bob
USER_NAME=bob
See? Its working perfectly. Your radtest caused the above.
But this is far less than what I wait for... I need to do the same
that SQL accounting do.
Your radtest DOES NOT cause accounting requests to occur as well.
If I look at raddb/pgsql-voip.conf, I can see
snip
I read this. But I just newbie, sorry. I tried this
exec echo {
wait = yes
program = /home/engineer/acrad.sh %{User-Name}
input_pairs = request
output_pairs = reply
}
instantiate {
exec
...
but it seems that program not started at all.
packet_type = Accounting-Request
And make sure you instantiate the echo instance of the exec module
under the radiusd accounting section
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program and length of arguments
If I add to users file this:
When I used exec-program all the attributes I wanted were in the
environment.
And how can I exploit it? I get only this:
--
$ cat /home/engineer/acrad.sh
#!/bin/sh
printenv /tmp/exec-program-wait
--
bob Auth-Type := Local, User-Password == bob
Reply-Message = Hello, %u,
Exec-Program = /home/engineer/acrad.sh
--
after radtest in /tmp/exec-program-wait I found only
$ cat /tmp/exec-program-wait
CLIENT_IP_ADDRESS=127.0.0.1
NAS_IP_ADDRESS=255.255.255.255
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
NAS_PORT=0
USER_PASSWORD=bob
USER_NAME=bob
But this is far less than what I wait for... I need to do the same
that SQL accounting do. If I look at raddb/pgsql-voip.conf, I can see
the pretty accounting_stop_query, which put many interestiong info to
database. I think it can put all the
%{User-Name} : %{Service-Type} : %{Acct-Status-Type} :
%{Acct-Session-Id} : %{Framed-Protocol} : %{NAS-Identifier} :
%{NAS-Port-Id} : %{NAS-IP-Address} : %{Calling-Station-Id} :
%{Called-Station-Id} : %{Framed-IP-Address} : %{Acct-Input-Octets} :
%{Acct-Output-Octets} : %{Acct-Input-Packets} : %{Acct-Output-Packets}
: %{Acct-Session-Time} : %{Acct-Terminate-Cause}
Am I right?
So, how can I do the same, but with perl/shell script (e.g. pass all
this variables as arguments or environment) ?
From radiusd.conf
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the
configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
I read this. But I just newbie, sorry. I tried this
exec echo {
wait = yes
program = /home/engineer/acrad.sh %{User-Name}
input_pairs = request
output_pairs = reply
}
instantiate {
exec
...
but it seems that program not started at all.
--
engineer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec program debugging.
Eliot, Wireless and Server Administrator,
Great Lakes Internet [EMAIL PROTECTED] wrote:
I am trying to execute a program in the post-proxy section on
Access-Accept packets to bring up bandwidth management for a user when
they log in:
(radiusd.conf)
exec bwup {
...
post-proxy {
...
exec
List bwup, not exec.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program
Priscilla B [EMAIL PROTECTED] wrote: Do we have to make our own file for this Exec-Program Yes. It's a program, like a shell script. Or if not, can someone give me an example of this file? scripts/exec-program-wait Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait multiple reply items
I had a similar problem with an exec script (Freeradius 1.0.5) I found that when the script outputs several comma separated pairs it works fine. I don't know any workaround, other than modifying the script to separate pairs with comma instead of \n. On Sat, 7 Jan 2006 20:21:43 UT, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hello, I have recently migrated to freeradius (latest stable on debian sarge - 1.0.2-4) and faced with the following problem: I use Exec-Program-Wait attribute as a reply item in users file. It returns 3 attributes: NAS-Identifier, Framed-IP-Address and Framed-Route. These attributes are printed on stdout with trailing \n. However they are not returned to the NAS as are not comma separated. Is there any known workaround for this problem? Thanks in advance. Best Regards, George - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait multiple reply items
Hello, I have recently migrated to freeradius (latest stable on debian sarge - 1.0.2-4) and faced with the following problem: I use Exec-Program-Wait attribute as a reply item in users file. It returns 3 attributes: NAS-Identifier, Framed-IP-Address and Framed-Route. These attributes are printed on stdout with trailing \n. However they are not returned to the NAS as are not comma separated. Is there any known workaround for this problem? Thanks in advance. There was a thread about this in the end of December. I believe you have to return the attributes comma seperated, like in the users file. Instead of something like printf Some-Attribute = Somevalue\nAnother-Attribute = Anothervalue\n It should be printf Some-Attribute = Somevalue, Another-Attribute = Anothervalue\n If that doesn't work, please show your debug (radius -X). - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait multiple reply items
Dusty Doris wrote: Hello, I have recently migrated to freeradius (latest stable on debian sarge - 1.0.2-4) and faced with the following problem: I use Exec-Program-Wait attribute as a reply item in users file. It returns 3 attributes: NAS-Identifier, Framed-IP-Address and Framed-Route. These attributes are printed on stdout with trailing \n. However they are not returned to the NAS as are not comma separated. Is there any known workaround for this problem? Thanks in advance. There was a thread about this in the end of December. I believe you have to return the attributes comma seperated, like in the users file. Instead of something like printf Some-Attribute = Somevalue\nAnother-Attribute = Anothervalue\n It should be printf Some-Attribute = Somevalue, Another-Attribute = Anothervalue\n If that doesn't work, please show your debug (radius -X). - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks to all who replied to my question. I knew I forgot something, now I know - search the archives :-) Always suggested others to do so and it happened with me. The solution seems to be replacing \n -s by commas as adviced here and in the archives, but there is a piese of code in exec.c which replaces \n-s with commas. I thought it handles situations where multiple items are returned delimited by \n-s, but I was wrong. Perhaps I have to learn the code further. Best Regards, George - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait vs rlm_exec vs rlm_your own
Doug Hardie [EMAIL PROTECTED] wrote: Recently I took a more detailed look at rlm_example and decided to give that approach a try. Its actually quite easy to convert an Exec- Program-Wait into a rlm_. Some of the steps are not obvious and the really difficult part is figuring out what you need to do to get configure to work properly. Don't use configure. Some FreeRADIUS modules don't use it. It's not necessary for your own modules on your own system. Just create a Makefile, and it will work. Hence, I would suggest that rather than push the rlm_exec as the replacement for Exec-Program-Wait, that creating your own rlm_ would be a better approach. Sure, but not everyone is comfortable with C code. There are no real instructions for creating your own rlm that I could find. However, the experience is still fresh and if you are interested I could put together a first draft of instructions on creating a rlm. Sure. We'll make it the man page for rlm_example. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait: plaintext:
Americatel Centroamerica [EMAIL PROTECTED] wrote: Hi, i have two servers with diferent versions of freeradius, one with 0.9 and another with 1.0.1. I have an Exec-Program-Wait perl script configured to add some attributes to the reply, all is working flawlessly on the 0.9, but the same script doesnt work on the 1.0 server, the output items of the script dont appear on the reply items, this is the debug output on the server with 1.0 Put commas after the attribute values, like in the users file. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait: plaintext:
--- Alan DeKok [EMAIL PROTECTED] wrote: Put commas after the attribute values, like in the users file. Alan DeKok. That did the trick, thanks Alan Yahoo! Sports Rekindle the Rivalries. Sign up for Fantasy Football http://football.fantasysports.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait
Alex Moreno [EMAIL PROTECTED] wrote: Is Exec-Program-Wait a variable in a configuration file? Which one if it is? doc/README Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait vs rlm_exec
On Thu, May 05, 2005 at 08:22:44AM -0600, [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: On Tue, May 03, 2005 at 10:23:05AM -0600, [EMAIL PROTECTED] wrote: Hi, what do you consider the best solution wheen you need to run an external program to make aditional checks when an access request in received, exec-program-wait or rlm_exec, im using exec-program-wait, sould i use rlm_exec instead, the script check some item like credit amount and returns 0 or 1 if success or fail , thanks I like rlm_exec because it gives you more control over _where_ the execution happens, and also you can have more than one, and control the output attribute's destination and (with the eventual 1.1.0 release) you can control the quoting of the environment variables and actually get to return an RLM_-type result so it can participate in failover. And exec-program-wait is deprecated. ^_^ deprecated ?, Ok, i must have to pay more atention to the mailling list, In my config, i run diferent scripts depending on the group of the username (table usergroup), can be this be done using rlm_exec?, you can point me on some docuemtation on the options of rlm_exec, i cant found anything on the web. The exec echo example is very basic, I do this with Post-Auth-Type. -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Exec-Program-Wait vs rlm_exec
[EMAIL PROTECTED] wrote: On Thu, May 05, 2005 at 08:22:44AM -0600, [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: On Tue, May 03, 2005 at 10:23:05AM -0600, [EMAIL PROTECTED] wrote: Hi, what do you consider the best solution wheen you need to run an external program to make aditional checks when an access request in received, exec-program-wait or rlm_exec, im using exec-program-wait, sould i use rlm_exec instead, the script check some item like credit amount and returns 0 or 1 if success or fail , thanks I do this with Post-Auth-Type. How do you filter by groupname? I check the groupname vs the radgroupreply, everygroup has diferent Exec-Program-Wait. --- Miguel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Exec-Program-Wait vs rlm_exec
[EMAIL PROTECTED] wrote: On Tue, May 03, 2005 at 10:23:05AM -0600, [EMAIL PROTECTED] wrote: Hi, what do you consider the best solution wheen you need to run an external program to make aditional checks when an access request in received, exec-program-wait or rlm_exec, im using exec-program-wait, sould i use rlm_exec instead, the script check some item like credit amount and returns 0 or 1 if success or fail , thanks I like rlm_exec because it gives you more control over _where_ the execution happens, and also you can have more than one, and control the output attribute's destination and (with the eventual 1.1.0 release) you can control the quoting of the environment variables and actually get to return an RLM_-type result so it can participate in failover. And exec-program-wait is deprecated. ^_^ deprecated ?, Ok, i must have to pay more atention to the mailling list, In my config, i run diferent scripts depending on the group of the username (table usergroup), can be this be done using rlm_exec?, you can point me on some docuemtation on the options of rlm_exec, i cant found anything on the web. The exec echo example is very basic, thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait vs rlm_exec
[EMAIL PROTECTED] wrote: you can point me on some docuemtation on the options of rlm_exec, i cant found anything on the web. The exec echo example is very basic, The rest of radiusd.conf contains more documentation about rlm_exec. Alan Dekok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait vs rlm_exec
On Tue, May 03, 2005 at 10:23:05AM -0600, [EMAIL PROTECTED] wrote: Hi, what do you consider the best solution wheen you need to run an external program to make aditional checks when an access request in received, exec-program-wait or rlm_exec, im using exec-program-wait, sould i use rlm_exec instead, the script check some item like credit amount and returns 0 or 1 if success or fail , thanks I like rlm_exec because it gives you more control over _where_ the execution happens, and also you can have more than one, and control the output attribute's destination and (with the eventual 1.1.0 release) you can control the quoting of the environment variables and actually get to return an RLM_-type result so it can participate in failover. And exec-program-wait is deprecated. ^_^ -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait
Emman S. Loloy [EMAIL PROTECTED] wrote: Is it possible for the output of Exec-Program-Wait become check item? No. See rlm_exec for that functionality. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program in acct_users doesn't work
Hi, I have a problem with Accounting-script-execution in raddb/acct_users : -- DEFAULT Acct-Status-Type == Stop Exec-Program = echo PRUEBA /home/pru.txt -- I don't know if you can do it like that. You could try writing a script such as this. #!/bin/sh /bin/echo PRUEBA /home/pru.txt Or if you are intending to do something else with that, this will show you all the variables passed to it #!/bin/sh /usr/bin/printenv /home/variables.txt Then call that script instead. Exec-Program /path/to/yourscript.sh - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Re: Exec-Program-Wait Problem
Quoting Dustin Doris [EMAIL PROTECTED]: On Sun, 16 Jan 2005, Emman S. Loloy wrote: Hi, i have a problem using Exec-Program-Wait Attribute.. any comments or suggestion how to fix this problem. here's my configuration. /tmp/checkras #!/bin/sh if [ $1 == 192.168.0.1 ] ; then exit -1 ; #fail elif [ $1 == 192.168.0.2 ]; then exit -1 ; #fail fi exit 0 ; #pass Processing the session section of radiusd.conf modcall: entering group session for request 1008 radius_xlat: 'dialup' rlm_sql (sql): sql_set_user escaped user -- 'dialup' radius_xlat: 'SELECT COUNT(*) FROM radacct WHERE UserName='dialup' AND AcctStopTime = 0' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 modcall[session]: module sql returns ok for request 1008 modcall: group session returns ok for request 1008 radius_xlat: '192.168.0.1' Exec-Program output: Exec-Program: FAILED to execute /tmp/checkras: Bad address Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /tmp/checkras: Bad address Exec-Program: Abnormal child exit: No child processes Login incorrect (external check failed): [dilaup/foobar] (from client foobar port 125) Delaying request 1008 for 1 seconds Finished request 1008 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1006 ID 62 with timestamp 41e9f160 Sending Access-Reject of id 84 to 192.168.0.5:38613 Reply-Message := Exec-Program: FAILED to execute /tmp/checkras: Bad address\n Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1007 ID 182 with timestamp 41e9f161 Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 1008 ID 84 with timestamp 41e9f164 Nothing to do. Sleeping until we see a request. Thanks, Emman Can you run that program from the command line? yes i can run the program from the command. Also, how are you calling it, can you paste your users file entry? am just adding an attribute Exec-Program-Wait := /tmp/checkras %n to run this program. I don't use the users file entry, instead am using mySQL for may attribute entry, acctually this is working from the previous version of freeradius-1.0.1. right now am using the cvs version. don't know what is wrong my setup.. Thanks, Emman I'm not really sure what that error means, sorry I can't help more on this. Exec-Program-Wait has worked fine for me from the users file whenever I've tested it out. You do say that it works in the 1.0.1, but not in CVS. Perhaps its a bug in CVS. Sorry not much help here. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Re: Exec-Program-Wait Problem
Quoting Dustin Doris [EMAIL PROTECTED]: On Sun, 16 Jan 2005, Emman S. Loloy wrote: Hi, i have a problem using Exec-Program-Wait Attribute.. any comments or suggestion how to fix this problem. here's my configuration. /tmp/checkras #!/bin/sh if [ $1 == 192.168.0.1 ] ; then exit -1 ; #fail elif [ $1 == 192.168.0.2 ]; then exit -1 ; #fail fi exit 0 ; #pass Processing the session section of radiusd.conf modcall: entering group session for request 1008 radius_xlat: 'dialup' rlm_sql (sql): sql_set_user escaped user -- 'dialup' radius_xlat: 'SELECT COUNT(*) FROM radacct WHERE UserName='dialup' AND AcctStopTime = 0' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 modcall[session]: module sql returns ok for request 1008 modcall: group session returns ok for request 1008 radius_xlat: '192.168.0.1' Exec-Program output: Exec-Program: FAILED to execute /tmp/checkras: Bad address Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /tmp/checkras: Bad address Exec-Program: Abnormal child exit: No child processes Login incorrect (external check failed): [dilaup/foobar] (from client foobar port 125) Delaying request 1008 for 1 seconds Finished request 1008 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1006 ID 62 with timestamp 41e9f160 Sending Access-Reject of id 84 to 192.168.0.5:38613 Reply-Message := Exec-Program: FAILED to execute /tmp/checkras: Bad address\n Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1007 ID 182 with timestamp 41e9f161 Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 1008 ID 84 with timestamp 41e9f164 Nothing to do. Sleeping until we see a request. Thanks, Emman Can you run that program from the command line? yes i can run the program from the command. Also, how are you calling it, can you paste your users file entry? am just adding an attribute Exec-Program-Wait := /tmp/checkras %n to run this program. I don't use the users file entry, instead am using mySQL for may attribute entry, acctually this is working from the previous version of freeradius-1.0.1. right now am using the cvs version. don't know what is wrong my setup.. Thanks, Emman - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ** This message was sent through GLOBALink Webmail Service. If you are a GLOBALink Internet subscriber or among its affiliates, go to http://webmail.globalink.net.ph to check emails. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait Problem
Hi I am using a MySQL DB to store the list of NAS's - if I add one to the nas table, is there a way to get Freeradius to read it without having to restart radiusd? Thanks in advance Neil - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Exec-Program-Wait Problem
I found that there no way without restarting. Not sure what is difference between reloading radius and restarting radius Amit Gupta Mobile: 91-9891062552 Yahoo IM: amitguptainn MSN IM : amitguptainn -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Neil Craig Sent: Monday, January 17, 2005 3:57 PM To: freeradius-users@lists.freeradius.org Subject: Re: Exec-Program-Wait Problem Hi I am using a MySQL DB to store the list of NAS's - if I add one to the nas table, is there a way to get Freeradius to read it without having to restart radiusd? Thanks in advance Neil - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait Problem
On Sun, 16 Jan 2005, Emman S. Loloy wrote: Hi, i have a problem using Exec-Program-Wait Attribute.. any comments or suggestion how to fix this problem. here's my configuration. /tmp/checkras #!/bin/sh if [ $1 == 192.168.0.1 ] ; then exit -1 ; #fail elif [ $1 == 192.168.0.2 ]; then exit -1 ; #fail fi exit 0 ; #pass Processing the session section of radiusd.conf modcall: entering group session for request 1008 radius_xlat: 'dialup' rlm_sql (sql): sql_set_user escaped user -- 'dialup' radius_xlat: 'SELECT COUNT(*) FROM radacct WHERE UserName='dialup' AND AcctStopTime = 0' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 modcall[session]: module sql returns ok for request 1008 modcall: group session returns ok for request 1008 radius_xlat: '192.168.0.1' Exec-Program output: Exec-Program: FAILED to execute /tmp/checkras: Bad address Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /tmp/checkras: Bad address Exec-Program: Abnormal child exit: No child processes Login incorrect (external check failed): [dilaup/foobar] (from client foobar port 125) Delaying request 1008 for 1 seconds Finished request 1008 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1006 ID 62 with timestamp 41e9f160 Sending Access-Reject of id 84 to 192.168.0.5:38613 Reply-Message := Exec-Program: FAILED to execute /tmp/checkras: Bad address\n Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1007 ID 182 with timestamp 41e9f161 Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 1008 ID 84 with timestamp 41e9f164 Nothing to do. Sleeping until we see a request. Thanks, Emman Can you run that program from the command line? Also, how are you calling it, can you paste your users file entry? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program
You should have something like this in radiusd.conf:
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
And you also should have something like this in radiusd.conf:
preacct {
preprocess
acct_unique
# Read the 'acct_users' file
files
}
Then the acct-users file will be processed and your scripts should be
executed.
I have this in the acct-users file and that works for me:
DEFAULT Acct-Status-Type == Start
Exec-Program = /opt/radhome/bin/acct.pl
DEFAULT Acct-Status-Type == Alive
Exec-Program = /opt/radhome/bin/acct.pl
DEFAULT Acct-Status-Type == Stop
Exec-Program = /opt/radhome/bin/acct.pl
Is there any way to put this information about the program to execute in
(start, alive, Stop) status in the MySQL DB?
_
¿Estás pensando en cambiar de coche? Todas los modelos de serie y extras en
MSN Motor. http://motor.msn.es/researchcentre/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Exec-Program
Try putting those exact 2 lines in acct_users file instead. That should make them work as intended. =) - Nathan Miller -Original Message- From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Mike Cisar Sent: Tuesday, December 28, 2004 12:49 PM To: freeradius-users@lists.freeradius.org Subject: Exec-Program Another simple one (hopefully)... this server is running on FreeRadius 0.9.0 (new server coming in 3 weeks will have newest version of FreeRadius, for now this version is what I have to work with). To summarize what I am trying to accomplish... - When an accounting start packet is received I need to pass that username and user's IP address to the startscript - When an accounting stop packet is received I need to pass that username and user's IP address to the stopscript With the goal of allowing the IP address (and user) access to certain resources only when they are logged in (so I will have to pass that info to the script eventually... baby steps... get freeradius to call the scripts first, then worry about perfecting them :-) ... for testing purposes, based on some vague examples I found whilst Googling, I have tried the following in the users file (below my outright deny access lines but above everything else of substance in the file). Users are able to log on and off as normal, but the scripts don't seem to trigger (running with -xx I get no errors, nor any reference to either script mentioned). DEFAULT Acct-Status-Type == Start Exec-Program = /usr/local/bin/stopscript DEFAULT Acct-Status-Type == Stop Exec-Program = /usr/local/bin/startscript The scripts are both owner/group to the radius user, have read/execute permissions, and otherwise work when executed manually when su'd to the radius user. Is there something that needs to be configured in radiusd.conf in addition for this to work, perhaps some compile-time option? I get the impression that the above method may have been superceded by doing such things via exec stanzas in radiusd.conf, but I wasn't able to Google up any examples of that particular scenario that were a close enough fit to what I am trying to do. Any examples, pointers to docs, hints or other means to that end, in whatever manner is currently accepted as being preferred are appreciated. Thanks, Mike - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program
Mike Cisar wrote:
DEFAULT Acct-Status-Type == Start
Exec-Program = /usr/local/bin/stopscript
DEFAULT Acct-Status-Type == Stop
Exec-Program = /usr/local/bin/startscript
I get the impression that the above method may have been superceded
by doing such things via exec stanzas in radiusd.conf, but I wasn't
able to Google up any examples of that particular scenario that were
a close enough fit to
what I am trying to do.
You should have something like this in radiusd.conf:
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
And you also should have something like this in radiusd.conf:
preacct {
preprocess
acct_unique
# Read the 'acct_users' file
files
}
Then the acct-users file will be processed and your scripts should be
executed.
I have this in the acct-users file and that works for me:
DEFAULT Acct-Status-Type == Start
Exec-Program = /opt/radhome/bin/acct.pl
DEFAULT Acct-Status-Type == Alive
Exec-Program = /opt/radhome/bin/acct.pl
DEFAULT Acct-Status-Type == Stop
Exec-Program = /opt/radhome/bin/acct.pl
--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Bestel nu uw exemplaar van Operationele verkoop (Walter Spruyt -
Liesbeth Huysmans) via www.salesguide.be Ontdek de Telenet Hotspot
service op www.telenet.be/hotspots
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Exec-Program
Try putting those exact 2 lines in acct_users file instead. That should make them work as intended. =) ooo you mean that little config file there hidden right at the start of the ls DOH!!! :-) Thanks to both you and Thor for that solution. The scripts seem to be triggering ok now, but am getting the following in radius.log... appears to be once for each time the script gets called... Tue Dec 28 16:14:12 2004 : Error: Thread 2 failed waiting for semaphore: Interrupted system call: Exiting However, I've found an old message in the archives from Thor which I believe addresses that particular issue. Cheers, Mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nate M Sent: Tuesday, December 28, 2004 2:20 PM To: freeradius-users@lists.freeradius.org Subject: RE: Exec-Program Importance: Low - Nathan Miller -Original Message- From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Mike Cisar Sent: Tuesday, December 28, 2004 12:49 PM To: freeradius-users@lists.freeradius.org Subject: Exec-Program Another simple one (hopefully)... this server is running on FreeRadius 0.9.0 (new server coming in 3 weeks will have newest version of FreeRadius, for now this version is what I have to work with). To summarize what I am trying to accomplish... - When an accounting start packet is received I need to pass that username and user's IP address to the startscript - When an accounting stop packet is received I need to pass that username and user's IP address to the stopscript With the goal of allowing the IP address (and user) access to certain resources only when they are logged in (so I will have to pass that info to the script eventually... baby steps... get freeradius to call the scripts first, then worry about perfecting them :-) ... for testing purposes, based on some vague examples I found whilst Googling, I have tried the following in the users file (below my outright deny access lines but above everything else of substance in the file). Users are able to log on and off as normal, but the scripts don't seem to trigger (running with -xx I get no errors, nor any reference to either script mentioned). DEFAULT Acct-Status-Type == Start Exec-Program = /usr/local/bin/stopscript DEFAULT Acct-Status-Type == Stop Exec-Program = /usr/local/bin/startscript The scripts are both owner/group to the radius user, have read/execute permissions, and otherwise work when executed manually when su'd to the radius user. Is there something that needs to be configured in radiusd.conf in addition for this to work, perhaps some compile-time option? I get the impression that the above method may have been superceded by doing such things via exec stanzas in radiusd.conf, but I wasn't able to Google up any examples of that particular scenario that were a close enough fit to what I am trying to do. Any examples, pointers to docs, hints or other means to that end, in whatever manner is currently accepted as being preferred are appreciated. Thanks, Mike - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program output: freeradius not reading response?
Nate M [EMAIL PROTECTED] wrote: Additionally.. I just compiled 2.4.27 kernel on this machine and the problem stops. 2.6.5, 2.6.8.1 and 2.6.9 all vomit. 2.6 bug perhaps? Looks like it. If the FreeRADIUS code works on other platforms, and other versions of Linux, then I'm inclined to say that the FreeRADIUS code is correct, and 2.6 isn't. As to how to fix it, I'm not sure I can suggest anything other than bugging the Linux people. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program output: freeradius not reading response?
On Tue, Oct 26, 2004 at 02:54:45PM -0700, Nate M wrote:
I've done some troubleshooting of my own, and unsure if this is helpful or
not, but the process appears to be hanging indefinitely until cleaned up
within this section of threads.c (beginning line 1141). The line in
particular it hangs on is the rcode = ... line. I am not enuff of a C
guru to know where to go from here though.
re_wait:
rcode = sem_wait(forkers[found].child_done);
if ((rcode != 0) (errno == EINTR)) {
goto re_wait;
}
}
Your time and help in troubleshooting this has been greatly appreciated!
=)
Additionally.. I just compiled 2.4.27 kernel on this machine and the problem
stops. 2.6.5, 2.6.8.1 and 2.6.9 all vomit. 2.6 bug perhaps?
Hmm. It might be an NPTL issue... Try setting the following environment
variable for FreeRADIUS and see if that fixes it:
LD_ASSUME_KERNEL=2.4.1
(This _should_ make it run with LinuxThreads, rather than NPTL.)
(See http://people.redhat.com/drepper/assumekernel.html for details of
what LD_ASSUME_KERNEL does.)
--
Paul TBBle Hampson, on an alternate email client.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait question and rlm_exec
On Tue, Oct 26, 2004 at 05:17:57PM +0300, Kostas Zorbadelos wrote: On Tue, Oct 26, 2004 at 10:20:48AM -0400, Alan DeKok wrote: Kostas Zorbadelos [EMAIL PROTECTED] wrote: First of all I have a question for Exec-Program-Wait. I need to run an external C program that expects in its environment a proper LD_LIBRARY_PATH to run. I followed the obvious solution of using a wrapper bash shell script, that sets the environment and calls the C program via exec. Can I avoid this? No. I'd suggest adding a patch to rlm_exec, so that it can take a configuration directive for LD_LIBRARY_PATH, and maybe others. The second thing I want to bring up again is the rlm_exec module. Back in September (thread rlm_exec vs Exec-Program-Wait attribute) summarized in http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00161.html, a set of changes to rlm_exec were proposed to also handle the case of having attributes in access-reject. Are these changes going to be accepted finally and if so in which version? Probably, but I haven't had time to look over them yet. If sufficient people use the patch and like it, it can be added. Actually the conversation in that thread ended by mentioning the ideas rlm_exec should follow. I didn't see any patch that implemented them. If there is such a patch please direct me to it and I will test it. My patch was here: http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00132.html and the conversation suggested the following changes: Return RLM_MODULE_OK when result ==0 and RLM_MODULE_FAIL when result RLM_MODULE_NUMCODES Change return 1 in src/main/exec.c line 390 to return 2 so a failed execute returns RLM_MODULE_FAIL rather than RLM_MODULE_REJECT. (As suggested above the patch.) The disadvantage of my patch is that the values returned are actually one higher than the values in the header (eg 1-based instead of 0-based) I did this so that programs returning 0 (The normal case) wouldn't suddenly start failing. And I'm not happy about it, but cannot see a better way. (If only FreeRADIUS defined RLM_MODULE_OK as 0... =^_^=) I'm sorry, but I've not had a chance to either commit it or even give it a thorough testing. It's a simple enough patch that I feel it is already correct, but I'll not commit it myself until someone uses it and gives a report that it works OK. (The use to which I intended to put it myself is now on hold, pending business decisions. And it'll need the new-type SQL group handling support too, and I can't recall if that's gone in yet either. _) -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait question and rlm_exec
Kostas Zorbadelos [EMAIL PROTECTED] wrote: First of all I have a question for Exec-Program-Wait. I need to run an external C program that expects in its environment a proper LD_LIBRARY_PATH to run. I followed the obvious solution of using a wrapper bash shell script, that sets the environment and calls the C program via exec. Can I avoid this? No. I'd suggest adding a patch to rlm_exec, so that it can take a configuration directive for LD_LIBRARY_PATH, and maybe others. The second thing I want to bring up again is the rlm_exec module. Back in September (thread rlm_exec vs Exec-Program-Wait attribute) summarized in http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00161.html, a set of changes to rlm_exec were proposed to also handle the case of having attributes in access-reject. Are these changes going to be accepted finally and if so in which version? Probably, but I haven't had time to look over them yet. If sufficient people use the patch and like it, it can be added. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait question and rlm_exec
On Tue, Oct 26, 2004 at 10:20:48AM -0400, Alan DeKok wrote: Kostas Zorbadelos [EMAIL PROTECTED] wrote: First of all I have a question for Exec-Program-Wait. I need to run an external C program that expects in its environment a proper LD_LIBRARY_PATH to run. I followed the obvious solution of using a wrapper bash shell script, that sets the environment and calls the C program via exec. Can I avoid this? No. I'd suggest adding a patch to rlm_exec, so that it can take a configuration directive for LD_LIBRARY_PATH, and maybe others. The second thing I want to bring up again is the rlm_exec module. Back in September (thread rlm_exec vs Exec-Program-Wait attribute) summarized in http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00161.html, a set of changes to rlm_exec were proposed to also handle the case of having attributes in access-reject. Are these changes going to be accepted finally and if so in which version? Probably, but I haven't had time to look over them yet. If sufficient people use the patch and like it, it can be added. Alan DeKok. Actually the conversation in that thread ended by mentioning the ideas rlm_exec should follow. I didn't see any patch that implemented them. If there is such a patch please direct me to it and I will test it. Kostas -- Kostas Zorbadelos Systems Developer, Otenet SA mailto: [EMAIL PROTECTED] Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait question and rlm_exec
Kostas Zorbadelos [EMAIL PROTECTED] wrote: Actually the conversation in that thread ended by mentioning the ideas rlm_exec should follow. I didn't see any patch that implemented them. If there is such a patch please direct me to it and I will test it. Nope, I haven't seen a patch, sorry. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program output: freeradius not reading response?
Nate M [EMAIL PROTECTED] wrote: Problem exists, when posting multiple requests to radiusd it occasionally will not receive or somehow omit the exit status of Exec-Program-Wait. I haven't been able to reproduce it here, so I'm not sure how to fix it. The only thing I can think of is that some platforms don't have pthread_sigmask. See src/main/threads.c for how it's used. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Exec-Program output: freeradius not reading response?
Nate M [EMAIL PROTECTED] wrote: Problem exists, when posting multiple requests to radiusd it occasionally will not receive or somehow omit the exit status of Exec-Program-Wait. I haven't been able to reproduce it here, so I'm not sure how to fix it. The only thing I can think of is that some platforms don't have pthread_sigmask. See src/main/threads.c for how it's used. Alan DeKok. Thanks for the reply Alan, I did confirm my test systems have pthread_sigmask: checking for pthread.h... yes checking for pthread_create in -lpthread... yes checking for pthread_sigmask... yes While troubleshooting I also confirmed the same issue with rlm_exec doing a similar task to what I'm accomplishing in exec-program-wait. I've reproduced this on various systems (although, all are newer RH or Fedora installs) and all perform the same. I however was not able to duplicate it on an older Redhat 7.2 machine. Is there additional data I can provide to further diag this issue? I'm not opposed to opening up access to this test box if that would be helpful. - Nate - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program output: freeradius not reading response?
Nate M [EMAIL PROTECTED] wrote: While troubleshooting I also confirmed the same issue with rlm_exec doing a similar task to what I'm accomplishing in exec-program-wait. rlm_exec calls the same functions to do the exec, so it should have all the same features as Exec-Program-Wait. I've reproduced this on various systems (although, all are newer RH or Fedora installs) and all perform the same. I however was not able to duplicate it on an older Redhat 7.2 machine. That sounds to me like it's a problem with newer glibc, or kernel. I don't see the problem on the Solaris or NetBSD machines I have access to. Is there additional data I can provide to further diag this issue? The problem is that the SIGCHLD's are going somewhere, but not where they're supposed to go. So the code in FreeRADIUS doesn't work, because the signals aren't behaving as expected. I'm not opposed to opening up access to this test box if that would be helpful. I don't have time for that, sorry. All I can suggest is a re-examination of the way the server deals with threads SIGCHLD's. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Exec-Program output: freeradius not reading response?
Nate M [EMAIL PROTECTED] wrote:
Problem exists, when posting multiple requests to radiusd it
occasionally
will not receive or somehow omit the exit status of Exec-Program-Wait.
I haven't been able to reproduce it here, so I'm not sure how to fix
it.
The only thing I can think of is that some platforms don't have
pthread_sigmask. See src/main/threads.c for how it's used.
Alan DeKok.
Thanks for the reply Alan, I did confirm my test systems have
pthread_sigmask:
checking for pthread.h... yes
checking for pthread_create in -lpthread... yes
checking for pthread_sigmask... yes
While troubleshooting I also confirmed the same issue with rlm_exec doing
a
similar task to what I'm accomplishing in exec-program-wait.
I've reproduced this on various systems (although, all are newer RH or
Fedora installs) and all perform the same. I however was not able to
duplicate it on an older Redhat 7.2 machine.
Is there additional data I can provide to further diag this issue? I'm
not
opposed to opening up access to this test box if that would be helpful.
I've done some troubleshooting of my own, and unsure if this is helpful or
not, but the process appears to be hanging indefinitely until cleaned up
within this section of threads.c (beginning line 1141). The line in
particular it hangs on is the rcode = ... line. I am not enuff of a C
guru to know where to go from here though.
re_wait:
rcode = sem_wait(forkers[found].child_done);
if ((rcode != 0) (errno == EINTR)) {
goto re_wait;
}
}
Your time and help in troubleshooting this has been greatly appreciated! =)
- Nate
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Exec-Program output: freeradius not reading response?
I've done some troubleshooting of my own, and unsure if this is helpful or
not, but the process appears to be hanging indefinitely until cleaned up
within this section of threads.c (beginning line 1141). The line in
particular it hangs on is the rcode = ... line. I am not enuff of a C
guru to know where to go from here though.
re_wait:
rcode = sem_wait(forkers[found].child_done);
if ((rcode != 0) (errno == EINTR)) {
goto re_wait;
}
}
Your time and help in troubleshooting this has been greatly appreciated!
=)
Additionally.. I just compiled 2.4.27 kernel on this machine and the problem
stops. 2.6.5, 2.6.8.1 and 2.6.9 all vomit. 2.6 bug perhaps?
-Nate
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Exec-Program-Wait Unresponsive Child Errors
(Bump) - Nathan Miller -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nate M Sent: Tuesday, October 12, 2004 12:34 PM To: [EMAIL PROTECTED] Subject: Exec-Program-Wait Unresponsive Child Errors Good morning. I've got some weirdness with freeradius 1.0.1 (same results in previous versions). Test systems are x86_64 and i386 Fedora Core 2 machines (2.6.8.1). Same tests on older redhat9 machine (2.6.4) do not have the same issue. My users entry looks like: DEFAULT Auth-Type := Accept Exec-Program-Wait = /etc/raddb/scripts/pre_auth.sh, Fall-Through = Yes There are no other authentication mechanisms enabled, all requests go to pre_auth.sh. The script is configured to only exit 0 (although I get identical results when rejecting requests with exit 1) and pass attributes. Same results w/o attributes. This issue only happens when running in standard mode, in debug -x or debug -xx mode. The problem can be duplicated over and over on various platforms. The problem does not happen in -X debug mode. Problem also does not happen in single thread mode. When sending test radius packets it will authenticate the first always, then depending on the frequency of the incoming packets it will hang usually once they are sent at a rate of apx 1+/second. Sending packets continuously at 1 each 2 seconds it will never have any problem. It appears to be in the following entry that it is hanging right before it gets to the Exec-Program: returned: 0 section. Almost as if it's not catching the return value of the external program. Later (10-15 seconds) it drops that client as unresponsive. Attaching 2 -xx debug reports, the first is the request which bombs, the 2nd is a good request. Any help in further debugging or solving this issue is greatly appreciated. ## REQUEST WHICH BOMBS ## Going to the next request Thread 7 waiting to be assigned a request rad_recv: Access-Request packet from host 63.228.227.6:2300, id=67, length=53 Waking up in 2 seconds... Thread 8 got semaphore Thread 8 handling request 6, (1 handled so far) User-Name = [EMAIL PROTECTED] User-Password = x rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module preprocess returns ok for request 6 modcall[authorize]: module attr_filter returns noop for request 6 rlm_realm: No '#' in User-Name = [EMAIL PROTECTED], looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module prefix returns noop for request 6 rlm_realm: Looking up realm visp.net for User-Name = [EMAIL PROTECTED] rlm_realm: No such realm visp.net modcall[authorize]: module suffix returns noop for request 6 users: Matched DEFAULT at 36 modcall[authorize]: module files returns ok for request 6 modcall: group authorize returns ok for request 6 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user radius_xlat: '/etc/raddb/scripts/pre_auth.sh' Exec-Program: /etc/raddb/scripts/pre_auth.sh Re-wait 2 Exec-Program output: Idle-Timeout = 1140, Session-Timeout = 28800, Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254, Framed-Protocol = PPP, Simultaneous-Use = 1, Exec-Program-Wait: value-pairs: Idle-Timeout = 1140, Session-Timeout = 28800, Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254, Framed-Protocol = PPP, Simultaneous-Use = 1, --- Walking the entire request list --- Cleaning up request 0 ID 61 with timestamp 416c1c9c Cleaning up request 1 ID 62 with timestamp 416c1c9c Cleaning up request 2 ID 63 with timestamp 416c1c9c Waking up in 1 seconds... Threads: total/active/spare threads = 15/1/14 --- Walking the entire request list --- Cleaning up request 3 ID 64 with timestamp 416c1c9d Cleaning up request 4 ID 65 with timestamp 416c1c9d Cleaning up request 5 ID 66 with timestamp 416c1c9d Waking up in 5 seconds... --- Walking the entire request list --- Waking up in 5 seconds... --- Walking the entire request list --- Waking up in 5 seconds... --- Walking the entire request list --- WARNING: Unresponsive child (id 1145158576) for request 6 Server rejecting request 6. Sending Access-Reject of id 67 to 63.228.227.6:2300 Waking up in 5 seconds... --- Walking the entire request list --- STRACE OUTPUT at time of error radius_xlat: '/etc/raddb/scripts/pre_auth.sh' Exec-Program: /etc/raddb/scripts/pre_auth.sh Exec-Program output: Idle-Timeout = 1140, Session-Timeout = 28800, Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254, Framed-Protocol = PPP, Simultaneous-Use = 1, Exec-Program-Wait: value-pairs: Idle-Timeout = 1140, Session-Timeout = 28800, Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254, Framed-Protocol = PPP, Simultaneous-Use = 1, ) = 0 (Timeout) time(NULL) = 1097605809 time(NULL)
Re: exec-program exec-program-wait
Exec-Program-Wait : wait to finish authorization and then executed Kyriaki Gali, IT Applications Specialist Kinetix Tele.com Support Center, Tel Fax: +30 2310 256140 GSM: +30 6947 723737 http://www.kinetix.gr e-mail: [EMAIL PROTECTED] - Original Message - From: Edgars [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 07, 2004 12:55 PM Subject: exec-program exec-program-wait Hello, can someone tell me what is the difference between these attributes? Does the first one call for a script before authentication, the second one after? Thanks! Edgars - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program exec-program-wait
Edgars wrote: can someone tell me what is the difference between these attributes? Exec-Program executes a program without waiting for any output from the program. Exec-Program executes a program and waits for any output from the program. You need this if you want the program to set attributes for example. Does the first one call for a script before authentication, the second one after? No. Both are triggered after authentication has succeeded. -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program and iproute2
On Tue, Oct 05, 2004 at 04:59:13PM -0700, Ivo Petrov wrote: Thanks for advice but in radiusd.conf I wrote: user root group root and radiusd runs as root or that is not enough. I tried running simple script and it works, but when I change the script with the one that makes shaping then nothing hapens. Forgive me but I didn't understand how to use wraper. Can you tell me how to do it. If you're using a script to run the shaping code, just make it output it's variables and things into a temporary file, so that when it runs you can check that it's not doing anything wrong or surprising. -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program help
On Tue, Oct 05, 2004 at 05:02:55PM -0700, Ivo Petrov wrote: Thanks much but I need the script executed after successful authentication not before that. Any way thanks my simple script was executed correctly. You might want to look at rlm_exec, which gives better control on when the script is executed. -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program and iproute2
Thanks for advice but in radiusd.conf I wrote: user root group root and radiusd runs as root or that is not enough. I tried running simple script and it works, but when I change the script with the one that makes shaping then nothing hapens. Forgive me but I didn't understand how to use wraper. Can you tell me how to do it. Thanks in advance. Ivo Petrov --- Paul Hampson [EMAIL PROTECTED] wrote: On Sun, Oct 03, 2004 at 02:22:17AM -0700, Ivo Petrov wrote: Hi all, I'm trying to shape ppp+ interfaces after successful authentication using Exec-Program. radiusd runs as root, in mysql radreply table the last row for the user contains: Exec-Program = '/etc/ppp/shd %f'. Freeradius version is 1.0.1,MySQL 4.0.21, Slackware 10, pptpd 1.2.1, iproute2(ip, tc). When user connects to the pptpd everythink is OK, link goes up, but the ppp interface is not shaped. If I run shaping script outside the radius it works. In radius.log the stage of executing the script is noted with correctly transfered value of attribute %f, script is owned by root(same as radiusd), there isnn't an error of any kind, but this automation doesn't work. radiusd may be owned by root, but FreeRADIUS may be set to drop permissions. I'd suggest a wrapper script that logs calls so you can see what's happening or not happening. Can anyone tell me where could the mistake or my misunderstanding in implementing Exec-Program attribute. -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __ Do you Yahoo!? Yahoo! Mail - You care about security. So do we. http://promotions.yahoo.com/new_mail - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program help
Thanks much but I need the script executed after successful authentication not before that. Any way thanks my simple script was executed correctly. Regards Ivo Petrov --- Edgars [EMAIL PROTECTED] wrote: Hello, see what's written in logs. Try Exec-Program-Wait instead. Edgars Ivo Petrov wrote: Hi all, I have a problem using Exec-Program. I've put the line in radreply table (4,'test1','Exec-Program',':=','/path/script') but the script was not executed. Can anybody tell me why? script : #!/bin/bash ps aux | grep radiusd result When I executed the script from the shell(Linux) it works but nothing hapens when it is called from radiusd. And the radiusd tells the following when run in debug mode: radius_xlat: '/path/script' Exec-Program: /path/script Thank in advance. Ivo Petrov ___ Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program and iproute2
On Sun, Oct 03, 2004 at 02:22:17AM -0700, Ivo Petrov wrote: Hi all, I'm trying to shape ppp+ interfaces after successful authentication using Exec-Program. radiusd runs as root, in mysql radreply table the last row for the user contains: Exec-Program = '/etc/ppp/shd %f'. Freeradius version is 1.0.1,MySQL 4.0.21, Slackware 10, pptpd 1.2.1, iproute2(ip, tc). When user connects to the pptpd everythink is OK, link goes up, but the ppp interface is not shaped. If I run shaping script outside the radius it works. In radius.log the stage of executing the script is noted with correctly transfered value of attribute %f, script is owned by root(same as radiusd), there isnn't an error of any kind, but this automation doesn't work. radiusd may be owned by root, but FreeRADIUS may be set to drop permissions. I'd suggest a wrapper script that logs calls so you can see what's happening or not happening. Can anyone tell me where could the mistake or my misunderstanding in implementing Exec-Program attribute. -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program help
Hello, see what's written in logs. Try Exec-Program-Wait instead. Edgars Ivo Petrov wrote: Hi all, I have a problem using Exec-Program. I've put the line in radreply table (4,'test1','Exec-Program',':=','/path/script') but the script was not executed. Can anybody tell me why? script : #!/bin/bash ps aux | grep radiusd result When I executed the script from the shell(Linux) it works but nothing hapens when it is called from radiusd. And the radiusd tells the following when run in debug mode: radius_xlat: '/path/script' Exec-Program: /path/script Thank in advance. Ivo Petrov ___ Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program help
On Mon, Oct 04, 2004 at 02:20:49AM -0700, Ivo Petrov wrote: I have a problem using Exec-Program. I've put the line in radreply table (4,'test1','Exec-Program',':=','/path/script') but the script was not executed. Can anybody tell me why? script : #!/bin/bash ps aux | grep radiusd result When I executed the script from the shell(Linux) it works but nothing hapens when it is called from radiusd. Are you sure it didn't run... Try redirecting to an absolute path rather than relative... Somewhere the user FreeRADIUS is running as has permission to use. -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait attribute to script
Cheers Jerlique! it works now:)
Edgars
Jerlique Ban wrote:
Hi,
can't figure out how the attributes are sent to my PHP
script,how do hey look in this file. Can someone help on this issue?
I'm sending 2 attributes Exec-Program-Wait='/usr/local/sbin
%C{User-Name} %C{Nas-IP-Address}'
So how they are called now under my PHP file?
You will want to look at $_SERVER[argv] array or another way is to look at
the getenv(USER_NAME) function call.
JB
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program as unknown attribute
Edgars [EMAIL PROTECTED] wrote: rlm_sql: unknown attribute Exec-Program-Wait rlm_sql (sql): Error getting data from database Odds are your SQL server is returning the attribute names with embedded spaces. Delete them, and it will work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program as unknown attribute
thnks Alan! i've already found that i had a space after the attribute which has been written in the DB. Edgars Alan DeKok wrote: Edgars [EMAIL PROTECTED] wrote: rlm_sql: unknown attribute Exec-Program-Wait rlm_sql (sql): Error getting data from database Odds are your SQL server is returning the attribute names with embedded spaces. Delete them, and it will work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program doesn't execute the program
On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote: Hello, in some way this attribute does not execute my PHP program. I have data base insert query in this file to test all this. If i execute the *.php program from command line, everything is OK - a new field is added in the DB. I've put this attribute with path in the radcheck table. Where could be the problem? Can't tell anything from the debugging mode.. Edgars - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Is your script executable from the user who owns radiusd? A chmod 755 would be appropriate then. -- Kostas Zorbadelos Systems Developer, Otenet SA mailto: [EMAIL PROTECTED] Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program doesn't execute the program
with permissions there are no problems, i tried also your chmod options. The same:/ Maybe something else? Edgars Kostas Zorbadelos wrote: On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote: Hello, in some way this attribute does not execute my PHP program. I have data base insert query in this file to test all this. If i execute the *.php program from command line, everything is OK - a new field is added in the DB. I've put this attribute with path in the radcheck table. Where could be the problem? Can't tell anything from the debugging mode.. Edgars - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Is your script executable from the user who owns radiusd? A chmod 755 would be appropriate then. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program doesn't execute the program
On Mon, Sep 06, 2004 at 03:12:47PM +0300, Edgars wrote: with permissions there are no problems, i tried also your chmod options. The same:/ Maybe something else? Edgars Perhaps you should create an executable wrapper shell script containing the call to your php script like StartPhp.sh #!/bin/sh php -f the/path/to/php/script Kostas Zorbadelos wrote: On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote: Hello, in some way this attribute does not execute my PHP program. I have data base insert query in this file to test all this. If i execute the *.php program from command line, everything is OK - a new field is added in the DB. I've put this attribute with path in the radcheck table. Where could be the problem? Can't tell anything from the debugging mode.. Edgars - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Is your script executable from the user who owns radiusd? A chmod 755 would be appropriate then. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Zorbadelos Systems Developer, Otenet SA mailto: [EMAIL PROTECTED] Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program doesn't execute the program
On Mon, Sep 06, 2004 at 04:00:43PM +0300, Edgars wrote: What is the debugging output of radiusd -X? nope, the same. Edgars Kostas Zorbadelos wrote: On Mon, Sep 06, 2004 at 03:12:47PM +0300, Edgars wrote: with permissions there are no problems, i tried also your chmod options. The same:/ Maybe something else? Edgars Perhaps you should create an executable wrapper shell script containing the call to your php script like StartPhp.sh #!/bin/sh php -f the/path/to/php/script Kostas Zorbadelos wrote: On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote: Hello, in some way this attribute does not execute my PHP program. I have data base insert query in this file to test all this. If i execute the *.php program from command line, everything is OK - a new field is added in the DB. I've put this attribute with path in the radcheck table. Where could be the problem? Can't tell anything from the debugging mode.. Edgars - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Is your script executable from the user who owns radiusd? A chmod 755 would be appropriate then. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Zorbadelos Systems Developer, Otenet SA mailto: [EMAIL PROTECTED] Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program doesn't execute the program
got it to work:)i was putting this attribute in the radcheck table not radreply. But now another problem is rising up - the only reason why i want to use this attribute is that i wanted to add a Session-Timeout attribute to radreply table and that this timeout should be given to the user in the current authentication try. But the php script is only adding the timeout but it will be given to user only at the next login. How to workaround this? Should i use rlm_sql instead of exec-program attribute? Edgars Edgars wrote: nope, the same. Edgars Kostas Zorbadelos wrote: On Mon, Sep 06, 2004 at 03:12:47PM +0300, Edgars wrote: with permissions there are no problems, i tried also your chmod options. The same:/ Maybe something else? Edgars Perhaps you should create an executable wrapper shell script containing the call to your php script like StartPhp.sh #!/bin/sh php -f the/path/to/php/script Kostas Zorbadelos wrote: On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote: Hello, in some way this attribute does not execute my PHP program. I have data base insert query in this file to test all this. If i execute the *.php program from command line, everything is OK - a new field is added in the DB. I've put this attribute with path in the radcheck table. Where could be the problem? Can't tell anything from the debugging mode.. Edgars - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Is your script executable from the user who owns radiusd? A chmod 755 would be appropriate then. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program doesn't execute the program
On Mon, Sep 06, 2004 at 04:25:48PM +0300, Edgars wrote: got it to work:)i was putting this attribute in the radcheck table not radreply. Ok, so you were using an sql db backend... But now another problem is rising up - the only reason why i want to use this attribute is that i wanted to add a Session-Timeout attribute to radreply table and that this timeout should be given to the user in the current authentication try. But the php script is only adding the timeout but it will be given to user only at the next login. How to workaround this? Should i use rlm_sql instead of exec-program attribute? Edgars So you don't need to store it in radreply table. Your external script will enrich the attributes returned to the client by adding the Session-Timeout. -- Kostas Zorbadelos Systems Developer, Otenet SA mailto: [EMAIL PROTECTED] Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait
Amedzekor Kafui [EMAIL PROTECTED] wrote: If the exec-program-wait is written in C/C++ do I necessarily need to system (echo Framed-IP-Address = 255.255.255.255) to get the replies back to the NAS. Can I use printf to achieve the same effect? Yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait
Hello, Thanks for your response. What about if i don't want the reply attributes to echoed to the screen but i want them sent to the NAS, can I just put for example Framed-IP-Address = 255.255.255.255 at the end of the code. Thanks again. Kafui Amedzekor. --- Alan DeKok [EMAIL PROTECTED] wrote: Amedzekor Kafui [EMAIL PROTECTED] wrote: If the exec-program-wait is written in C/C++ do I necessarily need to system (echo Framed-IP-Address = 255.255.255.255) to get the replies back to the NAS. Can I use printf to achieve the same effect? Yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __ Do you Yahoo!? Yahoo! Mail - 50x more storage than other providers! http://promotions.yahoo.com/new_mail - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait
Amedzekor Kafui wrote: What about if i don't want the reply attributes to echoed to the screen but i want them sent to the NAS, can I just put for example Your script just has to output attributes to STDOUT, so that FreeRadius can read them in and then send them to the NAS. If you want to allow the user, then your program should exit with code 0. To reject the user, your program should exit with code 0 and 0 in case of an error. Example 1: reject the user with Reply-Message Your account has expired: Script should output Reply-Message := \Your account has expired\,\n and exit with code 0 Example 2: to accept the user with Session-Timeout set to 600 and Idle-Timeout set to 60: Script should output Session-Timeout := 600,\nIdle-Timeout := 60,\n and exit with code 0 -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait attributes not included in Access-Accept
On Mon, Jul 26, 2004 at 03:58:37PM +0200, Thor Spruyt wrote: I have freeradius 0.9.3 running with Postgresql database backend. The only thing the radius checks is the password and then executes an external script if authentication is ok. The section in the users file is: DEFAULT Auth-Type = Local Exec-Program-Wait = /opt/radius1/bin/auth.pl Everything runs fine, except the attributes output by the script (attr = value seperated by newlines) are not added to the reply as you can see in this debugging output: auth: type Local auth: user supplied User-Password matches local User-Password radius_xlat: '/opt/radius1/bin/auth.pl' Exec-Program: /opt/radius1/bin/auth.pl Exec-Program output: Acct-Interim-Interval = 600 Idle-Timeout = 3600 Session-Timeout = 171454526 Exec-Program-Wait: plaintext: Acct-Interim-Interval = 600 Idle-Timeout = 3600 Session-Timeout = 171454526 Exec-Program: returned: 0 Login OK: [thor] (from client x port 0 cli 00:30:00:04:A5:22) Sending Access-Accept of id 112 to 192.168.250.105:32780 Finished request 0 Going to the next request Any idea what might be wrong? Hmm. I'd suggest outputting the attributes on seperate lines... I'd also suggest moving to rlm_exec, which is less bug-prone as far as we know. ^_^ -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait attributes not included in Access-Accept
Got it... The script has to output ,\n after each pair like so: Acct-Interim-Interval = 600, Idle-Timeout = 3600, Session-Timeout = 171454526 Regards, Thor. - Original Message - From: Paul Hampson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, July 26, 2004 4:16 PM Subject: Re: Exec-Program-Wait attributes not included in Access-Accept On Mon, Jul 26, 2004 at 03:58:37PM +0200, Thor Spruyt wrote: I have freeradius 0.9.3 running with Postgresql database backend. The only thing the radius checks is the password and then executes an external script if authentication is ok. The section in the users file is: DEFAULT Auth-Type = Local Exec-Program-Wait = /opt/radius1/bin/auth.pl Everything runs fine, except the attributes output by the script (attr = value seperated by newlines) are not added to the reply as you can see in this debugging output: auth: type Local auth: user supplied User-Password matches local User-Password radius_xlat: '/opt/radius1/bin/auth.pl' Exec-Program: /opt/radius1/bin/auth.pl Exec-Program output: Acct-Interim-Interval = 600 Idle-Timeout = 3600 Session-Timeout = 171454526 Exec-Program-Wait: plaintext: Acct-Interim-Interval = 600 Idle-Timeout = 3600 Session-Timeout = 171454526 Exec-Program: returned: 0 Login OK: [thor] (from client x port 0 cli 00:30:00:04:A5:22) Sending Access-Accept of id 112 to 192.168.250.105:32780 Finished request 0 Going to the next request Any idea what might be wrong? Hmm. I'd suggest outputting the attributes on seperate lines... I'd also suggest moving to rlm_exec, which is less bug-prone as far as we know. ^_^ -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait attributes not included in Access-Accept
On Jul 26, 2004, at 06:58, Thor Spruyt wrote: Hi, I have freeradius 0.9.3 running with Postgresql database backend. The only thing the radius checks is the password and then executes an external script if authentication is ok. The section in the users file is: DEFAULT Auth-Type = Local Exec-Program-Wait = /opt/radius1/bin/auth.pl Everything runs fine, except the attributes output by the script (attr = value seperated by newlines) are not added to the reply as you can see in this debugging output: auth: type Local auth: user supplied User-Password matches local User-Password radius_xlat: '/opt/radius1/bin/auth.pl' Exec-Program: /opt/radius1/bin/auth.pl Exec-Program output: Acct-Interim-Interval = 600 Idle-Timeout = 3600 Session-Timeout = 171454526 Exec-Program-Wait: plaintext: Acct-Interim-Interval = 600 Idle-Timeout = 3600 Session-Timeout = 171454526 Exec-Program: returned: 0 Login OK: [thor] (from client x port 0 cli 00:30:00:04:A5:22) Sending Access-Accept of id 112 to 192.168.250.105:32780 Finished request 0 Going to the next request Any idea what might be wrong? I have an Exec-Program-Wait and I don't use returns. Here is an example of the script output that works: Session-Timeout = 3600, Framed-IP-Address = 66.81.99.99 There are no returns anywhere in the string. I tried various combinations of things using debug mode to find one that works. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program environment
Andrea Gabellini [EMAIL PROTECTED] wrote: I need to use Exec-Program, but I need also the Sql-Group variable. Actually It's not passed to the environment. The request items are added to the environment in Exec-Program-Wait. That can't be changed. if SQL-Group isn't in the request items, it won't be added to the environment. I suggest using rlm_exec, where you can control exactly which list of attributes are passed to the program. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait - scripts are not executing
Are you sure you are looking in the right directory? Since you didn't specify the full path, it uses whatever it has as a working path at that point. It may not be one that is obvious. Try specifying the complete path. Also run it by hand to be sure the permissions are correct. On Apr 13, 2004, at 20:53, mel wrote: A simple test script: echo hello rad.txt acct_users: testuser Password == test123 Exec-Program = sh /home/radius/test.sh It does not produce the rad.txt. tesh.sh has the correct permission and it is executable. Leaving out the sh to just /home/radius/test.sh also gives no result. radiusd in debug mode: Wed Apr 14 11:42:47 2004 : Debug: radius_xlat: 'sh /home/radius/test.sh' Wed Apr 14 11:42:47 2004 : Debug: Exec-Program: sh /home/radius/test.sh Any ideas as to why the script does not produce the output (i.e the file rad.txt)? Regards, --mel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Doug - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: exec-program-wait - scripts are not executing
Doug Hardie wrote: Are you sure you are looking in the right directory? Since you didn't specify the full path, it uses whatever it has as a working path at that point. It may not be one that is obvious. Try specifying the complete path. Also run it by hand to be sure the permissions are correct. Exec-Program = /bin/sh /home/radius/test.sh fixes the problem. --mel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
