[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeradius-devel
Subject:    Re: Proxy question
From:       aland () striker ! ottawa ! on ! ca
Date:       2001-05-18 15:13:59
[Download RAW message or body]

Bjorn Aberg <bjorn.aberg@axis.com> wrote:
> I have a problem though when doing proxy to another server (freeradius
> using the same module for auth & acct
> on another machine). 
> The problem is that after the decision to proxy the request the local
> authenticate (in rlm_mymod) function is called and when receiving the
> access accept from the remote server,

  Hmm... the authenticate function *shouldn't* be called twice.  It
should only be called once.  And if the request is proxied, then the
code should NOT do local authentication.

  See src/main/auth.c, function rad_check_password().  If there's a
'request->proxy' entry, then the authentication has been done by the
proxy.  The function returns, and the later call to
module_authenticate() isn't even done.

> ***************************************
> >>> mymod authenticate GETS CALLED >>>
> ***************************************
> 
> modcall[autz]: Module at line 552 returns reject
> modcall[autz]: action for reject is return
> modcall[autz]: Group at line 548 returns reject

  That is the *authorization* function of your module being called.
It is NOT the authentication function.

  Maybe you have them confused.

  And the proxy reply:

> ***************************************
> >>> mymod authenticate GETS CALLED >>>
> ***************************************
> 
> modcall[autz]: Module at line 552 returns reject

  Again, this is your modules authorization being called.  It has
nothing to do with authentication.


  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

[prev in list] [next in list] [prev in thread] [next in thread]