*
*/
+#ifndef RADIUS_MODULES_H
+#define RADIUS_MODULES_H
#include "conffile.h"
/*
typedef int (*RLM_PRE_ACCOUNTING_FUNCP)(REQUEST *request);
typedef int (*RLM_ACCOUNTING_FUNCP)(REQUEST *request);
-/* Shouldn't need these anymore */
#define RLM_COMPONENT_AUTH 0
#define RLM_COMPONENT_AUTZ 1
#define RLM_COMPONENT_PREACCT 2
} module_t;
enum {
- RLM_MODULE_REJECT = -2, /* reject the request */
- RLM_MODULE_FAIL = -1, /* module failed, don't reply */
- RLM_MODULE_OK = 0, /* the module is OK, continue */
- RLM_MODULE_HANDLED = 1 /* the module handled the request, so stop. */
+ RLM_MODULE_REJECT, /* reject the request */
+ RLM_MODULE_FAIL, /* module failed, don't reply */
+ RLM_MODULE_OK, /* the module is OK, continue */
+ RLM_MODULE_HANDLED, /* the module handled the request, so stop. */
+ RLM_MODULE_INVALID, /* the module considers the request invalid. */
+ RLM_MODULE_USERLOCK, /* reject the request (user is locked out) */
+ RLM_MODULE_NOTFOUND, /* user not found */
+ RLM_MODULE_NOOP, /* module succeeded without doing anything */
+ RLM_MODULE_UPDATED, /* OK (pairs modified) */
+ RLM_MODULE_NUMCODES /* How many return codes there are */
};
int setup_modules(void);
int module_preacct(REQUEST *request);
int module_accounting(REQUEST *request);
+#endif /* RADIUS_MODULES_H */
*
*/
+#ifndef RADIUSD_H
+#define RADIUSD_H
#include "libradius.h"
#include "radpaths.h"
#include "conf.h"
extern int thread_pool_init(void);
extern int thread_pool_clean(void);
#endif
+#endif /*RADIUSD_H*/
/*
* rad_accounting: call modules.
+ *
+ * The return value of this function isn't actually used right now, so
+ * it's not entirely clear if it is returning the right things. --Pac.
*/
int rad_accounting(REQUEST *request)
{
if(!request->proxy) { /* Only need to do this once, before proxying */
reply = module_preacct(request);
- if (reply != RLM_MODULE_OK)
- return RLM_MODULE_FAIL;
+ if (reply != RLM_MODULE_NOOP &&
+ reply != RLM_MODULE_OK &&
+ reply != RLM_MODULE_UPDATED)
+ return reply;
/* Maybe one of the preacct modules has decided that a proxy should
* be used. If so, get out of here and send the packet. */
if(pairfind(request->config_items, PW_PROXY_TO_REALM))
- return 0;
+ return reply;
}
reply = RLM_MODULE_OK;
*/
reply = module_accounting(request);
}
- if (reply == RLM_MODULE_OK) {
+ if (reply == RLM_MODULE_NOOP ||
+ reply == RLM_MODULE_OK ||
+ reply == RLM_MODULE_UPDATED) {
/*
* Now send back an ACK to the NAS.
*/
request->reply->code = PW_ACCOUNTING_RESPONSE;
- reply = RLM_MODULE_OK;
}
return reply;
switch (result) {
/*
* An authentication module FAIL
- * return code is the same as
- * an explicit REJECT!
+ * return code, or any return code that
+ * is not expected from authentication,
+ * is the same as an explicit REJECT!
*/
case RLM_MODULE_FAIL:
case RLM_MODULE_REJECT:
+ case RLM_MODULE_USERLOCK:
+ case RLM_MODULE_INVALID:
+ case RLM_MODULE_NOTFOUND:
+ case RLM_MODULE_NOOP:
+ case RLM_MODULE_UPDATED:
result = -1;
break;
case RLM_MODULE_OK:
/*
* Process and reply to an authentication request
+ *
+ * The return value of this function isn't actually used right now, so
+ * it's not entirely clear if it is returning the right things. --Pac.
*/
int rad_authenticate(REQUEST *request)
{
* Get the user's authorization information from the database
*/
r = module_authorize(request);
- if (r != RLM_MODULE_OK) {
+ if (r != RLM_MODULE_NOTFOUND &&
+ r != RLM_MODULE_NOOP &&
+ r != RLM_MODULE_OK &&
+ r != RLM_MODULE_UPDATED) {
if (r != RLM_MODULE_FAIL && r != RLM_MODULE_HANDLED) {
radlog(L_AUTH, "Invalid user: [%s%s%s] (%s)",
auth_username(namepair),
*/
if ((request->proxy == NULL) &&
(pairfind(request->config_items, PW_PROXY_TO_REALM) != NULL)) {
- return 0;
+ return RLM_MODULE_OK;
}
/*
result = rad_check_password(request);
if (result > 0) {
/* don't reply! */
- return -1;
+ return RLM_MODULE_HANDLED;
}
} while(0);
* Result should be >= 0 here - if not, we return.
*/
if (result < 0) {
- return 0;
+ return RLM_MODULE_OK;
}
/*
auth_username(namepair),
auth_name(buf, sizeof(buf), request, 1));
}
- return 0;
+ return RLM_MODULE_OK;
}
}
}
if (exec_program) free(exec_program);
- return 0;
+ return RLM_MODULE_OK;
}
/* add the (hopefully) unique session ID to the packet */
pairadd(&request->packet->vps, vp);
- return RLM_MODULE_OK;
+ return RLM_MODULE_UPDATED;
}
/* FIXME: unique_accounting should probably be called from preacct */
instance = instance;
request = request;
- return RLM_MODULE_OK;
+ return RLM_MODULE_HANDLED;
}
/*
* then exit from the module.
*/
if (!found)
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOTFOUND;
/*
* Add the port number to the Framed-IP-Address if
* See if we succeeded.
*/
if (!found)
- return RLM_MODULE_OK; /* on to the next module */
+ return RLM_MODULE_NOOP; /* on to the next module */
/*
* FIXME: log a warning if there are any reply items other than
*/
if (stat(radacct_dir, &st) < 0) {
DEBUG("No accounting directory %s", radacct_dir);
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
}
curtime = time(0);
if ((ldap_count_entries(ld, *result)) != 1) {
DEBUG("rlm_ldap: thread #%p user object not found or got ambiguous search result", pthread_self());
ldap_msgfree(*result);
- res = RLM_MODULE_REJECT;
+ res = RLM_MODULE_NOTFOUND;
}
DEBUG2("rlm_ldap: thread #%p locking connection flag ...", pthread_self());
*/
if (name[0] == 0) {
radlog(L_ERR, "rlm_ldap: zero length username not permitted\n");
- return RLM_MODULE_FAIL;
+ return RLM_MODULE_INVALID;
}
/* Unfortunately LDAP queries are case insensitive, so in order to provide
*/
if(request->password->attribute != PW_PASSWORD) {
radlog(L_AUTH, "rlm_ldap: Attribute \"Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
}
name = request->username->strvalue;
if(strlen(passwd) == 0) {
radlog(L_ERR, "rlm_ldap: empty password supplied");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
}
DEBUG("rlm_ldap: thread #%p login attempt by \"%s\" with password \"%s\"", pthread_self(), name, passwd);
*/
if (!request->username) {
radlog(L_AUTH, "rlm_pam: Attribute \"User-Name\" is required for authentication.");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
}
/*
*/
if (!request->password) {
radlog(L_AUTH, "rlm_pam: Attribute \"Password\" is required for authentication.");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
}
/*
*/
if (request->password->attribute != PW_PASSWORD) {
radlog(L_AUTH, "rlm_pam: Attribute \"Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
}
pair = pairfind(request->config_items, PAM_AUTH_ATTR);
request_pairs = request->packet->vps;
if (hints == NULL || request_pairs == NULL)
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
/*
* Check for valid input, zero length names not permitted
/*
* No name, nothing to do.
*/
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
for (i = hints; i; i = i->next) {
if (matches(name, i, newname)) {
}
}
- if (i == NULL) return RLM_MODULE_OK;
+ if (i == NULL) return RLM_MODULE_NOOP;
add = paircopy(i->reply);
;
if (last) last->next = add;
- return RLM_MODULE_OK;
+ return RLM_MODULE_UPDATED;
}
/*
*/
static int preprocess_preaccounting(void *instance, REQUEST *request)
{
+ int r;
+
instance = instance;
/*
* Ensure that we have the SAME user name for both
* authentication && accounting.
*/
rad_mangle(request);
- hints_setup(request);
+ r = hints_setup(request);
/*
* Ensure that we log the NAS IP Address in the packet.
*/
add_nas_attr(request);
- return RLM_MODULE_OK;
+ return r;
}
/*
if (!found) {
DEBUG2("User %s not found and DEFAULT not found", name);
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOTFOUND;
}
if (paircmp(request->packet->vps, check_tmp, &reply_tmp) != 0) {
(request->password->length == 0) ||
(request->password->attribute != PW_PASSWORD)) {
radlog(L_AUTH, "rlm_sql: Attribute \"Password\" is required for authentication.");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
}
sql_escape_string(escaped_user, user, strlen(user));
*/
if (!request->username) {
radlog(L_AUTH, "rlm_unix: Attribute \"User-Name\" is required for authentication.");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
}
/*
*/
if (!request->password) {
radlog(L_AUTH, "rlm_unix: Attribute \"Password\" is required for authentication.");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
}
/*
*/
if (request->password->attribute != PW_PASSWORD) {
radlog(L_AUTH, "rlm_unix: Attribute \"Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
}
name = (char *)request->username->strvalue;
#ifdef OSFC2
if ((pr_pw = getprpwnam(name)) == NULL)
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_NOTFOUND;
encrypted_pass = pr_pw->ufld.fd_encrypt;
#else /* OSFC2 */
/*
* Get encrypted password from password file
*/
if ((pwd = getpwnam(name)) == NULL) {
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_NOTFOUND;
}
encrypted_pass = pwd->pw_passwd;
#endif /* OSFC2 */
*/
if (pr_pw->uflg.fg_lock!=1) {
radlog(L_AUTH, "rlm_unix: [%s]: account locked", name);
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_USERLOCK;
}
#endif /* OSFC2 */
*/
if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) {
radlog(L_ERR, "Accounting: no Accounting-Status-Type record.");
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
}
status = vp->lvalue;
*/
if (status != PW_STATUS_START &&
status != PW_STATUS_STOP)
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
/*
* We're only interested in accounting messages
* with a username in it.
*/
if ((vp = pairfind(request->packet->vps, PW_USER_NAME)) == NULL)
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
time(&t);
memset(&ut, 0, sizeof(ut));
* where we didn't see a PW_NAS_PORT_ID.
*/
if (strncmp(ut.ut_name, "!root", sizeof(ut.ut_name)) == 0 || !port_seen)
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
/*
* If we didn't find out the NAS address, use the