perl module variable scope question

classic Classic list List threaded Threaded
2 messages Options
| Threaded
Open this post in threaded view
|

perl module variable scope question

P. R.M.
I'm using the perl module to handle the backend logic between freeradius & a mysql database.

  *   The first step in the authentication/authorization process is to have perl query the database for a given username.
  *   Perl then queries the DB and returns the cleartext password if the username is found & is valid.
  *   next, the cleartext password is handed off to the CHAP module for verification
  *   afterwards, control goes back to the perl module (in post-auth section), when it runs another query in order to pull the reply attributes for the given user

I'd like to avoid running the 2nd query in post-auth, and simply run a single query that returns all of the reply attributes if the username is valid. The problem is that the perl module has to exit its context & return control back to the CHAP module in order to verify the password.

I don't want to prematurely set the reply attributes in the 'authorize' section if the user will subsequently be rejected due to a bad password. So, I need a way to save&pass the results of the initial query (w/ the attributes data) from the 'authorize' function to the 'post_auth' function. Global variables don't seem like they would be a good idea (not sure how this would work in terms of concurrency/thread safety).  Any ideas on how to persist data from one perl module function call to the next?

The only other option I considered was having the perl module do the CHAP/PAP authentication, but I would much rather leave this task to freeradius.

Please help, thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: perl module variable scope question

Alan DeKok-2


> On Feb 4, 2020, at 8:44 PM, P. R.M. <[hidden email]> wrote:
>
> I'm using the perl module to handle the backend logic between freeradius & a mysql database.
>
>  *   The first step in the authentication/authorization process is to have perl query the database for a given username.
>  *   Perl then queries the DB and returns the cleartext password if the username is found & is valid.
>  *   next, the cleartext password is handed off to the CHAP module for verification
>  *   afterwards, control goes back to the perl module (in post-auth section), when it runs another query in order to pull the reply attributes for the given user
>
> I'd like to avoid running the 2nd query in post-auth, and simply run a single query that returns all of the reply attributes if the username is valid. The problem is that the perl module has to exit its context & return control back to the CHAP module in order to verify the password.
>
> I don't want to prematurely set the reply attributes in the 'authorize' section if the user will subsequently be rejected due to a bad password. So, I need a way to save&pass the results of the initial query (w/ the attributes data) from the 'authorize' function to the 'post_auth' function. Global variables don't seem like they would be a good idea (not sure how this would work in terms of concurrency/thread safety).  Any ideas on how to persist data from one perl module function call to the next?

  Just do everything in one call to Perl.

  When the server sends an Access-Reject, it strips all of the reply attributes except for Reply-Message.  See the debug output for details.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html