Re: [Radiusplugin-users] (no subject)
From: |
ValdikSS |
Subject: |
Re: [Radiusplugin-users] (no subject) |
Date: |
Tue, 29 Nov 2011 20:00:11 +0400 |
That's a bug in openvpn. I've done a patch, but can't post a bug on
openvpn bugtracker, the page just doesn't load.
"I have radiusplugin and a client-connect script. Radiusplugin is used
only for accounting, and some kind of authorization is managed by the
client-connect script. If radiusplugin is disabled and the client-connect
script exits with error code 1, the client is disconnected with
AUTH_FAILED; but if the radiusplugin client-connect function returns 0 and
the script returns 1, the client constantly sends PUSH_REQUESTs and
nothing more.
It can be fixed by running the client-connect script before the plugin's
client-connect. Patch included."
Here is a patch:
*** openvpn-2.2.1/multi_orig.c 2011-06-24 10:13:39.000000000 +0400
--- openvpn-2.2.1/multi.c 2011-11-29 19:15:42.072414064 +0400
***************
*** 1506,1532 ****
/*
* Select a virtual address from either --ifconfig-push in
--client-config-dir file
* or --ifconfig-pool.
*/
multi_select_virtual_addr (m, mi);
/* do --client-connect setenvs */
multi_client_connect_setenv (m, mi);
#ifdef ENABLE_PLUGIN
/*
* Call client-connect plug-in.
*/
/* deprecated callback, use a file for passing back return info */
! if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
{
struct argv argv = argv_new ();
const char *dc_file = create_temp_file
(mi->context.options.tmp_dir, "cc", &gc);
if( !dc_file ) {
cc_succeeded = false;
goto script_depr_failed;
}
argv_printf (&argv, "%s", dc_file);
--- 1506,1574 ----
/*
* Select a virtual address from either --ifconfig-push in
--client-config-dir file
* or --ifconfig-pool.
*/
multi_select_virtual_addr (m, mi);
/* do --client-connect setenvs */
multi_client_connect_setenv (m, mi);
+ /*
+ * Run --client-connect script.
+ */
+ if (mi->context.options.client_connect_script)
+ {
+ struct argv argv = argv_new ();
+ const char *dc_file = NULL;
+
+ setenv_str (mi->context.c2.es, "script_type", "client-connect");
+
+ dc_file = create_temp_file (mi->context.options.tmp_dir, "cc", &gc);
+ if( !dc_file ) {
+ cc_succeeded = false;
+ goto script_failed;
+ }
+
+ argv_printf (&argv, "%sc %s",
+ mi->context.options.client_connect_script,
+ dc_file);
+
+ if (openvpn_run_script (&argv, mi->context.c2.es, 0,
"--client-connect"))
+ {
+ multi_client_connect_post (m, mi, dc_file,
option_permissions_mask, &option_types_found);
+ ++cc_succeeded_count;
+ }
+ else
+ cc_succeeded = false;
+ script_failed:
+ argv_reset (&argv);
+ }
+
+ /*
+ * Check for client-connect script left by management interface client
+ */
+ #ifdef MANAGEMENT_DEF_AUTH
+ if (cc_succeeded && mi->cc_config)
+ {
+ multi_client_connect_mda (m, mi, mi->cc_config,
option_permissions_mask, &option_types_found);
+ ++cc_succeeded_count;
+ }
+ #endif
+
#ifdef ENABLE_PLUGIN
/*
* Call client-connect plug-in.
*/
/* deprecated callback, use a file for passing back return info */
! if (plugin_defined (mi->context.plugins,
OPENVPN_PLUGIN_CLIENT_CONNECT) && cc_succeeded)
{
struct argv argv = argv_new ();
const char *dc_file = create_temp_file
(mi->context.options.tmp_dir, "cc", &gc);
if( !dc_file ) {
cc_succeeded = false;
goto script_depr_failed;
}
argv_printf (&argv, "%s", dc_file);
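Review bot: The script block at `if (mi->context.options.client_connect_script)` no longer tests `cc_succeeded` and now runs before both plug-in callbacks, so a plug-in that rejects the client can no longer stop the script from executing, and the options read from the script's `dc_file` are applied before the plug-in's instead of after. Where the plug-in makes the access decision and the script does per-client setup, that setup would now run for clients that are then refused, so the new order deserves an explicit comment, for example `/* Run --client-connect script first: its failure vetoes the plug-in callbacks; it runs even if a plug-in later rejects the client. */`. Whether a later source overrides an earlier one depends on multi_client_connect_post, which is not shown here. The enclosing function starts and ends outside this hunk.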
***************
*** 1538,1558 ****
else
{
multi_client_connect_post (m, mi, dc_file,
option_permissions_mask, &option_types_found);
++cc_succeeded_count;
}
script_depr_failed:
argv_reset (&argv);
}
/* V2 callback, use a plugin_return struct for passing back
return info */
! if (plugin_defined (mi->context.plugins,
OPENVPN_PLUGIN_CLIENT_CONNECT_V2))
{
struct plugin_return pr;
plugin_return_init (&pr);
if (plugin_call (mi->context.plugins,
OPENVPN_PLUGIN_CLIENT_CONNECT_V2, NULL, &pr, mi->context.c2.es) !=
OPENVPN_PLUGIN_FUNC_SUCCESS)
{
msg (M_WARN, "WARNING: client-connect-v2 plugin call failed");
cc_succeeded = false;
}
--- 1580,1600 ----
else
{
multi_client_connect_post (m, mi, dc_file,
option_permissions_mask, &option_types_found);
++cc_succeeded_count;
}
script_depr_failed:
argv_reset (&argv);
}
/* V2 callback, use a plugin_return struct for passing back
return info */
! if (plugin_defined (mi->context.plugins,
OPENVPN_PLUGIN_CLIENT_CONNECT_V2) && cc_succeeded)
{
struct plugin_return pr;
plugin_return_init (&pr);
if (plugin_call (mi->context.plugins,
OPENVPN_PLUGIN_CLIENT_CONNECT_V2, NULL, &pr, mi->context.c2.es) !=
OPENVPN_PLUGIN_FUNC_SUCCESS)
{
msg (M_WARN, "WARNING: client-connect-v2 plugin call failed");
cc_succeeded = false;
}
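Review bot: The added `&& cc_succeeded` on the CLIENT_CONNECT_V2 test (and on the deprecated callback in the previous hunk) only covers a script that exits non-zero; a script that exits 0 and rejects the client by writing `disable` leaves `cc_succeeded` true, and the `mi->context.options.disable` check shown as context in the last hunk still sits after both plug-in calls. In that case, which is the one the original report describes, the plug-in callbacks still run (for radiusplugin presumably the accounting start) for a client that is then rejected. Consider adding the directive to the gate, e.g. `OPENVPN_PLUGIN_CLIENT_CONNECT_V2) && cc_succeeded && !mi->context.options.disable)`, or moving the disable check ahead of the `#ifdef ENABLE_PLUGIN` block. This assumes multi_client_connect_post sets options.disable from the script's file, as the comment on that check suggests. The function body extends beyond this hunk.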
***************
*** 1560,1621 ****
{
multi_client_connect_post_plugin (m, mi, &pr,
option_permissions_mask, &option_types_found);
++cc_succeeded_count;
}
plugin_return_free (&pr);
}
#endif
/*
- * Run --client-connect script.
- */
- if (mi->context.options.client_connect_script && cc_succeeded)
- {
- struct argv argv = argv_new ();
- const char *dc_file = NULL;
-
- setenv_str (mi->context.c2.es, "script_type", "client-connect");
-
- dc_file = create_temp_file (mi->context.options.tmp_dir, "cc", &gc);
- if( !dc_file ) {
- cc_succeeded = false;
- goto script_failed;
- }
-
- argv_printf (&argv, "%sc %s",
- mi->context.options.client_connect_script,
- dc_file);
-
- if (openvpn_run_script (&argv, mi->context.c2.es, 0,
"--client-connect"))
- {
- multi_client_connect_post (m, mi, dc_file,
option_permissions_mask, &option_types_found);
- ++cc_succeeded_count;
- }
- else
- cc_succeeded = false;
- script_failed:
- argv_reset (&argv);
- }
-
- /*
- * Check for client-connect script left by management interface client
- */
- #ifdef MANAGEMENT_DEF_AUTH
- if (cc_succeeded && mi->cc_config)
- {
- multi_client_connect_mda (m, mi, mi->cc_config,
option_permissions_mask, &option_types_found);
- ++cc_succeeded_count;
- }
- #endif
-
- /*
* Check for "disable" directive in client-config-dir file
* or config file generated by --client-connect script.
*/
if (mi->context.options.disable)
{
msg (D_MULTI_ERRORS, "MULTI: client has been rejected due to
'disable' directive");
cc_succeeded = false;
}
if (cc_succeeded)
--- 1602,1621 ----
2011/11/29 ValdikSS <address@hidden>:
> Hello!
> Client cannot be rejected correctly if radiusplugin is used. I'm using
> radiusplugin only for accounting, and a client-connect script to add the
> 'disable' parameter to the client.
> Openvpn server logs:
> MULTI: client has been rejected due to 'disable' directive
>
> but the client doesn't get a reject from the server and constantly
> retries PUSH_REQUEST.
>