106 lines
3.2 KiB
Plaintext
106 lines
3.2 KiB
Plaintext
#
|
|
# Sample FreeRadius rlm_exec wrapper configuration to perform OTP authentication
|
|
# against privacyidea without rtl_perl module (unavailable on OS X 10.9 Server)
|
|
#
|
|
# Version 1.0, latest version, documentation and bugtracker available at:
|
|
# https://gitlab.lindenaar.net/scripts/privacyidea-checkotp
|
|
#
|
|
# Copyleft (c) 2015 by Frederik Lindenaar
|
|
#
|
|
|
|
#
|
|
# Return value of the program run determines the result of the exec instance
|
|
# call (See doc/configurable_failover for details) as follows:
|
|
#
|
|
# < 0 : fail the module failed
|
|
# = 0 : ok the module succeeded
|
|
# = 1 : reject the module rejected the user
|
|
# = 2 : fail the module failed
|
|
# = 3 : ok the module succeeded
|
|
# = 4 : handled the module has done everything to handle the request
|
|
# = 5 : invalid the user's configuration entry was invalid
|
|
# = 6 : userlock the user was locked out
|
|
# = 7 : notfound the user was not found
|
|
# = 8 : noop the module did nothing
|
|
# = 9 : updated the module updated information in the request
|
|
# > 9 : fail the module failed
|
|
#
|
|
|
|
exec privacyidea {
|
|
#
|
|
# Wait for the program to finish.
|
|
#
|
|
# If we do NOT wait, then the program is "fire and
|
|
# forget", and any output attributes from it are ignored.
|
|
#
|
|
# If we are looking for the program to output
|
|
# attributes, and want to add those attributes to the
|
|
# request, then we MUST wait for the program to
|
|
# finish, and therefore set 'wait=yes'
|
|
#
|
|
# allowed values: {no, yes}
|
|
wait = yes
|
|
|
|
#
|
|
# The name of the program to execute, and it's
|
|
# arguments. Dynamic translation is done on this
|
|
# field, so things like the following example will
|
|
# work.
|
|
#
|
|
program = "[WRAPPERSCRIPT_PATH]/privacyidea-checkotp [PRIVACYIDEA_URL]"
|
|
|
|
#
|
|
# The attributes which are placed into the
|
|
# environment variables for the program.
|
|
#
|
|
# Allowed values are:
|
|
#
|
|
# request attributes from the request
|
|
# config attributes from the configuration items list
|
|
# reply attributes from the reply
|
|
# proxy-request attributes from the proxy request
|
|
# proxy-reply attributes from the proxy reply
|
|
#
|
|
# Note that some attributes may not exist at some
|
|
# stages. e.g. There may be no proxy-reply
|
|
# attributes if this module is used in the
|
|
# 'authorize' section.
|
|
#
|
|
input_pairs = request
|
|
|
|
#
|
|
# Where to place the output attributes (if any) from
|
|
# the executed program. The values allowed, and the
|
|
# restrictions as to availability, are the same as
|
|
# for the input_pairs.
|
|
#
|
|
output_pairs =
|
|
|
|
#
|
|
# When to execute the program. If the packet
|
|
# type does NOT match what's listed here, then
|
|
# the module does NOT execute the program.
|
|
#
|
|
# For a list of allowed packet types, see
|
|
# the 'dictionary' file, and look for VALUEs
|
|
# of the Packet-Type attribute.
|
|
#
|
|
# By default, the module executes on ANY packet.
|
|
# Un-comment out the following line to tell the
|
|
# module to execute only if an Access-Accept is
|
|
# being sent to the NAS.
|
|
#
|
|
packet_type = Access-Request
|
|
|
|
#
|
|
# Should we escape the environment variables?
|
|
#
|
|
# If this is set, all the RADIUS attributes
|
|
# are capitalised and dashes replaced with
|
|
# underscores. Also, RADIUS values are surrounded
|
|
# with double-quotes.
|
|
#
|
|
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
|
|
shell_escape = yes
|
|
}
|