The Scheme procedure used for authentication must be declared as follows:
The function return value determines whether the authentication will
succeed. The function must return either a boolean value or a pair.
The return of #t causes authentication to succeed. The return of #f
causes it to fail.
If the function wishes to add something to the reply A/V pairs, it should return a pair in the form:
(cons return-code list)
Where return-code is a boolean value with the same meaning as described above, and list is a list of A/V pairs to be added to the reply list. For example, the following function will always deny the authentication, returning an appropriate message to the user:

(define (decline-auth request-list check-list reply-list)
  (cons #f
        (list (cons "Reply-Message"
                    "\r\nSorry, you are not allowed to log in\r\n"))))
As a more constructive example, let's consider a function that allows the authentication only if the user name is found in its internal database and one of that user's profiles matches the request; the matching profile's reply pairs are added to the reply list.

(define staff-data
  (list
   (list "scheme"
         ;; First profile: applies when the request comes from 127.0.0.1
         (cons (list (cons "NAS-IP-Address" "127.0.0.1"))
               (list (cons "Framed-MTU" "8096")))
         ;; Second profile: empty check list, so it matches any request
         (cons '()
               (list (cons "Framed-MTU" "256"))))))

(define (auth req check reply)
  (let* ((username (assoc "User-Name" req))
         (reply-list '())
         ;; ok is #t only when the user is known and one of its
         ;; profiles matches the request; otherwise the request is denied.
         (ok (if username
                 (let ((user-data (assoc (cdr username) staff-data)))
                   (rad-log L_INFO (format #f "~A" user-data))
                   (if user-data
                       (call-with-current-continuation
                        (lambda (xx)
                          (for-each
                           (lambda (pair)
                             (cond
                              ((avl-match? req (car pair))
                               ;; First matching profile wins: merge its
                               ;; reply pairs and leave the loop.
                               (set! reply-list
                                     (avl-merge reply-list (cdr pair)))
                               (xx #t))))
                           (cdr user-data))
                          ;; No profile matched this request
                          #f))
                       #f))
                 #f)))
    (cons ok reply-list)))
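A deny-by-default variant of the handler above, added here as an example and not taken from the GNU Radius manual: it relies on `staff-data', `rad-log', `L_INFO', `avl-match?' and `avl-merge' as used on this page, while `deny', `matching-profile' and `strict-auth' are names introduced for this example. Every failure path logs the reason and attaches a Reply-Message, so a rejected request is explained both in the server log and to the user.

```scheme
;; Added example, not part of the GNU Radius manual.
;; Log a denial and build the (return-code . reply-pairs) result.
(define (deny reason)
  (rad-log L_INFO (string-append "auth denied: " reason))
  (cons #f (list (cons "Reply-Message"
                       (string-append "\r\n" reason "\r\n")))))

;; Return the first (check-list . reply-list) profile whose check list
;; matches the request, or #f when none does.
(define (matching-profile req profiles)
  (cond ((null? profiles) #f)
        ((avl-match? req (car (car profiles))) (car profiles))
        (else (matching-profile req (cdr profiles)))))

;; Authentication procedure: succeeds only for a known user whose
;; request matches one of the user's profiles in staff-data.
(define (strict-auth req check reply)
  (let ((username (assoc "User-Name" req)))
    (if (not username)
        (deny "Missing User-Name")
        (let ((user-data (assoc (cdr username) staff-data)))
          (if (not user-data)
              (deny (string-append "Unknown user " (cdr username)))
              (let ((profile (matching-profile req (cdr user-data))))
                (if profile
                    ;; Success: add the profile's reply pairs
                    (cons #t (avl-merge '() (cdr profile)))
                    (deny "No profile matches this request"))))))))
```

To use it, set Scheme-Procedure = "strict-auth" in the `raddb/users' profile instead of "auth".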
To trigger the invocation of the Scheme authentication function, assign
its name to the Scheme-Procedure attribute in the RHS of the
corresponding `raddb/users' profile. E.g.:

DEFAULT Auth-Type = SQL
        Scheme-Procedure = "auth"