Perl Module

The perl module processes attributes through a Perl interpreter.

Please see the raddb/mods-config/perl/example.pl sample.
Please see http://www.perl.org/docs.html for more information about the Perl language.

Uncomment any func_* configuration items below which are included in your module. If the module is called for a section which does not have a function defined, it will return noop.

Configuration Settings

The following hashes are given to the module and filled with value-pairs (Attribute names and values)

Value	Description
%RAD_CONFIG	Config items (was %RAD_CHECK).
%RAD_REQUEST	Attributes from the request.
%RAD_REPLY	Attributes for the reply.
%RAD_REQUEST_PROXY	Attributes from the proxied request.
%RAD_REQUEST_PROXY_REPLY	Attributes from the proxy reply.

Value

Description

%RAD_CONFIG

Config items (was %RAD_CHECK).

%RAD_REQUEST

Attributes from the request.

%RAD_REPLY

Attributes for the reply.

%RAD_REQUEST_PROXY

Attributes from the proxied request.

%RAD_REQUEST_PROXY_REPLY

Attributes from the proxy reply.

The interface between FreeRADIUS and Perl is mostly strings.

Attributes of type string are copied to Perl as-is. They are not escaped or interpreted.

Attributes of type octets are copied to Perl as-is. They are not escaped or interpreted.

All other attributes are printed, and passed to Perl as a string value.

IP addresses are sent as strings, e.g. "192.0.2.25", and not as a 4-byte binary value. The same applies to other attribute data types.

The return codes from functions in the perl_script are passed directly back to the server. These codes are defined in mods-config/example.pl

filename: Module to load functions from.

The Perl script to execute when the module is called. This is very similar to using the exec module, but it is persistent, and therefore faster.

perl_flags: Options which are passed to the Perl interpreter.

These are (mostly) the same options as are passed to the perl command line.

The most useful flag is -T. This sets tainting on. Using this flag makes it impossible to leverage bad User-Names into local command execution.

Delete this next line to allow people to pwn your FreeRADIUS server.

List of functions in the module to call. Uncomment and change if you want to use function names other than the defaults.

func_start_accounting
func_stop_accounting: Uncomment the following lines if you wish to use separate functions for Start and Stop accounting packets. In that case, the func_accounting function is not called.
config { … }: You can define configuration items (and nested sub-sections) in perl config { … } section. These items will be accessible in the perl script through %RAD_PERLCONF hash.

For instance:

$RAD_PERLCONF{'name'}
$RAD_PERLCONF{'sub-config'}->{'name'}

Default Configuration

perl {
	filename = ${modconfdir}/${.:instance}/example.pl
	perl_flags = "-T"
#	func_authenticate = authenticate
#	func_authorize = authorize
#	func_preacct = preacct
#	func_accounting = accounting
#	func_pre_proxy = pre_proxy
#	func_post_proxy = post_proxy
#	func_post_auth = post_auth
#	func_detach = detach
#	func_start_accounting = accounting_start
#	func_stop_accounting = accounting_stop
#	config {
#		name = "value"
#		sub-config {
#			name = "value of name from config.sub-config"
#		}
#	}
}