[radius] Freeradius/MySql problem

Paul Hampson Paul.Hampson at PObox.com
Sun Jul 3 04:51:52 CEST 2005


On Sat, Jul 02, 2005 at 10:42:44AM -0700, Radius wrote:
> OK, let me try this way, when our wholesale provider receives a realm,
> they know where to send the request.
> 
> If the user sends RADIUS at kingmanaz.net or radius at kingmanaz.net
> 
> our radius regardless if I have lower_user before/after/no
> 
> They will be authenticated either way.

> If we force it lower on our end, does not force lower on their end.

> It's a mess. They said only this month they were going to issue credits
> and that I needed to get my end to deny UPPER case logins.

> I set the lower_user lower and lower_pass to no and a user will
> all RADOUS at kingmanaz.net will be authenticated. I guess mysql
> doesn't care if it's upper or lower.

For what you want to do, you need to set lower_user to 'no',
and check your authorize_check_query to be sure you're using
the one that has "STRCMP(Username, '%{SQL-User-Name}')" and not the
one that has "Username = '%{SQL-User-Name}'".

ie (this is in 1.0.4, and doesn't work with mysql 4 onwards.)

	# Use these for case sensitive usernames. WARNING: Slower queries!
	authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"
	authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"

#	authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
#	authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"

rather than the default.

	# Use these for case sensitive usernames. WARNING: Slower queries!
#	authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"
#	authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"

	authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
	authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"


(That's only moving the #s, not changing the query itself.)

This is the joy of MySQL, it's not case-sensitive for string
comparisons by default. ^_^

Alternatively, change the radcheck table's UserName column to be 'BINARY', see
http://dev.mysql.com/doc/mysql/en/case-sensitivity.html for details. (Although
that's MySQL 4.1. If you're using a packaged MySQL from a distribution, check
A.5.1 in the included manual for more specific details.)

In fact, I'd be interested to know if
	authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE BINARY Username = '%{SQL-User-Name}' ORDER BY id"
	authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE BINARY Username = '%{SQL-User-Name}' ORDER BY id"
fixes it, and if it works for MySQL < 4, because it's more future-proofed
than STRCMP, which has already changed semantics.

-- 
Paul "TBBle" Hampson, on an alternate email client.
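
The comparison behaviour discussed in this message, as an added example that is not part of the original post or of the FreeRADIUS distribution. It assumes MySQL 4.1 or later; the table name `radcheck_demo`, its rows, the example.net login and the explicit latin1 case-insensitive collation are all constructed for illustration.

```sql
-- Constructed demo table using the columns named in the queries above.
-- The collation is set explicitly so the case-insensitive default is reproducible.
CREATE TABLE radcheck_demo (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  UserName  VARCHAR(64)  NOT NULL DEFAULT '',
  Attribute VARCHAR(32)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  Value     VARCHAR(253) NOT NULL DEFAULT '',
  KEY UserName (UserName)
) DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;

-- Constructed account, stored in lower case only.
INSERT INTO radcheck_demo (UserName, Attribute, op, Value)
VALUES ('radius@example.net', 'Password', '==', 'constructed-secret');

-- Default query form: under a _ci collation 'RADIUS@...' equals 'radius@...',
-- so an upper-case login still finds the stored check item.
SELECT id, UserName, Attribute, Value, op
  FROM radcheck_demo
 WHERE UserName = 'RADIUS@example.net'
 ORDER BY id;

-- BINARY form from the message: the comparison is done byte by byte,
-- so only the exact-case login finds the row. Because the cast is applied
-- to the column, the UserName index cannot be used for the lookup.
SELECT id, UserName, Attribute, Value, op
  FROM radcheck_demo
 WHERE BINARY UserName = 'RADIUS@example.net'
 ORDER BY id;

SELECT id, UserName, Attribute, Value, op
  FROM radcheck_demo
 WHERE BINARY UserName = 'radius@example.net'
 ORDER BY id;

-- Column-level alternative: give UserName the binary collation of its
-- character set. The unmodified default query then compares case-sensitively
-- and can still use the UserName index.
ALTER TABLE radcheck_demo
  MODIFY UserName VARCHAR(64) BINARY NOT NULL DEFAULT '';

SELECT id, UserName, Attribute, Value, op
  FROM radcheck_demo
 WHERE UserName = 'RADIUS@example.net'
 ORDER BY id;

-- Confirm which collation the column ended up with.
SHOW FULL COLUMNS FROM radcheck_demo LIKE 'UserName';
```

Run the same statements against the reply table if it is keyed on UserName as well, so check and reply lookups apply the same case rule.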


