sql.conf problem

Norbert Wegener nw at sbs.de
Tue Oct 24 15:59:38 CEST 2006


In a certain context I want to accept all incoming requests. FreeRADIUS 
is 1.1.3.
I hold the accounts in MySQL.

This is what I have stored in the database for one account:

mysql> select * from usergroup where UserName='000000000009';
+---------+--------------+--------------+---------------------+---------------------+---------+
| id      | UserName     | GroupName    | loaddate            | validto             | konftyp |
+---------+--------------+--------------+---------------------+---------------------+---------+
| 1160351 | 000000000009 | sondergeraet | 2006-10-24 09:26:59 | 2006-10-31 00:00:00 | NULL    |
+---------+--------------+--------------+---------------------+---------------------+---------+
1 row in set (0.00 sec)

mysql> select * from radcheck where UserName='000000000009';
+---------+--------------+--------------+----+----------+---------------------+
| id      | UserName     | Attribute    | op | Value    | validto             |
+---------+--------------+--------------+----+----------+---------------------+
| 1159463 | 000000000009 | Hint         | += | assignvl | 2006-10-31 00:00:00 |
| 2512785 | 000000000009 | Auth-Type    | := | Accept   | NULL                |
| 2512786 | 000000000009 | Idle-Timeout | =  | 123      | NULL                |
+---------+--------------+--------------+----+----------+---------------------+
3 rows in set (0.00 sec)


mysql> select * from radreply where UserName='000000000009';
+----+--------------+--------------+----+-------+------------+--------------+---------+
| id | UserName     | Attribute    | op | Value | ra_nasname | ra_GroupName | validto |
+----+--------------+--------------+----+-------+------------+--------------+---------+
|  6 | 000000000009 | Idle-Timeout | =  | 123   | NULL       | NULL         | NULL    |
+----+--------------+--------------+----+-------+------------+--------------+---------+
1 row in set (0.00 sec)



authorize_check_query from sql.conf is:

    authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
          FROM ${authcheck_table} \
          WHERE Username = '%{SQL-User-Name}' and  ( radcheck.Attribute !='Hint' )  \
          ORDER BY id"



 radtest 000000000009 000b5d28f24x4 localhost 1812 testing123
Sending Access-Request of id 243 to 127.0.0.1 port 1812
        User-Name = "000000000009"
        User-Password = "000b5d28f24x4"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=243, length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)

Not the shared secret, the password is incorrect.
Nevertheless, I want to ignore this and assign the check-item 
Auth-Type:=Accept from radcheck.

radiusd -AX shows me:
...
  modcall[authorize]: module "files" returns notfound for request 0
radius_xlat:  '000000000009'
rlm_sql (sql): sql_set_user escaped user --> '000000000009'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = '000000000009' and  ( radcheck.Attribute !='Hint' )            ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.UserName = '000000000009' AND usergroup.GroupName = radgroupcheck.GroupName  ORDER BY radgroupcheck.id'
radius_xlat:  ''
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE ( usergroup.Username = '000000000009' AND usergroup.GroupName = radgroupreply.Value )         or    (usergroup.UserName='000000000009'         and         (radgroupreply.GroupName in (select type from nas where nasname = '255.255.255.255')         and radgroupreply.GroupName='Cisco'          and radgroupreply.Attribute!='Tunnel-Private-Group-ID' )         )         ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
rlm_sql:  check items
     Auth-Type := Accept
     Idle-Timeout = 123
     Hint == "assignvl"
^^^^^^^^^^^^^^ (enabled debugging in rlm_sql.c around line 850)

rlm_sql:  reply items
rlm_sql (sql): No matching entry in the database for request from user [000000000009]
  modcall[authorize]: module "sql" returns notfound for request 0

Why do I get a 'No matching entry in the database for request from user
[000000000009]', although the expanded authorize_check_query, copied from
above directly into mysql, gives me the following:

mysql> SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = '000000000009' and  ( radcheck.Attribute !='Hint' )            ORDER BY id;
+---------+--------------+--------------+--------+----+
| id      | UserName     | Attribute    | Value  | op |
+---------+--------------+--------------+--------+----+
| 2512785 | 000000000009 | Auth-Type    | Accept | := |
| 2512786 | 000000000009 | Idle-Timeout | 123    | =  |
+---------+--------------+--------------+--------+----+
2 rows in set (0.00 sec)

Thanks
Norbert Wegener



