rlm_sql: processing radcheck & radgroupcheck

Milan Holub holub at thenet.ch
Thu Apr 12 12:00:26 CEST 2007

Hi all,

I'm wondering about procedure of precessing radcheck&radgroupcheck
database tables. On http://wiki.freeradius.org/Rlm_sql we can read:

Group processing then begins if any of the following conditions are met:
    * The user IS NOT found in radcheck
    * The user IS found in radcheck, but the check items don't match 

Ok, the first point I can imagine that if the user is not found we still
can accept the "generic" user and give him some reply attributes based
on further group processing.

But the 2nd point I do not understand. Few lines below on wiki we can
> For any fairly complex setup, it is likely that most of the actual
> processing will be done in the groups. In these cases, the user entry in
> radcheck will be of limited use except for things like setting the
> user's password.

In fact in my case(I believe in almost all of the cases) we DO check
users against their passwords. If this check fails we should reject the
user else we give him reply attributes based on group membership and
accept the request.

Thus my question is: why to continue in group processing when the check
items(password,...) in radcheck do not match? This leads to accepting
users giving valid username but incorrect password...

Here is my patch which enables read_groups option and targets the issue
above(rejects user immediately if it's found that the radcheck failed):

Index: src/modules/rlm_sql/rlm_sql.c
RCS file: /source/radiusd/src/modules/rlm_sql/rlm_sql.c,v
retrieving revision 1.165
diff -u -r1.165 rlm_sql.c
--- src/modules/rlm_sql/rlm_sql.c       5 Apr 2007 10:52:37 -0000       1.165
+++ src/modules/rlm_sql/rlm_sql.c       12 Apr 2007 09:54:34 -0000
@@ -57,6 +57,8 @@
         offsetof(SQL_CONFIG,tracefile), NULL, SQLTRACEFILE},
        {"readclients", PW_TYPE_BOOLEAN,
         offsetof(SQL_CONFIG,do_clients), NULL, "no"},
+       {"read_groups", PW_TYPE_BOOLEAN,
+        offsetof(SQL_CONFIG,read_groups), NULL, "yes"},
        {"deletestalesessions", PW_TYPE_BOOLEAN,
         offsetof(SQL_CONFIG,deletestalesessions), NULL, "yes"},
        {"num_sql_socks", PW_TYPE_INTEGER,
@@ -638,6 +640,11 @@
                         *      Only do this if *some* check pairs were returned
+                       DEBUG2("rlm_sql (%s):  check items", inst->config->xlat_name);
+                       vp_listdebug(check_tmp);
+                       DEBUG2("rlm_sql (%s):  items found in packet", inst->config->xlat_name);
+                       vp_listdebug(request->packet->vps);
                        if (paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) == 0) {
                                found = 1;
                                DEBUG2("rlm_sql (%s): User found in group %s",
@@ -960,6 +967,11 @@
                                dofallthrough = fallthrough(reply_tmp);
                        pairxlatmove(request, &request->reply->vps, &reply_tmp);
                        pairxlatmove(request, &request->config_items, &check_tmp);
+               } else {
+                       /*
+                        *      check items did not match; do not process groups; return REJECT immediately
+                        */
+                       return RLM_MODULE_REJECT;

Hope this helps someone.

Milan Holub
holub (at) thenet (dot) ch

 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330

More information about the Freeradius-Users mailing list