Send Access-Reject when user does not match any group?

Bogdan Enache enachebogdan at gmx.com
Mon Jan 14 14:43:36 CET 2013


Hi,

On 14.01.2013 15:17, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> As you can see, it matches the rule in "users" first, and then the
>> group named "login" in MySQL. There is no other match.
> because that's the order that you have them run in.... how can the users
> file know anything about the groups if you are doing the groups AFTER
> the users file?  change the order or put some other configuration into
> place - e.g. use unlang after the sql section to check for group and if one
> doesn't exist then reject - man unlang
>

I already tried that: I put "sql" before "files" in the "authorize" section
in both "default" and "inner-tunnel":

[sql]   expand: %{User-Name} -> bogdan.enache
[sql] sql_set_user escaped user --> 'bogdan.enache'
rlm_sql (sql): Reserving sql socket id: 5
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'bogdan.enache'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'bogdan.enache'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'bogdan.enache' ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'login'           ORDER BY id
[sql] User found in group login
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'login'           ORDER BY id
rlm_sql (sql): Released sql socket id: 5
++[sql] returns ok
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user

Still rejecting.

Thank you.
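Editor's note, added example: the quoted reply suggests an unlang check after the sql module that rejects any user who is in no SQL group. The "authorize" section below is one way to write that for FreeRADIUS 2.x; it is not from this thread or from the FreeRADIUS project's shipped configuration. It assumes the sql module instance is named "sql", the default radusergroup schema seen in the debug output, and the internal Tmp-Integer-0 attribute. Note that the debug output still shows "Auth-Type = Reject" after both sql and files have run, so any catch-all DEFAULT entry in "users" that forces a reject must be removed or restricted, or it will fire regardless of where the group check sits.

```unlang
# Added example (not from the thread or the FreeRADIUS project):
# "authorize" section that rejects users with no SQL group membership.
# Assumptions: sql module instance is named "sql", default radusergroup
# table, and Tmp-Integer-0 from the internal dictionary is available.
authorize {
    preprocess

    # Normal lookup: radcheck, radreply, radusergroup, radgroupcheck, radgroupreply.
    sql

    # Ad-hoc query through the same sql instance. rlm_sql applies its SQL
    # escape function to every expanded value inside %{sql:...}, so the
    # User-Name expansion is safe to embed in the query string.
    update request {
        Tmp-Integer-0 := "%{sql:SELECT COUNT(*) FROM radusergroup WHERE username = '%{User-Name}'}"
    }

    # No radusergroup row for this user: send Access-Reject now, before any
    # later module or a catch-all "users" entry can change the decision.
    if (Tmp-Integer-0 == 0) {
        update reply {
            Reply-Message := "User is not a member of any group"
        }
        reject
    }

    # Remaining modules run only for users with at least one group.
    # A DEFAULT entry in "users" that sets Auth-Type := Reject would still
    # apply here, so such entries must not be a catch-all.
    files
    expiration
    logintime
    pap
}
```

The same block belongs in the inner-tunnel virtual server when the group check must apply to EAP users, since the inner "authorize" section is where the inner identity is looked up.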



More information about the Freeradius-Users mailing list