SV: Make sense of SQL Huntgroup HOWTO?

Matthew Newton mcn4 at leicester.ac.uk
Fri Dec 18 22:27:34 CET 2015


On Fri, Dec 18, 2015 at 08:55:20PM +0000, Joel Bergmark wrote:
> This is what I ran:
> 
>         update request {
>                 Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
>         }
>         if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
>                 reject
>         }


> rad_recv: Access-Request packet from host 46.23X.XX.170 port 1645, id=118, length=66
>         User-Name = "bl"
...

>         expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> Noc
> ++[request] returns notfound
> ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline"))
> ?? Evaluating (Huntgroup-Name == "2ndline") -> FALSE

Huntgroup-Name here is "Noc", which is why it didn't match.

> ?? Skipping (SQL-Group != "2ndline")

...so it short-circuited and didn't even bother checking SQL-Group
- there's no point.

> ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) -> FALSE

So didn't reject.

> I expected to get reject on this login, but that's not happening, so I clearly don't understand all elements in this.
> 
> Or even better to allow 3rdline users to login to everything and 2ndline users to login to some equipment.

So your users are in two groups, namely "2ndline" or "3rdline"?

In which case you are only interested in the "2ndline" case if
"3rdline" can access everything.

So you can start with

  if (SQL-Group == "2ndline") {

  ...

  }

which will skip the case where SQL-Group is 3rdline (or anything
else) in the ...

If you've got other groups you might want to make that 

  if (SQL-Group != "3rdline") {

instead, to match all users that are *not* in 3rdline.



Then once you've established users in 2ndline add extra stuff to
reject on certain equipment, e.g.

  if (Huntgroup-Name != "2ndline") {
    reject
  }

or

  if (Huntgroup-Name == "3rdline") {
    reject
  }


Put together this could be

  if (SQL-Group == "2ndline") {
    if (Huntgroup-Name != "2ndline") {
      reject
    }
  }


which you can combine to come up with what was before (or
similar):

  if ((SQL-Group == "2ndline") && (Huntgroup-Name != "2ndline")) {
    reject
  }


But read the debug output - just find the bit where the if() is
tested, which will tell you what it's testing and therefore what
is or isn't matching.

Once you've done that you could for example join it all together
into a policy that ends up something like

# only allow 2ndline to 2ndline kit
  if (SQL-Group == "2ndline") {
    if (Huntgroup-Name != "2ndline") {
      reject
    }
  }
# allow 3rdline to only access 3rdline and 2ndline kit
  elsif (SQL-Group == "3rdline") {
    if (Huntgroup-Name != "2ndline" && Huntgroup-Name != "3rdline") {
      reject
    }
  }
# else user can by default access everything except "restricted"
  else {
    if (Huntgroup-Name == "restricted") {
      reject
    }
  }

Does that help?

Matthew



-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
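As an added illustration (not the list author's code and not FreeRADIUS itself), a small Python model of the two policies discussed in this reply: the original condition, which short-circuits on Huntgroup-Name, and the combined policy at the end. It assumes SQL-Group membership can be modelled as a set of group names, a constructed radhuntgroup table, and that a NAS with no row expands Huntgroup-Name to an empty string.

```python
# Added model, not the list author's code and not FreeRADIUS: simulate the
# unlang policies from this reply as pure functions so the allow/reject
# outcome for each (user group, NAS huntgroup) pair can be checked.

# Constructed sample radhuntgroup table: NAS IP address -> groupname.
RADHUNTGROUP = {
    "192.0.2.10": "2ndline",
    "192.0.2.20": "3rdline",
    "192.0.2.30": "restricted",
    "192.0.2.40": "Noc",
}

def huntgroup_for_nas(nas_ip, table=RADHUNTGROUP):
    """Model the %{sql:SELECT groupname FROM radhuntgroup ...} xlat.
    Assumption: a NAS with no row expands to an empty Huntgroup-Name."""
    return table.get(nas_ip, "")

def original_check(huntgroup_name, user_groups):
    """The poster's condition: reject when
    (Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline").
    With Huntgroup-Name "Noc" the left side is false, && short-circuits,
    and SQL-Group is never consulted, so nothing is rejected."""
    return huntgroup_name == "2ndline" and "2ndline" not in user_groups

def policy(user_groups, huntgroup_name):
    """The combined policy at the end of the reply. SQL-Group is a
    membership test, so user_groups is modelled as a set of group names."""
    if "2ndline" in user_groups:
        # only allow 2ndline to 2ndline kit
        if huntgroup_name != "2ndline":
            return "reject"
    elif "3rdline" in user_groups:
        # allow 3rdline to only access 3rdline and 2ndline kit
        if huntgroup_name not in ("2ndline", "3rdline"):
            return "reject"
    else:
        # everyone else: everything except "restricted"
        if huntgroup_name == "restricted":
            return "reject"
    return "accept"

def decision_matrix(group_sets, nas_ips):
    """Evaluate the policy for every user-group / NAS combination."""
    return {(frozenset(g), ip): policy(g, huntgroup_for_nas(ip))
            for g in group_sets for ip in nas_ips}

if __name__ == "__main__":
    matrix = decision_matrix([{"2ndline"}, {"3rdline"}, {"noc"}], RADHUNTGROUP)
    for (groups, ip), verdict in matrix.items():
        print(sorted(groups), ip, huntgroup_for_nas(ip) or "<none>", verdict)
```

Running it prints one line per combination, including the unmapped-NAS case, which is worth checking before the policy goes live.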

