FreeRADIUS 3.0.12, Ubuntu 16.04 - Python module is unable to load

Alan DeKok aland at deployingradius.com
Mon Jul 3 13:03:58 CEST 2017


On Jul 3, 2017, at 1:52 AM, Cuong Nguyen <cuong.nguyenduy at gmail.com> wrote:
> Let me explain what I am trying to do:
> 1. I'd want to limit the number of concurrent sessions a user is allowed. In
> LDAP, there is an attribute - MaxConnection - to indicate maximum
> concurrent sessions a user can have

  OK...

> 2. Since FreeRADIUS does not keep track of the number of sessions,

  Uh... what?

  FreeRADIUS writes session data to a database.  You can query the database from FreeRADIUS.  This is even documented with examples in the default configuration.

> my
> script will perform the following
> - POST-AUTH: For the user, get the number of sessions in MySQL, and get the
> MaxConnection from LDAP, then compare the two. If there are sessions >=
> MaxConnection --> Reject

  That's three lines of unlang:

	if ("%{sql:SELECT sessions...}" >= "%{ldap:get maxconnection}") {
		reject
	}

  The only "magic" here is writing the correct SQL select query, and writing the correct LDAP query to get MaxConnection for a user.

  And those two queries are just normal SQL / LDAP queries.  You can write them and test them in an SQL or LDAP tool, and then just copy them to FreeRADIUS.  Replace the actual user name with %{User-Name}, and you're good to go.

> - ACCOUNTING: If it is Accounting-Start --> Record in MySQL, if
> Accounting-Interim --> Update in MySQL, if Accounting-Stop --> Delete in
> MySQL

  The default SQL module already does this.  It's documented as doing this.  There are tons of examples available.

  Why are you re-inventing this?

> Second, I did look at the LDAP module, but have no clue how to implement
> the logic I describe above. In my debug output above, I *did* include sql
> for the purpose of testing. In actual deployment, this will not be used
> (MySQL operations will be done by the script).
> 
> I even tried this in LDAP module in order to get the MaxConnection, which
> changes the 'request' list.
> 
> ldap {
>    # TESTING
>    request:Tmp-String-1            := 'MaxConnection'
> }

  What made you think that would work?  You're just trying random things in random places.  And, ignoring all of the available documentation.

> Any suggestion is appreciated.

  Read the documentation and examples.  Read the Wiki.  Look for "Simultaneous-Use", which does exactly this...

  Alan DeKok.
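
The "Simultaneous-Use" approach the reply points to, sketched as an added configuration example (not from the thread and not copied from the FreeRADIUS distribution). It assumes FreeRADIUS 3.0.x file locations, that the LDAP attribute MaxConnection holds a single integer, and that the sql module writes accounting records to the stock radacct table; only the relevant lines of each file are shown.

```conf
# Added illustration. Assumptions: FreeRADIUS 3.0.x layout, MaxConnection is a
# single-valued integer in LDAP, accounting rows live in the default radacct table.

# mods-available/ldap (server, base_dn and other settings left unchanged)
ldap {
	update {
		# Copy the per-user limit from LDAP into the control list.
		control:Simultaneous-Use := 'MaxConnection'
	}
}

# mods-config/sql/main/mysql/queries.conf
# Open sessions are rows with no stop time recorded yet.
simul_count_query = "\
	SELECT COUNT(*) \
	FROM ${acct_table1} \
	WHERE username = '%{SQL-User-Name}' \
	AND acctstoptime IS NULL"

# sites-available/default (other modules in each section left unchanged)
authorize {
	ldap	# must run so control:Simultaneous-Use is populated
}
accounting {
	sql	# records Start, Interim-Update and Stop packets
}
session {
	sql	# runs simul_count_query when control:Simultaneous-Use is set
}
```

With this in place the server compares the session count against Simultaneous-Use itself and rejects the login once the count reaches the limit. The count is only as accurate as the accounting data, so a NAS that loses Stop packets leaves stale rows that keep counting against the user until they are closed.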