Hey, Peter,
How/Where is this DEFAULT user checked in SQL? I was of the impression that DEFAULT data didnt work in SQL. (It it does I obviously am missing something.)
We do a lot of default processing here. We're using it as a catchall default policy for users (ie unless otherwise specified beforehand, users are, by default, allowed access these resources and denied access to these resources). Anyway, check out rlm_sql.c line 1018. This is where the default profile processing begins based on the default_user_profile configuration item in the sql {} section. These section also processes the User-Profile attribute if its present instead of the default profile.
As you can see a request with NULL username is quite valid for me, and may be proxied or accepted based (from inside the sql procedure) based on information in the request other than username/password and should therefore go through the normal sql queries.
Oh, absolutely. There are many instances where a User-Name attribute may not/need not be present that are completely valid and should be handled by the sql module. --Mike