There is a risk with this patch of running queries where the WHERE clause becomes WHERE UserName = ''... Which, I guess isn't really all that bad... I'm not sure I have any real problem with it, but we'll probably want to make the default sql_user_name configuration item %{User-Name:- DEFAULT} if we make the change this way. --Mike On Sep 21, 2006, at 8:20 AM, Peter Nixon wrote:
As you can see a request with NULL username is quite valid for me, and may be proxied or accepted based (from inside the sql procedure) based on information in the request other than username/password and should therefore go through the normal sql queries.
Oh, absolutely. There are many instances where a User-Name attribute may not/need not be present that are completely valid and should be handled by the sql module.
Can someone please test the attached patch before I commit it. It works ok for us with Postgresql but its possible that it may cause suprises for other database types.
Cheers
--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc <nullsqluser.patch> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ devel.html