On 24/10/2013 00:25, Arran Cudbard-Bell wrote:
On 23 Oct 2013, at 13:28, Philippe MARASSE <philippe.marasse@ch-poitiers.fr> wrote:
Le 23/10/2013 14:12, Arran Cudbard-Bell a écrit :
(2) sql : expand: "%{User-Name}" -> '002324609e3f' (2) sql : SQL-User-Name set to "002324609e3f" rlm_sql (sql): Reserved connection (4) (2) sql : expand: "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" -> 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = '002324609E3F' ORDER BY id' rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = '002324609E3F' ORDER BY id' (2) sql : expand: "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" -> 'SELECT groupname FROM radusergroup WHERE username = '002324609E3F' ORDER BY priority' rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = '002324609E3F' ORDER BY priority' rlm_sql (sql): Released connection (4) (2) [sql] = noop It’s consistent with the users file, which also returns noop if not entries match.
Things like rlm_ldap are different because you’re looking for a specific object in the directory, so it’s ok to return notfound.
I guess both rlm_files and rlm_sql could return notfound if no key matched, and noop if no entry matched. Do people think this would be a useful distinction?
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks for your answer. Maybe I was mistaken to rely on sql return code in the authorize section ?
If it's consistent with other modules, I'd rather modify my authenticate section to do a sql query in order to check the presence of the user, shouldn't I ? Um, nope. That’s not authentication… Indeed. I've forgotten to mention that for the moment our network switches do MAC "Autentication", where username = password = mac-address so in order to authorize access to the right VLAN, a simple check of user existence is enough.
I’ve modified the behaviour to return notfound if the user *really* wasn’t found, as in there’s mention of the user at all, and there’s no default user, and there’s no profile user.
If the user was found, but check items prevented the entry being used rlm_sql now returns NOOP, else if an entry matched it now returns OK.
Also modified group processing a bit, so you can disable the check and reply queries if you want.
Really rlm_sql should also return updated if it added any control or reply items, i’ll have a look at that tomorrow if I find some spare time.
If the mean time i’d appreciate it if you could test v3.0.x or master to check behaviour is as you expect. Great :-), I'll test that mid next week as I'm actually on holidays.
Rdgs.