Peter Nixon wrote:
Alan. Can you help out here? From memory I am seeing the same thing in cvs head. I ended up commenting out the username part of the query as I don't actually do anything based on username in my system. It definitely needs to be %{SQL-User-Name} though, as I was getting escape characters as the username from some users and it was blowing up the sql queries. (HUGE GAPPING SECURITY HOLE)
Is there something special we need to do in rlm_sqlippool to get access to %{SQL-User-Name}?
Yes. Call sql_set_user(). Patch is attached. Also, the sqlippool_expand() function could be done better. The use of single-character values is awkward. Instead, it should register an xlat() function, to allow things like %{sqlippool:Pool-Name}. Hmm... that could be in the server core, come to think of it. Alan DeKok.