Hi all, I'm wondering about procedure of precessing radcheck&radgroupcheck database tables. On http://wiki.freeradius.org/Rlm_sql we can read: Group processing then begins if any of the following conditions are met: * The user IS NOT found in radcheck * The user IS found in radcheck, but the check items don't match ... Ok, the first point I can imagine that if the user is not found we still can accept the "generic" user and give him some reply attributes based on further group processing. But the 2nd point I do not understand. Few lines below on wiki we can read:
For any fairly complex setup, it is likely that most of the actual processing will be done in the groups. In these cases, the user entry in radcheck will be of limited use except for things like setting the user's password.
In fact in my case(I believe in almost all of the cases) we DO check users against their passwords. If this check fails we should reject the user else we give him reply attributes based on group membership and accept the request. Thus my question is: why to continue in group processing when the check items(password,...) in radcheck do not match? This leads to accepting users giving valid username but incorrect password... Here is my patch which enables read_groups option and targets the issue above(rejects user immediately if it's found that the radcheck failed): Index: src/modules/rlm_sql/rlm_sql.c =================================================================== RCS file: /source/radiusd/src/modules/rlm_sql/rlm_sql.c,v retrieving revision 1.165 diff -u -r1.165 rlm_sql.c --- src/modules/rlm_sql/rlm_sql.c 5 Apr 2007 10:52:37 -0000 1.165 +++ src/modules/rlm_sql/rlm_sql.c 12 Apr 2007 09:54:34 -0000 @@ -57,6 +57,8 @@ offsetof(SQL_CONFIG,tracefile), NULL, SQLTRACEFILE}, {"readclients", PW_TYPE_BOOLEAN, offsetof(SQL_CONFIG,do_clients), NULL, "no"}, + {"read_groups", PW_TYPE_BOOLEAN, + offsetof(SQL_CONFIG,read_groups), NULL, "yes"}, {"deletestalesessions", PW_TYPE_BOOLEAN, offsetof(SQL_CONFIG,deletestalesessions), NULL, "yes"}, {"num_sql_socks", PW_TYPE_INTEGER, @@ -638,6 +640,11 @@ /* * Only do this if *some* check pairs were returned */ + DEBUG2("rlm_sql (%s): check items", inst->config->xlat_name); + vp_listdebug(check_tmp); + DEBUG2("rlm_sql (%s): items found in packet", inst->config->xlat_name); + vp_listdebug(request->packet->vps); + if (paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) == 0) { found = 1; DEBUG2("rlm_sql (%s): User found in group %s", @@ -960,6 +967,11 @@ dofallthrough = fallthrough(reply_tmp); pairxlatmove(request, &request->reply->vps, &reply_tmp); pairxlatmove(request, &request->config_items, &check_tmp); + } else { + /* + * check items did not match; do not process groups; return REJECT immediately + */ + return RLM_MODULE_REJECT; } } Hope this helps someone. Milan Holub holub (at) thenet (dot) ch -------------------------------------- TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129 CH-3018, Bern, Switzerland 031 998 4333, Fax 031 998 4330 http://www.thenet.ch http://wlan.thenet.ch --------------------------------------