On May 19, 2020, at 3:38 AM, Charly <netflow@geosciences.ensmp.fr> wrote:
- i have local users stored in SQL database - i have LDAP users - in SQL database, i store Cisco-AVPair values for both of them
That's fine.
The SQL module doesn't process the radreply when user is not found in the radcheck table (=> LDAP users)
That's how the SQL module is defined to work... see https://wiki.freeradius.org/modules/Rlm_sql You can't just put random SQL queries into the server and expect them to re-implement the entire SQL module. What you need to do is to re-phrase your problem: if user is in ldap then look user up in SQL with a fixed name else look user up in SQL with their user name This is relatively simple. If you're not using realms / 802.1X, you can do: authorize { ... ldap if (ok) { update request { Stripped-User-Name := "LDAP" } } sql ... And then edit the file mods-config/sql/main/mysql/queries.conf, to set: sql_user_name = "%{Stripped-User-Name}:-%{%{User-Name}}" This will cause the SQL module to use Stripped-User-Name if it exists, otherwise it uses User-Name. And then the LDAP users can have a default entry in SQL, with user name "LDAP". You can, of course, change that to anything else you want. Alan DeKok.