Hello Alan, sorry to bother you. I did one last test and built new binary and revert few commits in 3.0.21 (attached to this email) in the rlm_sql modules and now freeradius take the safe_characters values from sql_degraded{...} section and not the sql {...} section anymore. (like it worked in freeradius 3.0.13) My skills in C are not good enough to find the issue but it looks that the "sql_escape_func" use the main sql section. Regards Fabrice Le 20-06-17 à 12 h 10, Alan DeKok a écrit :
On Jun 17, 2020, at 11:11 AM, Fabrice Durand <fdurand@inverse.ca> wrote:
I am not sure it's the case, the only place i defined safe_characters is in mods-enabled/sql OK.
I attached 2 debug outputs and the sql files used , the one with safe_characters defined in the sql {...} section (who works) and the other one with safe_characters defined in sql sql_degraded{...} (that doesn't works)
For me it looks that even if you define safe_characters in another section than the sql {...} one the code doesn't use it and use the one from the sql {...} section instead. Except that the code *always* looks at definition of safe_characters in the current configuration.
There's nothing in the rlm_sql source which says "search for the base SQL module and use that".
I did exactly the same tests on the FreeRADIUS version 3.0.13 (i am using another path for the configuration files than /etc/radiusd, so the files didn't changed) and it takes the safe_characters defined in the sql_degraded section.
Btw setting the safe_characters in sql{...} fixed my issue, but it looks to be a regression. I just took the current v3.0.x head, and created a "sql sql2" module, which uses MySQL. The main "sql" module is using sqlite. I edited the safe_characters definition in mods-config, and I see:
$ radiusd -X | grep safe safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" safe_characters = "YYY@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" safe_characters = "XXX@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
The first one is from rlm_expr. The second is from the sqlite definition that I edited. The third one is from the MySQL definition that I edited.
And from the debug output you posted:
# Loading module "sql_degraded" from file /usr/local/pf/raddb/mods-enabled/sql sql sql_degraded { driver = "rlm_sql_mysql" server = "127.0.0.1" port = 3306 login = "pf" password = <<< secret >>> radius_db = "pf" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id,nasname,shortname,type,secret FROM nas" group_membership_query = "" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /(),'"
So that seems to work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Fabrice Durand fdurand@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)