I can't seem to make this work. I'm comparing some values in the post-auth section: if("(%{expr: %{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct where username='%{User-Name}'}})" < "(%{expr: %{sql:select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))+0}})") { update reply { Session-Timeout := "%{expr: %{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct where username='%{User-Name}'}}" } } else { update reply { Session-Timeout := "%{expr: (%{sql:select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))})}" } } The above code fails with a message (below) that says "(Right field is not a number at: (1371158700))". I tried adding a zero to force a number interpretation but this does nothing. I have checked every source I can find and I don't see anyhing that addresses this problem. Thoughts anyone? Bill rad_recv: Access-Request packet from host 127.0.0.1 port 59971, id=77, length=74 User-Name = "wrs" CHAP-Password = 0x4dab7bdecf6c70f078b77bfa11cebd490d NAS-IP-Address = 10.0.0.147 NAS-Port = 0 Message-Authenticator = 0xcf99944924652eda7706d17c69afca2c # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "wrs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> wrs [sql] sql_set_user escaped user --> 'wrs' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wrs' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wrs' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'wrs' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok [expiration] Checking Expiration time: '13 Jun 2013 21:25:00' ++[expiration] returns ok ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop rlm_sqlcounter: Entering module authorize code WARNING: Please replace '%k' with '${key}' sqlcounter_expand: 'SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{User-Name}'' [noresetcounter] expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{User-Name}' -> SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs' WARNING: Please replace '%S' with '${sqlmod-inst}' sqlcounter_expand: '%{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs'}' [noresetcounter] sql_xlat [noresetcounter] expand: %{User-Name} -> wrs [noresetcounter] sql_set_user escaped user --> 'wrs' [noresetcounter] expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs' -> SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs' rlm_sql (sql): Reserving sql socket id: 2 [noresetcounter] sql_xlat finished rlm_sql (sql): Released sql socket id: 2 [noresetcounter] expand: %{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs'} -> 12 rlm_sqlcounter: Check item is greater than query result rlm_sqlcounter: Authorized user wrs, check_item=600, counter=12 rlm_sqlcounter: Sent Reply-Item for user wrs, Type=Session-Timeout, value=180 ++[noresetcounter] returns ok Found Auth-Type = CHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "wrs" with CHAP password [chap] Using clear text password "test123" for user wrs authentication. [chap] chap user wrs authenticated succesfully ++[chap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop ++? if ("(%{expr: %{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct where username='%{User-Name}'}})" < "(%{expr: %{sql:select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))+0}})") sql_xlat expand: %{User-Name} -> wrs sql_set_user escaped user --> 'wrs' expand: select sum(acctsessiontime) from radacct where username='%{User-Name}' -> select sum(acctsessiontime) from radacct where username='wrs' rlm_sql (sql): Reserving sql socket id: 1 sql_xlat finished rlm_sql (sql): Released sql socket id: 1 expand: %{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct where username='%{User-Name}'} -> 600-12 expand: (%{expr: %{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct where username='%{User-Name}'}}) -> (588) sql_xlat expand: %{User-Name} -> wrs sql_set_user escaped user --> 'wrs' expand: select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))+0 -> select unix_timestamp(str_to_date('Jun 13 2013 21:25:00 UTC', '%b %d %Y %H:%i:%s'))+0 rlm_sql (sql): Reserving sql socket id: 0 sql_xlat finished rlm_sql (sql): Released sql socket id: 0 expand: %{sql:select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))+0} -> 1371158700 expand: (%{expr: %{sql:select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))+0}}) -> (1371158700) (Right field is not a number at: (1371158700)) ++- entering else else {...} sql_xlat expand: %{User-Name} -> wrs sql_set_user escaped user --> 'wrs' expand: select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s')) -> select unix_timestamp(str_to_date('Jun 13 2013 21:25:00 UTC', '%b %d %Y %H:%i:%s')) rlm_sql (sql): Reserving sql socket id: 4 sql_xlat finished rlm_sql (sql): Released sql socket id: 4 expand: (%{sql:select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))}) -> (1371158700) expand: %{expr: (%{sql:select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))})} -> 1371158700 +++[reply] returns noop ++- else else returns noop
Bill Schoolfield wrote:
The above code fails with a message (below) that says "(Right field is not a number at: (1371158700))". I tried adding a zero to force a number interpretation but this does nothing.
That error is produced by the SQL database, not by FreeRADIUS. My guess is that the error is because the number is larger than 2^32. Alan DeKok.
Actually this particular issue was the parenthesis around the number. I had added them in the expression to make sure the math occurred before the logical comparison. Without them though, unlang's IF seems to evaluate the first expression (a subtraction) and ignores things afterwards. So the IF always evaluated to true. I've concluded that the use of IF with multiple expressions won't work. So I have move this logic to perl. Bill On 6/13/2013 6:55 PM, Alan DeKok wrote:
Bill Schoolfield wrote:
The above code fails with a message (below) that says "(Right field is not a number at: (1371158700))". I tried adding a zero to force a number interpretation but this does nothing.
That error is produced by the SQL database, not by FreeRADIUS.
My guess is that the error is because the number is larger than 2^32.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 14/06/13 13:29, Bill Schoolfield wrote:
Actually this particular issue was the parenthesis around the number. I had added them in the expression to make sure the math occurred before the logical comparison.
Without them though, unlang's IF seems to evaluate the first expression (a subtraction) and ignores things afterwards. So the IF always evaluated to true.
I'm not sure I understand this. But the current unlang parser can be a bit picky.
I've concluded that the use of IF with multiple expressions won't work. So I have move this logic to perl.
There are other options. Specifically I often think it's better to expand to intermediate variables, then do logic on them: update request { Tmp-Integer-0 := "%{expr: ...}" Tmp-Integer-1 := "%{expr: ...}" } if (Tmp-Integer-0 > Tmp-Integer-1) { ... }
Bill Schoolfield wrote:
Actually this particular issue was the parenthesis around the number. I had added them in the expression to make sure the math occurred before the logical comparison.
The "man unlang" documentation describes the syntax it expects. Adding a random paranthesis won't work.
Without them though, unlang's IF seems to evaluate the first expression (a subtraction) and ignores things afterwards.
The first expression is an expansion, via %{expr:...}. It *does* work.
So the IF always evaluated to true.
I've concluded that the use of IF with multiple expressions won't work.
Well, no. It does work. If you use git "master" branch, it produces much better error messages. They were added for precisely these reasons. Alan DeKok.
participants (3)
-
Alan DeKok -
Bill Schoolfield -
Phil Mayers