Hello, I'm translating a flat file configuration into a MySQL configuration, but I have some difficulties with huntgroups. An example of what I have in my flat file : 21 example@domain>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Cleartext-Password := "password" 22 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Service-Type = Framed-User, 23 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Framed-Protocol = PPP, 24 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Tunnel-Type = L2TP, 25 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Tunnel-Medium-Type = IP, 26 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Tunnel-Assignment-ID = "RAN.DOM.I.P", 27 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Tunnel-Server-Endpoint = "RAN.DOM.I.P", 28 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Tunnel-Client-Auth-ID = "auth_id", 29 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Tunnel-Password = "password_tunnel", 30 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Fall-Through = Yes 31 32 example@domain>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Cleartext-Password := "password", Huntgroup-Name == "one_huntgroup_name" 33 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Framed-IP-Address = STAT.IC.I.P So, if the request doesn't have the huntgroup set, only the first part is applied. Else, both are applied. In SQL, I'm going to create a group "example_users", with all the common data (line 22 to 30), an user "example@domain" who belongs to "example_users". I'm going to create an entry in radhuntgroup, with my "one_huntgroup_name" and the IP of my NAS. Now, I see one problem : how can I differenciate when a request has the user/pass/huntgroup and when it has only the user/pass ? I suppose that create 3 entries in readcheck won't work because it seems awkward. ( example@domain | Cleartext-Password | password | =: example@domain | Huntgroup-Name | one_huntgroup_name | == example@domain | Cleartext-Password | password | =: ) Does someone know a solution to this problem ? Thank you, Regards, Grégoire
gregoire.leroy@retenodus.net wrote:
Hello,
I'm translating a flat file configuration into a MySQL configuration, but I have some difficulties with huntgroups.
An example of what I have in my flat file :
21 example@domain>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Cleartext-Password := "password" 22 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Service-Type = Framed-User,
Well, no. There's no need to add line numbers. There's no need to replace tabs with ">.......". You're confusing the issue. Just copy text from the "users" file (which is it's name) to the email message. Email can do text.
In SQL, I'm going to create a group "example_users", with all the common data (line 22 to 30), an user "example@domain" who belongs to "example_users". I'm going to create an entry in radhuntgroup, with my "one_huntgroup_name" and the IP of my NAS.
Then try that out in the "users" file. The rlm_sql documentation says that it mirrors the functionality of the "users" file. So... don't change two things at once. Create the config you want in the "users" file as one step. As the next step, move it to SQL. Pretty much verbatim.
Now, I see one problem : how can I differenciate when a request has the user/pass/huntgroup and when it has only the user/pass ? I suppose that create 3 entries in readcheck won't work because it seems awkward. ( example@domain | Cleartext-Password | password | =: example@domain | Huntgroup-Name | one_huntgroup_name | == example@domain | Cleartext-Password | password | =: )
Well, the first and second one are identical. So they're duplicates, and you only need one. But the second one checks for something different, so it's different. Alan DeKok.
Hello, Le 2013-04-20 15:23, Alan DeKok a écrit :
gregoire.leroy@retenodus.net wrote:
Hello,
I'm translating a flat file configuration into a MySQL configuration, but I have some difficulties with huntgroups.
An example of what I have in my flat file :
21 example@domain>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Cleartext-Password := "password" 22 >⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅>⋅⋅⋅⋅⋅⋅⋅Service-Type = Framed-User,
Well, no. There's no need to add line numbers. There's no need to replace tabs with ">.......".
You're confusing the issue. Just copy text from the "users" file (which is it's name) to the email message. Email can do text.
That's exactly what I did, it's how my editor shows it. I thought it would be more readable. I won't do it next time, thanks.
In SQL, I'm going to create a group "example_users", with all the common data (line 22 to 30), an user "example@domain" who belongs to "example_users". I'm going to create an entry in radhuntgroup, with my "one_huntgroup_name" and the IP of my NAS.
Then try that out in the "users" file. The rlm_sql documentation says that it mirrors the functionality of the "users" file.
So... don't change two things at once. Create the config you want in the "users" file as one step. As the next step, move it to SQL. Pretty much verbatim.
I don't understand : I already have huntgroups in my flat file. I didn't show the radhuntgroup file, but I thought that the fact I mention it in the users file would be sufficient.
Now, I see one problem : how can I differenciate when a request has the user/pass/huntgroup and when it has only the user/pass ? I suppose that create 3 entries in readcheck won't work because it seems awkward. ( example@domain | Cleartext-Password | password | =: example@domain | Huntgroup-Name | one_huntgroup_name | == example@domain | Cleartext-Password | password | =: )
Well, the first and second one are identical. So they're duplicates, and you only need one.
But the second one checks for something different, so it's different.
I am very sorry, but I don't understand your point. Maybe you meant the "first and the third one are identical" ? If so, yes I know. Maybe my question was unclear. First, I want to check is the user has the right password. If he has the right password, I want to give him a configuration and if he's in the "one_huntgroup_name" (i.e he's from a special NAS), I want to give him the Framed-IP-Address. That's the current behavior of my users file, and I want to translate it in SQL. Do you know how to do that ? Thanks for your help, Regards, Gregoire Leroy
gregoire.leroy@retenodus.net wrote:
First, I want to check is the user has the right password. If he has the right password, I want to give him a configuration and if he's in the "one_huntgroup_name" (i.e he's from a special NAS), I want to give him the Framed-IP-Address. That's the current behavior of my users file, and I want to translate it in SQL. Do you know how to do that ?
Yes. I said the rlm_sql documentation says that it mirrors the functionality of the "users" file. Read the documentation. To a very large extent, you can just take the "users" file entries, and map them directly to the SQL tables. Alan DeKok.
Hello, Le 2013-04-22 15:33, Alan DeKok a écrit :
gregoire.leroy@retenodus.net wrote:
First, I want to check is the user has the right password. If he has the right password, I want to give him a configuration and if he's in the "one_huntgroup_name" (i.e he's from a special NAS), I want to give him the Framed-IP-Address. That's the current behavior of my users file, and I want to translate it in SQL. Do you know how to do that ?
Yes. I said the rlm_sql documentation says that it mirrors the functionality of the "users" file.
Read the documentation.
I have actually read the documentation, and the wiki about SQL. Really. Otherwise, I wouldn't have sent the first email. I'm going to be more specific about what I don't understand. In my user files, I have two lines to check. First, "example@domain Cleartext-Password := "password", which gives a reply if the user is authenticated. Secondly, "example@domain Cleartext-Password := "password", Huntgroup-Name == "one_huntgroup_name"", which adds something in the reply if the user is authenticated AND from the right NAS. A litteral translation in database would be what I said before : In radcheck : example@domain | Cleartext-Password | password | =: example@domain | Huntgroup-Name | one_huntgroup_name | == example@domain | Cleartext-Password | password | =: But you told me (and I totally understand that) that wouldn't work. In the user files, it's simple : I can have a line with two things to check, and just put the reply under the check line. In database, I don't really have this order. It's really a mapping matter. Finally, in the users file, I do : IF condition1 ADD that IF condition1 AND condition2 ADD that It's the double condition1 which gives me problem to translate it. I hope my problem is more clear. If you want, when the project will be done, I'll add a page on the wiki so that you don't have to answer that again. Thank you for your help, Regards, Grégoire Leroy
gregoire.leroy@retenodus.net wrote:
I have actually read the documentation, and the wiki about SQL. Really. Otherwise, I wouldn't have sent the first email. I'm going to be more specific about what I don't understand.
OK. That's good.
In my user files, I have two lines to check.
First, "example@domain Cleartext-Password := "password", which gives a reply if the user is authenticated.
Not exactly... it *sets* the Cleartext-Password for the user. Authentication happens later.
Secondly, "example@domain Cleartext-Password := "password", Huntgroup-Name == "one_huntgroup_name"", which adds something in the reply if the user is authenticated AND from the right NAS.
No. See "man users". The ":=" operator *sets* the Cleartext-Password. It doesn't *check* it.
In the user files, it's simple : I can have a line with two things to check, and just put the reply under the check line. In database, I don't really have this order. It's really a mapping matter.
That's really the only difference between the two. Everything else maps directly.
Finally, in the users file, I do : IF condition1 ADD that IF condition1 AND condition2 ADD that
It's the double condition1 which gives me problem to translate it.
The "users" file entries don't do what you think. That's at least part of the problem. So... what do you want to do? You've been very clear that you want help with a particular *solution*. Because your assumptions are wrong, your solution is wrong. So I can't really help you with that. What do you have, and hat do you want? - you want the user to be authenticated - you want reply X for NAS X, and reply Y for NAS not X? - ??? Write it out in plain english. It should then be easy to figure out how to map it to the server configuration. Alan DeKok.
Hello,
So... what do you want to do? You've been very clear that you want help with a particular *solution*. Because your assumptions are wrong, your solution is wrong. So I can't really help you with that.
What do you have, and hat do you want?
- you want the user to be authenticated
- you want reply X for NAS X, and reply Y for NAS not X?
- ???
Write it out in plain english. It should then be easy to figure out how to map it to the server configuration.
I want the following behaviour : 1) Set the password for the user 2) Authentication of the user 3) X is always added to the reply if the user is authenticated 4) Moreover, Y is added to the reply for NAS, still if the user is authenticated. In my current configuration, with users files it works well. Now, if I understand correctly, authentication is not handled by the users/SQL module, so the only steps concerned here are 1,3 and 4. For 1, it seems obvious : radcheck : example@domain | Cleartext-Password | password | =: For 3, I juste have to add each attributes in radreply, no problem here. For 4, it's more complicated... First, radhuntgroup : 1 | one_huntgroup_name| IP_NAS | NULL | Now, documentation seems to say I have to add something in my authorize{} section, but the only mention of authorize in my current configuration is : authorize { ok # respond to the Status-Server request. Autz-Type Status-Server { ok } } Did I miss something ? Am I more clear ? Thanks for your help, Regards, Grégoire
gregoire.leroy@retenodus.net wrote:
I want the following behaviour :
1) Set the password for the user 2) Authentication of the user 3) X is always added to the reply if the user is authenticated 4) Moreover, Y is added to the reply for NAS, still if the user is authenticated.
That's pretty straightforward.
Now, if I understand correctly, authentication is not handled by the users/SQL module, so the only steps concerned here are 1,3 and 4.
Yes.
Now, documentation seems to say I have to add something in my authorize{} section, but the only mention of authorize in my current configuration is :
authorize { ok
# respond to the Status-Server request. Autz-Type Status-Server { ok } }
Did I miss something ? Am I more clear ?
Uh... someone *destroyed* your configuration. That's not right. Are you sure you're using the "users" file? The "files" module isn't listed above... so it looks like you're not using it. Alan DeKok.
Now, documentation seems to say I have to add something in my authorize{} section, but the only mention of authorize in my current configuration is :
authorize { ok
# respond to the Status-Server request. Autz-Type Status-Server { ok } }
Did I miss something ? Am I more clear ?
Uh... someone *destroyed* your configuration. That's not right.
Are you sure you're using the "users" file? The "files" module isn't listed above... so it looks like you're not using it.
My fault : I've open status instead of default. For the step 4, I have to : 1) Retrieve the huntgroup 2) Compare it with what the user sends 3) If it matches, give him his specific statement. So, if I understand correctly in the authorize section, I have to maintain a radipusers table for my IP/users and do something like : 1) update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" } 2) if Huntgroup-Name == 'one_huntgroup_name' { 3) Framed-IP-Address = "%{sql:SELECT ip FROM radipusers WHERE user='%{username}'}" } Is there something wrong in what I just said ? Thanks you, Regards, Grégoire Leroy
gregoire.leroy@retenodus.net wrote:
My fault : I've open status instead of default.
I have no idea what that means. All of my help is presuming that you're starting off with the default configuration. If you've butchered it, you're on your own.
For the step 4, I have to : 1) Retrieve the huntgroup 2) Compare it with what the user sends 3) If it matches, give him his specific statement.
So, if I understand correctly in the authorize section, I have to maintain a radipusers table for my IP/users and do something like :
1) update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" }
2) if Huntgroup-Name == 'one_huntgroup_name' { 3) Framed-IP-Address = "%{sql:SELECT ip FROM radipusers WHERE user='%{username}'}" }
Is there something wrong in what I just said ?
I'm really not sure. All I can say is try it, and see if it works. Alan DeKok.
For the step 4, I have to : 1) Retrieve the huntgroup 2) Compare it with what the user sends 3) If it matches, give him his specific statement.
So, if I understand correctly in the authorize section, I have to maintain a radipusers table for my IP/users and do something like :
1) update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" }
2) if Huntgroup-Name == 'one_huntgroup_name' { 3) Framed-IP-Address = "%{sql:SELECT ip FROM radipusers WHERE user='%{username}'}" }
Is there something wrong in what I just said ?
I'm really not sure.
All I can say is try it, and see if it works.
I tried it and it worked. However, it worked only because the specific statement was : "Framed-IP-Address = IP.ADD.RE.SS" (Remind : the wanted behaviour is I want the following behaviour : 1) Set the password for the user 2) Authentication of the user 3) X is always added to the reply if the user is authenticated 4) Moreover, Y is added to the reply for NAS, still if the user is authenticated.) What I would like instead of my dumb radipusers table (id | username | ip), is a table which looks like radreply (id | username | attribute | op | value) I could use with unlang. The thing I want to be added by radius in the reply : if (Huntgroup-Name == 'one_huntgroup_name') { Attribute1 op1 value1 Attribute2 op2 value2 ... Attributei opi valuei } Given that Attribute,op,value 1...i are in the MySQL table. Is it possible to get that by unlang / SQL ? I've read the unlang manpage, and I don't see any information which would enable me to do that. I've tried something without so much hope, and without success : "%{sql:SELECT attribute from radreply where username='%{request:User-Name}'}" = "%{sql:SELECT value from radreply where username='%{User-Name}'}" Thank you for your help, Regards, Grégoire Leroy
Hi,
The thing I want to be added by radius in the reply : if (Huntgroup-Name == 'one_huntgroup_name') { Attribute1 op1 value1 Attribute2 op2 value2 ... Attributei opi valuei } Given that Attribute,op,value 1...i are in the MySQL table.
if (Huntgroup-Name == 'one_huntgroup_name') { update reply { attribute1 := "%{sql:SELECT blah blah} attribute2 := "%{sql:SELECT blah blah} attribute3 := "%{sql:SELECT blah blah} attribute4 := "%{sql:SELECT blah blah} } }
alan
Hello,
if (Huntgroup-Name == 'one_huntgroup_name') { update reply { attribute1 := "%{sql:SELECT blah blah} attribute2 := "%{sql:SELECT blah blah} attribute3 := "%{sql:SELECT blah blah} attribute4 := "%{sql:SELECT blah blah} } }
The thing is, I don't know how many attributes I have. It could be 1, 4, 10 and not always the same. That's why I want to retrieve from the database the value, the op and the attribute. Thanks, Regards
Hi,
The thing is, I don't know how many attributes I have. It could be 1, 4, 10 and not always the same. That's why I want to retrieve from the database the value, the op and the attribute.
???? just use authorize_group_reply_query and the "groupreply_table = "radgroupreply"" part of sql.conf ? alan
Hi, Le Monday 29 April 2013 20:30:15, A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
The thing is, I don't know how many attributes I have. It could be 1, 4, 10 and not always the same. That's why I want to retrieve from the database the value, the op and the attribute.
???? just use authorize_group_reply_query and the "groupreply_table = "radgroupreply"" part of sql.conf ?
Maybe I was not clear enough above. What I want is : 1) Set the password for the user 2) Authentication of the user 3) X is always added to the reply if the user is authenticated 4) Moreover, Y is added to the reply for NAS, still if the user is authenticated I use radreply for X, the issue here is step 4. The how-to on the wiki about huntgroups and SQL recommends to use unlang in the authorize section. So, I update the request to assign the Huntgroup- Name attribute, and use unlang to add the Y configuration (user dependent) if the huntgroupname is "one_huntgroup_name". That's why I maintain a seperate table, for Y configuration, and I would like to be able to dynamically update my request with the attributes,op,values of the user. Is it possible ? If not, I could just put my X+Y configuration in radreply and using unlang, delete Y if the request is not from the right NAS. But I don't like add something to delete it after, if possible. Thank you for your help, Regards, Grégoire Leroy
On Tue, Apr 30, 2013 at 4:31 AM, Grégoire Leroy <gregoire.leroy@retenodus.net> wrote:
Maybe I was not clear enough above.
What I want is : 1) Set the password for the user 2) Authentication of the user 3) X is always added to the reply if the user is authenticated 4) Moreover, Y is added to the reply for NAS, still if the user is authenticated
I use radreply for X, the issue here is step 4. The how-to on the wiki about huntgroups and SQL recommends to use unlang in the authorize section. So, I update the request to assign the Huntgroup- Name attribute, and use unlang to add the Y configuration (user dependent) if the huntgroupname is "one_huntgroup_name".
That's not what the wiki said. Well, you can do that, but it doesn't say that you can ONLY do that. You can do other stuff as well. http://wiki.freeradius.org/guide/SQL-Huntgroup-HOWTO#More-examples It pretty much said that: - you need to add an entry to radgroupcheck, so that when Huntgroup-Name matches a value (site_a), an SQL group (site_a_admins) will be assigned - you add entries to radgroupreply to return whatever-attribute-value-pairs-you-want for site_a_admins group.
That's why I maintain a seperate table, for Y configuration, and I would like to be able to dynamically update my request with the attributes,op,values of the user.
Is it possible ?
Read the wiki. -- Fajar
Hello,
It pretty much said that: - you need to add an entry to radgroupcheck, so that when Huntgroup-Name matches a value (site_a), an SQL group (site_a_admins) will be assigned - you add entries to radgroupreply to return whatever-attribute-value-pairs-you-want for site_a_admins group.
I don't understand. The wiki and you seem to explain how to add the same configuration to the reply for all the users from a NAS. Indeed, with your example, all the users from site_a would have the same attributes from site_a_admins group. I want to add something which is user-dependent (like, for example, but not only, his IP address). To do that, with your example, I would be forced to create one group per user, and I really don't like that (it seems ugly). Thank you, Regards, Grégoire Leroy
On Tue, Apr 30, 2013 at 3:09 PM, <gregoire.leroy@retenodus.net> wrote:
Hello,
It pretty much said that: - you need to add an entry to radgroupcheck, so that when Huntgroup-Name matches a value (site_a), an SQL group (site_a_admins) will be assigned - you add entries to radgroupreply to return whatever-attribute-value-pairs-you-want for site_a_admins group.
I don't understand. The wiki and you seem to explain how to add the same configuration to the reply for all the users from a NAS. Indeed, with your example, all the users from site_a would have the same attributes from site_a_admins group. I want to add something which is user-dependent (like, for example, but not only, his IP address). To do that, with your example, I would be forced to create one group per user, and I really don't like that (it seems ugly).
Wow. So per user, AND per NAS? AFAIK it would pretty much be as ugly in SQL as it would be in users file. And you also need to modify the SELECT query to include User-Name instead of just NAS-IP-Address. Yes, you'd need to create one group per user-NAS combination, but you'd also need a spearate entry in users file for the same thing if you use files instead of sql. So IMHO it's roughly the same. -- Fajar
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Fajar A. Nugraha -
gregoire.leroy@retenodus.net -
Grégoire Leroy