Login-Time and Session-Time Conflict
We are using both Login-Time and Session-Time attributes with a rlm_sql configuration and the Login-Time attribute is always overriding the Session-Time. Meaning that if the Session-Time attribute value is less than the timeSpan difference of the Login-Time, the Login-Time timespan difference is still returned as the Session-Time value. I remember reading somewhere that in cases of both attributes being used, the most restrictive should be returned, however this is not happening. Can someone confirm what the real implementation is? We are running freeradius 1.1.1 on a Gentoo linux platform. BTW -- If this is the desired functionality does anyone know a way to get our desired functionality of the smallest Session-Time being used instead of Login-Time? Thank you, Adam
"Adam Tybor" <adam.tybor@gmail.com> wrote:
I remember reading somewhere that in cases of both attributes being used, the most restrictive should be returned, however this is not happening. Can someone confirm what the real implementation is? We are running freeradius 1.1.1 on a Gentoo linux platform.
If you set Session-Time *before* Login-Time, the Login-Time code does the right thing. If you set Session-Time *after* Login-Time, then you have to check the values manually. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan, I tried that prior and I just confirmed it. I have the following two rows in my radcheck table and I made sure the natural sort, without the id, that Session-Timeout comes before Login-Time and I still always get the Login-Time timespan diff as my Session-Timeout value. Interestingly enough when I debug on the server I see no debug output for rlm_logintime module. Was this module not included in 1.1.1because when I look at the cvs source code I see where the check is made and see tons of DEBUG statements that are not showing up on my console. Below is an example from my database and test. radcheck id user attrib op value 3 freeunlimited Session-Timeout := 120 4 freeunlimited Login-Time := Thu-2030-2130,Fri-1300-1600 radtest response: Access-Accept ------- attrib dump------ Session-Timeout=9060 Adam On 9/29/06, Alan DeKok <aland@deployingradius.com> wrote:
"Adam Tybor" <adam.tybor@gmail.com> wrote:
I remember reading somewhere that in cases of both attributes being used, the most restrictive should be returned, however this is not happening. Can someone confirm what the real implementation is? We are running freeradius 1.1.1 on a Gentoo linux platform.
If you set Session-Time *before* Login-Time, the Login-Time code does the right thing. If you set Session-Time *after* Login-Time, then you have to check the values manually.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Adam Tybor" <adam.tybor@gmail.com> wrote:
I have the following two rows in my radcheck table and I made sure the natural sort, without the id, that Session-Timeout comes before Login-Time
OK... looking at src/main/auth.c, the Login-Time update of Session-Timeout is done just before the Access-Accept is returned, so that should be working.
Interestingly enough when I debug on the server I see no debug output for rlm_logintime module. Was this module not included in 1.1.1because when I look at the cvs source code I see where the check is made and see tons of DEBUG statements that are not showing up on my console.
The module is not in 1.1.1. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Adam Tybor -
Alan DeKok