Hi I am running FreeRADIUS v2.1.6. Problem is found when SQL works in 'users'. sql.conf: sql sql_auth { Some auth-queries... } sql sql_acct { Some acct-queries... } radiusd.conf: authorize { files sql_auth } users: DEFAULT SQL-Group == 'Group1' ... But files chooses sql_acct (alphabetic first) as sql entry. How to choose sql_auth?
users: DEFAULT SQL-Group == 'Group1' ...
But files chooses sql_acct (alphabetic first) as sql entry. How to choose sql_auth?
http://wiki.freeradius.org/Rlm_ldap#Group_Support Same applies to sql groups. Ivan Kalik Kalik Informatika ISP
Hi. I tried to use sql_auth-SQL-Group like ldap example (DEFAULT sql_auth-SQL-Group == "Group1"), but FR-server failed with error 'users[1]: Parse error (check) for entry DEFAULT: Invalid octet string "Group1" for attribute name "sql_auth-SQL-Group"'. This error says that attribute is not defined into dictionary. I had got success when 'sql_auth' was defined as last entry into instantiate { }. But I think that this solution is unsecure and wrong. On Fri, Aug 21, 2009 at 07:14:32PM +0100, Ivan Kalik wrote:
users: DEFAULT SQL-Group == 'Group1' ...
But files chooses sql_acct (alphabetic first) as sql entry. How to choose sql_auth?
http://wiki.freeradius.org/Rlm_ldap#Group_Support
Same applies to sql groups.
On Fri, Aug 21, 2009 at 07:14:32PM +0100, Ivan Kalik wrote:
users: DEFAULT SQL-Group == 'Group1' ...
But files chooses sql_acct (alphabetic first) as sql entry. How to choose sql_auth?
http://wiki.freeradius.org/Rlm_ldap#Group_Support
Same applies to sql groups.
Ivan Kalik Kalik Informatika ISP
On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
George Koulyabin wrote:
I had got success when 'sql_auth' was defined as last entry into instantiate { }. But I think that this solution is unsecure and wrong.
Why is that?
For example, I added new sql-module into sql.conf and forgot to fix order of loading of sql-modules into instantiate { }. I tried to do it. The 'users' used last sql-module of sql.conf. Variable 'sqlmod-inst' is used by 'sqlcounter'-module, but why isn't such variable used into 'files'-module?
Alan DeKok.
George Koulyabin wrote:
On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
George Koulyabin wrote:
I had got success when 'sql_auth' was defined as last entry into instantiate { }. But I think that this solution is unsecure and wrong. Why is that?
For example, I added new sql-module into sql.conf and forgot to fix order of loading of sql-modules into instantiate { }. I tried to do it. The 'users' used last sql-module of sql.conf. Variable 'sqlmod-inst' is used by 'sqlcounter'-module, but why isn't such variable used into 'files'-module?
(a) That doesn't make it "unsecure". (b) you may have MULTIPLE sql modules, and may be doing MULTIPLE sql group comparisons in the "files" module. Adding one "sqlmod-inst" to the "files" module won't help you try to use MULTIPLE sql modules. Alan DeKok.
Hi. On Mon, Aug 24, 2009 at 02:59:27PM +0200, Alan DeKok wrote:
George Koulyabin wrote:
On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
George Koulyabin wrote:
I had got success when 'sql_auth' was defined as last entry into instantiate { }. But I think that this solution is unsecure and wrong. Why is that?
For example, I added new sql-module into sql.conf and forgot to fix order of loading of sql-modules into instantiate { }. I tried to do it. The 'users' used last sql-module of sql.conf. Variable 'sqlmod-inst' is used by 'sqlcounter'-module, but why isn't such variable used into 'files'-module?
(a) That doesn't make it "unsecure".
Your words are true. I can't say that rejecting of authorization is unsecure.
(b) you may have MULTIPLE sql modules, and may be doing MULTIPLE sql group comparisons in the "files" module. Adding one "sqlmod-inst" to the "files" module won't help you try to use MULTIPLE sql modules.
Supposing it were available to use MULTIPLE files modules and unlang, I could use different 'users'-files. In addition, I can use a few virtual servers.
On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
George Koulyabin wrote:
I had got success when 'sql_auth' was defined as last entry into instantiate { }. But I think that this solution is unsecure and wrong.
Why is that?
For example, I added new sql-module into sql.conf and forgot to fix order of loading of sql-modules into instantiate { }.
So you think freeradius is faulty and unsecure because it didn't work the way you wanted when you didn't configure it properly?
Variable 'sqlmod-inst' is used by 'sqlcounter'-module, but why isn't such variable used into 'files'-module?
sqlcounter will instatiate sql instance it needs before it is instantiated. Files module will not instatiate all possible sql, ldap, counter and whatever instances that might field attributes in it. You will have to add them to instatiate if they are not loaded *before* files module on server startup. If you list those instances before files in authorize they should also be instantiated before files on startup. Ivan Kalik Kalik Informatika ISP
I tried to use sql_auth-SQL-Group like ldap example (DEFAULT sql_auth-SQL-Group == "Group1"), but FR-server failed with error 'users[1]: Parse error (check) for entry DEFAULT: Invalid octet string "Group1" for attribute name "sql_auth-SQL-Group"'. This error says that attribute is not defined into dictionary. I had got success when 'sql_auth' was defined as last entry into instantiate { }.
Yes, you do need to list them in instatiate if files are instatiated first in startup sequence. But you can change the order the modules are listed.
But I think that this solution is unsecure and wrong.
Why? Ivan Kalik Kalik Informatika ISP
participants (4)
-
Alan DeKok -
George -
George Koulyabin -
Ivan Kalik