rlm_sql: can I avoid queries on radcheck?
Hi, we're using rlm_sql to perform authorization based on a couple of sql tables ('eduroam_diritto_uso' and 'eduroam_mac_registrati') , it's working fine. Now mysql logs show that radiusd is still performing queries on radcheck, radgroupcheck. Can I avoid this (since these tables are empty so we're not using them)? I know this is nothing vital, but if it's easy done... I've managed to avoid queries on radgroupcheck commenting out the "group_membership_query" in dalup.conf. I thought that I could now comment out the "authorize_check_query" to avoid queries radchek, but no, I get an error: [sql] expand: -> [sql] Error generating query; rejecting user Thanks a lot in advance, Stefano authorize { preprocess rewrite.calling_station_id sql if ("%{sql:SELECT count(*) FROM eduroam_mac_registrati AS m, eduroam_diritto_uso AS d WHERE m.username = d.username AND m.mac='%{Calling-Station-Id}' and d.diritto='S'}" == 1){ ok update control { Auth-Type := Accept } } else { reject } auth_log eap openldap mschap }
On 12/10/12 12:15, Stefano Zanmarchi wrote:
Hi, we're using rlm_sql to perform authorization based on a couple of sql tables ('eduroam_diritto_uso' and 'eduroam_mac_registrati') , it's working fine. Now mysql logs show that radiusd is still performing queries on radcheck, radgroupcheck. Can I avoid this (since these tables are empty so we're not using them)?
If you don't want to run the "sql" queries, just remove the "sql" module from the "authorize" section.
I know this is nothing vital, but if it's easy done... I've managed to avoid queries on radgroupcheck commenting out the "group_membership_query" in dalup.conf. I thought that I could now comment out the "authorize_check_query" to avoid queries radchek, but no, I get an error: [sql] expand: -> [sql] Error generating query; rejecting user
Thanks a lot in advance, Stefano
authorize { preprocess rewrite.calling_station_id sql
Just remove the line above. You might need to add "sql" to the "instantiate { }" section, to ensure the module is loaded and available for the XLAT you use below.
if ("%{sql:SELECT count(*) FROM eduroam_mac_registrati AS m, eduroam_diritto_uso AS d WHERE m.username = d.username AND m.mac='%{Calling-Station-Id}' and d.diritto='S'}" == 1){ ok update control { Auth-Type := Accept } } else { reject }
auth_log eap openldap mschap } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Exactly what I needed. Just one more thing. Why does the mysql log show that the query performed with XLAT is now performed 3 times in a row per access request? Thank you, Stefano [output from mysql:] 121012 14:20:39 394 Query SELECT count(*) FROM eduroam_mac_registrati AS m, eduroam_diritto_uso AS d WHERE m.username = d.username AND m.mac='98-4b-4a-f5-bf-41' and d.diritto='S' 393 Query SELECT count(*) FROM eduroam_mac_registrati AS m, eduroam_diritto_uso AS d WHERE m.username = d.username AND m.mac='98-4b-4a-f5-bf-41' and d.diritto='S' 392 Query SELECT count(*) FROM eduroam_mac_registrati AS m, eduroam_diritto_uso AS d WHERE m.username = d.username AND m.mac='98-4b-4a-f5-bf-41' and d.diritto='S'
On 12 Oct 2012, at 13:23, Stefano Zanmarchi <zanmarchi@gmail.com> wrote:
Exactly what I needed. Just one more thing. Why does the mysql log show that the query performed with XLAT is now performed 3 times in a row per access request? Thank you, Stefano
[output from mysql:] 121012 14:20:39 394 Query SELECT count(*) FROM eduroam_mac_registrati AS m, eduroam_diritto_uso AS d WHERE m.username = d.username AND m.mac='98-4b-4a-f5-bf-41' and d.diritto='S' 393 Query SELECT count(*) FROM eduroam_mac_registrati AS m, eduroam_diritto_uso AS d WHERE m.username = d.username AND m.mac='98-4b-4a-f5-bf-41' and d.diritto='S' 392 Query SELECT count(*) FROM eduroam_mac_registrati AS m, eduroam_diritto_uso AS d WHERE m.username = d.username AND m.mac='98-4b-4a-f5-bf-41' and d.diritto='S'
Sent pull request to fixup that code a bit. The authorize query will now just go ahead and run the reply query and the rest of the queries if authorize_check_query is null. There are still some advantages to using the proper reply table and the sql module (adding multiple reply attributes for example). -Arran
participants (3)
-
Arran Cudbard-Bell -
Phil Mayers -
Stefano Zanmarchi