Some notes on recent changes

Alexander M. Pravking fduch at antar.bryansk.ru
Wed Aug 3 04:48:34 CEST 2005


First of all, I'd like to thank the development team for the great work
done (I didn't keep track of FreeRADIUS for some time). So I have a bug
report (submitted to bugzilla) and some notes, hopefully useful for the
project.


The minimum-timeout of the rlm_logintime module is more likely to be a
global post-authorization configuration option, i.e. if it's set, always
check that Session-Timeout in the Access-Accept reply (if it exists) is
greater than specified, else reject the user.


In doc/ChangeLog, virtual modules are mentioned, with a reference to
the "modules" section of radiusd.conf. However, the note on them is in
the "instantiate" section.


For rlm_exec, it could be useful to set environment variables for script
return codes, like
	char codestr[3];
	snprintf(codestr, 3, "%d", RLM_MODULE_OK);
	setenv("RLM_MODULE_OK", codestr, 1);
	...
This may be done either after fork, or at module initialization, for the
radiusd process itself.


One may want to distinguish zapped sessions from normally stopped ones.
It's not good to extend standard RADIUS attributes, but how about
defining a new value Acct-Terminate-Cause = Stale-Session and adding it
to the fake stop request?

As an alternative, it might be a good idea to add an accounting_zap
"method" for modules...


In postgresql.conf, there are commented out authorize_check_query and
authorize_reply_query noted as "for case sensitive usernames". First,
that's wrong, they are for case-INsensitive searches. Second, for
PostgreSQL it's more efficient to use
	lower(UserName) = lower('%{SQL-User-Name}')
One using these queries might then want to build appropriate indices:
	CREATE INDEX radcheck_lower_username_idx ON radcheck (lower(UserName));
	CREATE INDEX radreply_lower_username_idx ON radreply (lower(UserName));
The same for authorize_group_{check,reply}_query.

I'd also recommend replacing most of the VARCHAR(N) columns with TEXT in
the PostgreSQL database schema unless there's a real necessity to
restrict their length at database level.

Finally, TIMESTAMP WITH TIME ZONE may be written as TIMESTAMPTZ, which
is much shorter ;) And there's no need to cast now() to timestamptz in
queries - that's what it already is.


-- 
Fduch M. Pravking
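
The rlm_exec suggestion in the message above, written out as a stand-alone sketch (an added example, not code from the original post or from FreeRADIUS). The enum is a local stand-in whose values are an assumption, and export_rcodes() and child_exit_status() are hypothetical names; the buffer is sized from sizeof and the snprintf() result is checked so a truncated number is never exported.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L /* setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

/* Local stand-in for the server's return codes (assumption: in the real
 * tree the names and values come from the FreeRADIUS headers). */
enum { RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK, RLM_MODULE_HANDLED,
       RLM_MODULE_INVALID, RLM_MODULE_USERLOCK, RLM_MODULE_NOTFOUND,
       RLM_MODULE_NOOP, RLM_MODULE_UPDATED };

#define RCODE(x) { #x, x }
static const struct { const char *name; int value; } rcode_table[] = {
	RCODE(RLM_MODULE_REJECT), RCODE(RLM_MODULE_FAIL), RCODE(RLM_MODULE_OK),
	RCODE(RLM_MODULE_HANDLED), RCODE(RLM_MODULE_INVALID),
	RCODE(RLM_MODULE_USERLOCK), RCODE(RLM_MODULE_NOTFOUND),
	RCODE(RLM_MODULE_NOOP), RCODE(RLM_MODULE_UPDATED),
};

/* Hypothetical helper: export every code as NAME=<decimal>. Returns the
 * number of variables set, or -1 on truncation or setenv() failure. */
int export_rcodes(void)
{
	char buf[12]; /* any 32-bit int, sign and NUL included */
	size_t i, n = sizeof(rcode_table) / sizeof(rcode_table[0]);

	for (i = 0; i < n; i++) {
		int len = snprintf(buf, sizeof(buf), "%d", rcode_table[i].value);
		if (len < 0 || (size_t)len >= sizeof(buf))
			return -1; /* value did not fit; do not export it */
		if (setenv(rcode_table[i].name, buf, 1) != 0)
			return -1;
	}
	return (int)n;
}

/* Run a shell snippet as a child and return its exit status (-1 on error). */
int child_exit_status(const char *script)
{
	int st = system(script);
	return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
	if (export_rcodes() < 0) return 1;
	printf("child exited with %d\n", child_exit_status("exit \"$RLM_MODULE_OK\""));
	return 0;
}
```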