group sensitive per user return attributes with rlm_sql

Hugh Messenger hugh at alaweb.com
Mon Jul 2 03:19:34 CEST 2007


I'm trying to work out (in 2.0.0) how to achieve "matching group specific
per user reply attributes" using rlm_sql, based on which group(s) matched
the authentication request.

So, for instance, a user might belong to both DIALUP and WIRELESS groups.
But I only want the per-user reply attributes relevant to the access request
being processed, for instance Mikrotik-Rate-Limit only gets set if the
request matched WIRELESS (via a huntgroup match).

As far as I can tell, this would require some surgery to rlm_sql, and an
additional (optional) CheckGroup column in the 'radreply' table:

UserName,Attribute,op,Value,CheckGroup
radiustest,Mikrotik-Rate-Limit,=,512k/512k,WIRELESS
radiustest,Some-Dialup-Attribute,=,foo,DIALUP
radiustest,Some-Common-Attribute,=,bar,

So the authorize_reply_query could then be something like:

        authorize_reply_query = "\
SELECT id, UserName, Attribute, Value, op \
FROM ${authreply_table} \
WHERE Username = '%{SQL-User-Name}' \
AND (CheckGroup = '' OR CheckGroup IN(%{control:Matched-Groups})) \
ORDER BY id"

Then if the request came from a NAS which has a matching check attribute for
the WIRELESS group, only 'radreply' items with CheckGroup of WIRELESS (and
those with no CheckGroup) would be returned.  So in this case,
Mikrotik-Rate-Limit and Some-Common-Attribute.

Obviously the surgery to rlm_sql would be in building
%{control:Matched-Groups}, which would mean shuffling some code around, as
currently the groups aren't looked at till after the per-user reply
attributes are processed.

Or is there some other way of doing this I'm spacing on?

   -- hugh
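
The filter proposed above, as an added example that is not part of the original post or of rlm_sql. It assumes Python's sqlite3 as a stand-in database and binds the matched group names as query parameters in place of the proposed %{control:Matched-Groups} expansion; make_db and reply_attributes are hypothetical names.

```python
import sqlite3

# Constructed sample rows, copied from the table in the post.
ROWS = [
    ("radiustest", "Mikrotik-Rate-Limit", "=", "512k/512k", "WIRELESS"),
    ("radiustest", "Some-Dialup-Attribute", "=", "foo", "DIALUP"),
    ("radiustest", "Some-Common-Attribute", "=", "bar", ""),
]

def make_db():
    """In-memory stand-in for the SQL backend (assumption: SQLite, not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radreply ("
        " id INTEGER PRIMARY KEY, UserName TEXT NOT NULL, Attribute TEXT NOT NULL,"
        " op TEXT NOT NULL DEFAULT '=', Value TEXT NOT NULL,"
        # NOT NULL DEFAULT '' so that "CheckGroup = ''" also matches rows
        # inserted without a group; a NULL would never compare equal to ''.
        " CheckGroup TEXT NOT NULL DEFAULT '')"
    )
    db.executemany(
        "INSERT INTO radreply (UserName, Attribute, op, Value, CheckGroup)"
        " VALUES (?, ?, ?, ?, ?)", ROWS)
    return db

def reply_attributes(db, username, matched_groups):
    """Return (Attribute, op, Value) rows for the user, filtered by matched groups."""
    groups = list(matched_groups)
    sql = ("SELECT id, UserName, Attribute, Value, op FROM radreply"
           " WHERE UserName = ? AND (CheckGroup = ''")
    if groups:
        # One placeholder per group: names are bound as data, never pasted into the SQL text.
        sql += " OR CheckGroup IN (%s)" % ",".join("?" * len(groups))
    # With no matched groups the IN clause is omitted, so only ungrouped rows remain.
    sql += ") ORDER BY id"
    cur = db.execute(sql, [username, *groups])
    return [(attr, op, value) for _id, _user, attr, value, op in cur]

if __name__ == "__main__":
    db = make_db()
    for groups in (["WIRELESS"], ["DIALUP"], ["WIRELESS", "DIALUP"], []):
        print(groups, reply_attributes(db, "radiustest", groups))
```
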

 


More information about the Freeradius-Devel mailing list