group sensitive per user return attributes with rlm_sql

Hugh Messenger hugh at alaweb.com
Mon Jul 2 04:25:39 CEST 2007


[I just noticed I forgot to set Plain Text on my original post.  Re-posting
in plain text.  Mea Maxima Culpa, won't happen again]

I'm trying to work out (in 2.0.0) how to achieve "matching group specific
per user reply attributes" using rlm_sql, based on which group(s) matched
the authentication request.

So, for instance, a user might belong to both DIALUP and WIRELESS groups.
But I only want the per-user reply attributes relevant to the access request
being processed, for instance Mikrotik-Rate-Limit only gets set if the
request matched WIRELESS (via a huntgroup match).

As far as I can tell, this would require some surgery to rlm_sql, and an
additional (optional) CheckGroup column in the 'radreply' table:

UserName,Attribute,op,Value,CheckGroup
radiustest,Mikrotik-Rate-Limit,=,512k/512k,WIRELESS
radiustest,Some-Dialup-Attribute,=,foo,DIALUP
radiustest,Some-Common-Attribute,=,bar,

So the authorize_reply_query could then be something like:

        authorize_reply_query = "\
SELECT id, UserName, Attribute, Value, op \
FROM ${authreply_table} \
WHERE Username = '%{SQL-User-Name}' \
AND (CheckGroup = '' OR CheckGroup IN(%{control:Matched-Groups})) \
ORDER BY id"

Then if the request came from a NAS which has a matching check attribute for
the WIRELESS group, only 'radreply' items with CheckGroup of WIRELESS (and
those with no CheckGroup) would be returned.  So in this case,
Mikrotik-Rate-Limit and Some-Common-Attribute.

Obviously the surgery to rlm_sql would be in building
%{control:Matched-Groups}, which would mean shuffling some code around, as
currently the groups aren't looked at till after the per-user reply
attributes are processed.

Or is there some other way of doing this I'm spacing on?

   -- hugh
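The proposed radreply layout and group-filtered reply query, modelled as an added example with sqlite3 (this is not code from the post or from rlm_sql). The rows are the constructed ones from the post; passing the matched groups as bound parameters, one placeholder per group, is an assumption about how a list would be handed to the query safely, not how rlm_sql expands %{control:Matched-Groups}.

```python
import sqlite3

# Constructed sample rows for the proposed 'radreply' table with an optional
# CheckGroup column. An empty CheckGroup means the attribute is always returned.
SAMPLE_RADREPLY = [
    ("radiustest", "Mikrotik-Rate-Limit", "=", "512k/512k", "WIRELESS"),
    ("radiustest", "Some-Dialup-Attribute", "=", "foo", "DIALUP"),
    ("radiustest", "Some-Common-Attribute", "=", "bar", ""),
]


def build_db():
    """Create an in-memory radreply table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radreply ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " UserName TEXT NOT NULL, Attribute TEXT NOT NULL, op TEXT NOT NULL,"
        " Value TEXT NOT NULL, CheckGroup TEXT NOT NULL DEFAULT '')"
    )
    conn.executemany(
        "INSERT INTO radreply (UserName, Attribute, op, Value, CheckGroup)"
        " VALUES (?, ?, ?, ?, ?)",
        SAMPLE_RADREPLY,
    )
    return conn


def group_filtered_reply(conn, username, matched_groups):
    """Return (Attribute, op, Value) rows for `username` whose CheckGroup is
    empty or is one of `matched_groups` (the role the post assigns to
    %{control:Matched-Groups}). Group names are bound as parameters rather
    than spliced into the SQL text; an empty group list keeps only the
    rows with no CheckGroup."""
    groups = list(matched_groups)
    group_clause = ""
    if groups:
        group_clause = " OR CheckGroup IN (" + ",".join("?" * len(groups)) + ")"
    sql = (
        "SELECT Attribute, op, Value FROM radreply WHERE UserName = ?"
        " AND (CheckGroup = ''" + group_clause + ") ORDER BY id"
    )
    return conn.execute(sql, [username, *groups]).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A request that matched the WIRELESS huntgroup: rate limit plus common attribute.
    for row in group_filtered_reply(db, "radiustest", ["WIRELESS"]):
        print(row)
```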