sql module and radgroup...

Alan DeKok aland at deployingradius.com
Thu Jul 8 16:16:54 CEST 2010

predrag balorda wrote:
> Would it be so difficult to add a "groupinfo" table? Just like you
> have /etc/passwords you have /etc/groups so should you have userinfo
> and radgroup or groupinfo or somesuch.
> Namely, there is an awful kludge in radgroupreply in that if a reply
> with a group name exists then the group exists, otherwise it doesn't.

  ? The reply is allowed to be empty.  If it is empty, it has no effect
on group membership.

> Now that's funny, it's the same thing as saying if there is an entry
> in radcheck then the user exists, otherwise they don't. Which is
> silly. Not only in my opinion but in the opinion of all database
> people out there. Referential integrity is non-existent. So is
> entity-integrity.

  I have no idea what that means.

> A simple statement like this in your sql scripts would suffice (mysql
> example here)
> DROP TABLE IF EXISTS `groupinfo`;
> CREATE TABLE `groupinfo` (
>   `id` bigint(20) NOT NULL auto_increment,
>   `groupname` varchar(200) default NULL,
>   PRIMARY KEY  (`id`),
>   KEY name (`groupname`)
> );
> Then you can draw all sorts of relations back to this table from
> radgroupcheck, radgroupreply, usergroup etc.

  Sure.  That's useful, but not required.

  I've seen 7 figure commercial solutions with *less* referential
integrity than the default FreeRADIUS schema.

> Try and create a radgroupreply for group "Normal", say a bandwidth
> limitation of some sort. Then add another limitation but this time
> make an intentional typo and put in "nOrmal" in groupname instead.
> What happens? If you had referential integrity the database wouldn't
> let you make such mistakes. Just like this silly gmail webmail won't
> let me make mistakes and underlines them with a red squiggly line.

  You can supply a patch to the SQL schema && statements to add this
capability.  The software *is* open source.

> I'm saying all this because I'm writing a freeradius frontend (there,
> that stupid red squiggly line again) - I'll probably call it
> dialUpAdmin# as I'm using NHibernate, mono, asp.net2 and it's going
> nice; I'll try and submit the initial version to the cvs (or is it
> svn) repository sometime next week
> - and silliness like this pops up
> everywhere. Some simple referential and entity integrity never hurt no
> one.

  Sure.  But it's one more requirement before people get the server up
and running.

> I'm probably talking crap here as I'll be switching to LDAP soon
> enough for all this to go away, but still. It'd be nice.

  As always, patches are welcome.

  Alan DeKok.

More information about the Freeradius-Devel mailing list
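
The "Normal" / "nOrmal" case from the thread, as an added example (not code from either poster or from the FreeRADIUS schema): a `groupinfo` table with a foreign key from `radgroupreply`, so a reply for a misspelled group is rejected instead of silently applying to nobody. Assumptions: SQLite through Python's `sqlite3` stands in for MySQL so the example runs offline, `groupname` is made `UNIQUE NOT NULL` so it can be a key target, the `radgroupreply` columns are simplified, and the attribute values are constructed samples.

```python
import sqlite3

# Hypothetical schema for illustration; not the shipped FreeRADIUS schema.
SCHEMA = """
CREATE TABLE groupinfo (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  groupname VARCHAR(200) NOT NULL UNIQUE      -- UNIQUE: required for an FK target
);
CREATE TABLE radgroupreply (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  groupname VARCHAR(200) NOT NULL REFERENCES groupinfo(groupname),
  attribute VARCHAR(64)  NOT NULL,
  op        CHAR(2)      NOT NULL DEFAULT '=',
  value     VARCHAR(253) NOT NULL
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    # SQLite only enforces foreign keys when this is enabled per connection.
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def add_reply(db, group, attribute, value):
    """Insert a group reply; return False if the group is not in groupinfo."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO radgroupreply (groupname, attribute, op, value) "
                "VALUES (?, ?, ':=', ?)",
                (group, attribute, value),
            )
        return True
    except sqlite3.IntegrityError:
        return False

def demo():
    db = open_db()
    with db:
        db.execute("INSERT INTO groupinfo (groupname) VALUES ('Normal')")
    ok = add_reply(db, "Normal", "Session-Timeout", "3600")   # constructed sample
    typo = add_reply(db, "nOrmal", "Idle-Timeout", "600")     # misspelled group
    rows = db.execute("SELECT groupname, attribute FROM radgroupreply").fetchall()
    return ok, typo, rows

if __name__ == "__main__":
    print(demo())
```

SQLite compares these strings byte-for-byte by default; a database using a case-insensitive collation would treat the two spellings as the same group.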