Problem translating users file to Postgre DB

Andrew Teixeira ateixeira at gmail.com
Thu Jan 19 20:38:52 CET 2006


Hello,
  I tried to port my users file to PostgreSQL today, but I am having a
great deal of confusing trouble trying to get it to work.  I am using
the postgresql.conf file that came with Freeradius 1.1.0 and am having
no trouble getting Freeradius to connect to Postgre.  My problem comes
when trying to authenticate to my firewall.  First, I will explain the
working "files-only" configuration:

:::::::::::::::::
huntgroups
:::::::::::::::::
switches     NAS-IP-Address == 10.20.10.x
switches     NAS-IP-Address == 10.20.10.x
switches     NAS-IP-Address == 10.20.10.x
switches     NAS-IP-Address == 127.0.0.1
firewall     NAS-IP-Address == 10.20.10.x
firewall     NAS-IP-Address == 10.20.10.x

:::::::::
users
:::::::::
DEFAULT Auth-Type = System
               Fall-Through = 1

admin      Auth-Type := Kerberos, Huntgroup-Name == "switches"
               Service-Type == "Administrative-User"

admin      Auth-Type := Kerberos, Huntgroup-Name == "firewall"
               NS-Admin-Privilege = "All-VSYS-Root-Admin"

When I do this with files only, it works great.  I then tried to get
the database setup to work.  I left the huntgroups file alone and
commented out the 2 'admin' entries in users.  Now, this is my setup
in the database that is not working:

::::::::::::::::::::::
radgroupcheck
::::::::::::::::::::::
 id | groupname | attribute      | op | value
----+-----------+----------------+----+----------
  1 | switches  | Huntgroup-Name | == | switches
  2 | firewall  | Huntgroup-Name | == | firewall
  5 | firewall  | Auth-Type      | := | Kerberos
  6 | switches  | Auth-Type      | := | Kerberos

:::::::::::::::::::::
radgroupreply
:::::::::::::::::::::
 id | groupname | attribute          | op | value
----+-----------+--------------------+----+---------------------
  2 | firewall  | NS-Admin-Privilege | =  | All-VSYS-Root-Admin
  1 | switches  | Service-Type       | =  | Administrative-User

:::::::::::::::
usergroup
:::::::::::::::
 id | username | groupname
----+----------+-----------
  1 | admin    | switches
  2 | admin    | firewall

In this setup, I can authenticate with 'admin' using my Kerberos
password for the 'switches' huntgroup, but I cannot authenticate to
'firewall'.  Also, when I do radtest for an IP in the switches
huntgroup, I get a reply of both 'Service-Type' and
'NS-Admin-Privilege', when I assumed that this would give me one or
the other since they are in different groups.  When running radiusd
with the '-X' flag and trying to authenticate to firewall, I get the
error:

rlm_sql (sql): No matching entry in the database for request from user [admin]

This shouldn't be the case since the user 'admin' is part of both
groups.  I am at a loss at this point as to what could be the problem.
If anyone has any insight, I would greatly appreciate it.  Thanks in
advance.
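Added example (not from the post above and not FreeRADIUS's own rlm_sql code): a small Python model of the per-group authorization the poster expects, where a group's reply items are returned only when that group's Huntgroup-Name check item matches the NAS that sent the request. It lets you sanity-check what each NAS address should get from the tables shown; the NAS IPs are constructed, since the real ones are masked as 10.20.10.x in the post.

```python
# Constructed sample data modelled on the huntgroups file and the three
# SQL tables in the post. The IP addresses are made up (masked in the post).
HUNTGROUPS = [("switches", "10.20.10.11"), ("switches", "127.0.0.1"),
              ("firewall", "10.20.10.254")]
USERGROUP = [("admin", "switches"), ("admin", "firewall")]
RADGROUPCHECK = [
    ("switches", "Huntgroup-Name", "==", "switches"),
    ("firewall", "Huntgroup-Name", "==", "firewall"),
    ("firewall", "Auth-Type", ":=", "Kerberos"),
    ("switches", "Auth-Type", ":=", "Kerberos"),
]
RADGROUPREPLY = [
    ("firewall", "NS-Admin-Privilege", "=", "All-VSYS-Root-Admin"),
    ("switches", "Service-Type", "=", "Administrative-User"),
]


def huntgroups_for(nas_ip):
    """Names of every huntgroup with a NAS-IP-Address entry for nas_ip."""
    return {name for name, ip in HUNTGROUPS if ip == nas_ip}


def group_matches(groupname, request):
    """True if every '==' check item of the group matches the request.
    Assumption of this model: ':=' items only set control attributes
    (e.g. Auth-Type) and never cause a mismatch."""
    for g, attr, op, value in RADGROUPCHECK:
        if g != groupname or op != "==":
            continue
        if attr == "Huntgroup-Name":
            if value not in request["huntgroups"]:
                return False
        elif request.get(attr) != value:
            return False
    return True


def authorize(username, nas_ip):
    """Return (control items, reply items) under the per-group model."""
    request = {"User-Name": username, "NAS-IP-Address": nas_ip,
               "huntgroups": huntgroups_for(nas_ip)}
    control, reply = {}, []
    for user, group in USERGROUP:
        if user != username or not group_matches(group, request):
            continue
        for g, attr, op, value in RADGROUPCHECK:
            if g == group and op == ":=":
                control[attr] = value
        reply += [(a, v) for g, a, _, v in RADGROUPREPLY if g == group]
    return control, reply


if __name__ == "__main__":
    for ip in ("10.20.10.11", "10.20.10.254", "192.0.2.1"):
        print(ip, authorize("admin", ip))
```

If the real server returns both reply items for one NAS, as the post reports, then its group evaluation is not applying the Huntgroup-Name check per group the way this model does, which is the point to compare against the `-X` debug output.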




More information about the Freeradius-Users mailing list