Problem with NULL realm..
Mark J Elkins
mje at posix.co.za
Mon Jul 9 16:01:20 CEST 2007
Phil Mayers wrote:
>> ... Username='%{Stripped-User-Name}' AND realm='%{Realm:-pop.co.za}' AND
>> ....
>>
>> ie - if the REALM is missing - it should default to 'pop.co.za'...
>>
>> Anyway - still getting incorrect logins....
>>
>> A radiusd -X shows me that .."WHERE Username='mje' AND realm='NULL'
>> AND"...
>>
>
> That's how it works. You'll need to refactor your SQL query e.g.
>
>
grumble.... if people wanted the string 'NULL' - they should use
"%{Realm:-NULL}"
(user hides below the keyboard :-)
> select foo from bar where Username='%{Stripped-User-Name}' and realm=(
> case
> when '%{Realm}'='NULL' then 'pop.co.za'
> else '%{Realm}'
> end)
>
> The other and slightly easier alternative is to set "ignore_null = yes"
> on your realm module so that users without a realm won't match the
> module, and then use:
>
> select foo from bar where
> Username='%{Stripped-User-Name:-%{User-Name}}'
> and
> realm='%{Realm:-pop.co.za}'
>
>
Being lazy - I'm starting here. (Also - less impact on existing users)
Changed 'ignore_null' to yes..
Smiled - and tried to dial-in
rad_recv: Access-Request packet from host 160.124.0.97:1645, id=81, length=106
NAS-IP-Address = 160.124.0.97
NAS-Port = 70
Cisco-NAS-Port = "Async70"
NAS-Port-Type = Async
User-Name = "mje"
Called-Station-Id = "0800"
User-Password = "verysecret"
Service-Type = Framed-User
Framed-Protocol = PPP
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "mje", skipping NULL due to config.
*** Line above suggests the 'ignore_null' worked ***
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 7
radius_xlat: 'mje'
rlm_sql (sql): sql_set_user escaped user --> 'mje'
radius_xlat: 'SELECT userid as id,UserName,'Password' as
Attribute,password as Value,'==' as op FROM useracct WHERE Username=''
AND realm='pop.co.za' AND .....
Something stole my username ???
I'm not too sure of the logic here.
I've left the NULL realm in "proxy.conf" uncommented - so it's 'live'.
It seems that the 'NULL' realm matched... then skipped (?) - so I got a
null username and a null realm (all the other info got through!)
Looks like the SQL logic works though...
I just hate complicating the SQL queries even more than I already have!
I guess FreeRadius 2.xx will make things easier?
>
>> ie - If there is no realm - it's set to the string of four characters
>> 'NULL' rather than the string '\0' ..
>> not what I was hoping for...
>>
>> If the realm is missing - it can only refer to a user in the 'pop.co.za'
>> realm - and no other.
>>
>> Suggestions?
>>
>> ie - the equivalent of ... if( ${Realm} == "NULL") Realm="pop.co.za"
>> ..put somewhere.
>>
>>
>> ps. It would be very useful if one could run radiusd in '-X' mode based
>> on some criteria - such as the Realm or the Nas,
>> especially on a busy server - just for matching packets.
>>
>> (in proxy.conf .. syntax of
>> realm myrealm.com {
>> type = radius
>> authhost = LOCAL
>> accthost = LOCAL
>> debug = yes
>> }
>>
>> or in clients.conf
>> client access.pop.co.za {
>> secret = very
>> shortname = access
>> nastype = cisco
>> debug = yes
>> }
>> )
>>
--
. . ___. .__ Posix Systems - Sth Africa
/| /| / /__ mje at posix.co.za - Mark J Elkins, SCO ACE, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
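
Added example (not part of the original post, and not FreeRADIUS code): a small Python model of the `%{Attr:-default}` expansion discussed in the message. It shows why the realm default never applies while the NULL realm matches, why the username comes out empty once `ignore_null = yes` makes the realm module skip the request, and how the nested fallback from the quoted reply restores it. The request dictionaries are constructed from the debug output in the message.

```python
# Illustrative model of FreeRADIUS "%{Attr}" / "%{Attr:-default}" expansion.
# Not FreeRADIUS code; SQL escaping of the values is left out.

def expand(template, request):
    """Expand %{Name} and %{Name:-default}; a default may itself contain %{...}."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        depth, j = 1, i + 2              # scan to the matching close brace
        while j < len(template) and depth:
            if template.startswith("%{", j):
                depth, j = depth + 1, j + 2
            else:
                if template[j] == "}":
                    depth -= 1
                j += 1
        if depth:
            raise ValueError("unterminated %{ in template")
        name, has_default, default = template[i + 2:j - 1].partition(":-")
        value = request.get(name, "")
        if not value and has_default:    # default applies only when the attribute is unset
            value = expand(default, request)
        out.append(value)
        i = j
    return "".join(out)

# Constructed request states, modelled on the debug output in the message.
NULL_REALM_MATCHED = {"User-Name": "mje", "Stripped-User-Name": "mje", "Realm": "NULL"}
REALM_SKIPPED = {"User-Name": "mje"}     # ignore_null = yes: realm module sets nothing

Q_ORIGINAL = "Username='%{Stripped-User-Name}' AND realm='%{Realm:-pop.co.za}'"
Q_FALLBACK = ("Username='%{Stripped-User-Name:-%{User-Name}}' "
              "AND realm='%{Realm:-pop.co.za}'")

if __name__ == "__main__":
    for query, request in ((Q_ORIGINAL, NULL_REALM_MATCHED),
                           (Q_ORIGINAL, REALM_SKIPPED),
                           (Q_FALLBACK, REALM_SKIPPED)):
        print(expand(query, request))
```
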