Adding a NAS via SQL

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Sun Jul 29 19:13:34 CEST 2007


Hugh Messenger wrote:
> A.L.M.Buxey at lboro.ac.uk said:
>   
>> how about updating the NAS list from SQL via, for example, an SNMP write
>> command or a special RADIUS command packet. both of these could have
>> security protection to prevent DoS (eg the SNMP write from only certain
>> locations (firewalled) and has password too of course... the RADIUS command
>> packet could have a shared secret requirement and/or use the FR
>> unlang/attribute protections for access/accept
>>     
I agree with Alan B, SNMP write is the way to go with this. It's a nice 
standard mechanism which can be triggered by almost anything.
Generally in most implementations of an SQL based NAS list, some script 
somewhere is going to be adding rows to the SQL table, and adding a few 
extra lines into that script to poke the server isn't going to be very 
hard in any high level interpreted language.
>
> I'd settle for having it reload on a configurable amount of time ...
>
> 	# time between NAS table reloads if using SQL
> 	# default is 1 hour
> 	# set to 0 to disable NAS table reloading
> 	nas_table_reload_time = 1h
>
> So each request FR handles would start with this pseudo-code ...
>
> if (nas_table_reload_time AND (last_nas_table_read < (NOW - nas_table_reload_time)))
> {
> 	reload_nas_table();
> 	last_nas_table_read = NOW;
> }
>
> IMHO this would be a good compromise.  Easy to implement (for someone like
> Alan!), very low impact on the server (with the default setting), and allows
> the admin to set the reload time that suits their site.  I'd set mine to
> 24h, as I hardly ever change my NAS setup, but some folk might need 15m if
> they have high NAS turnover.
>
>   
I can't help but think there might be something more complicated to 
this, else it would have been done already.
The mechanism by which a reloading of SQL clients is triggered could be 
quite arbitrary, but changing memory structures whilst processing a 
packet could cause some nasty issues...
But I'm not a C programmer, and Alan is.

Alan, if you could explain the technical reason behind the difficulty in 
adding this feature, users might be in a better position to offer 
suggestions / patches.

What does HUP actually do to a process in the Unix world? Just send it 
a nice semaphore saying "you've been hupped now do stuff" to the 
process, or something more drastic?
>> alan
>>     
>
>    -- hugh
>
>   
Arran (Still in the land of fine wine and Pizza, and has learned to love 
Dial-Up again)
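
The timed reload and the worry about changing memory structures while a packet is being processed, sketched as an added example that is not part of the original thread and is not FreeRADIUS code. All type and function names are hypothetical, the loaders stand in for the SQL query with constructed data, and a single-threaded request loop is assumed (a threaded server would need atomic reference counts or a lock).

```c
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical types and names, not FreeRADIUS structures. */
typedef struct { const char *addr, *secret; } nas_t;
typedef struct { int refs; size_t n; nas_t nas[]; } nas_table_t;
typedef nas_table_t *(*nas_loader_t)(void);     /* stands in for the SQL query */

static nas_table_t *current;                    /* table that new requests use */
static time_t last_read, reload_time = 3600;    /* 0 disables timed reloads */
static volatile sig_atomic_t got_hup;           /* written by the handler only */
static void on_hup(int sig) { (void)sig; got_hup = 1; }  /* just raises a flag */
void install_hup(void) { signal(SIGHUP, on_hup); }

nas_table_t *table_new(const nas_t *src, size_t n) {
    nas_table_t *t = malloc(sizeof *t + n * sizeof *src);
    if (!t) return NULL;
    memcpy(t->nas, src, n * sizeof *src);
    t->n = n; t->refs = 1;                      /* reference held by `current` */
    return t;
}
nas_table_t *table_get(void) { current->refs++; return current; } /* per request */
void table_put(nas_table_t *t) { if (--t->refs == 0) free(t); }

/* Called between packets, never from the signal handler. Returns 1 on swap. */
int maybe_reload(time_t now, nas_loader_t load) {
    int due = reload_time && last_read < now - reload_time;
    if (!due && !got_hup) return 0;
    got_hup = 0; last_read = now;               /* a failed load waits an interval */
    nas_table_t *fresh = load();                /* built off to the side */
    if (!fresh) return 0;                       /* query failed: keep last good table */
    nas_table_t *old = current; current = fresh;
    if (old) table_put(old);                    /* freed when in-flight requests end */
    return 1;
}

const char *nas_secret(const nas_table_t *t, const char *addr) {
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->nas[i].addr, addr) == 0) return t->nas[i].secret;
    return NULL;                                /* unknown NAS: caller rejects */
}

/* Constructed sample data: two query results and a failing query. */
nas_table_t *load_v1(void) { nas_t r[] = {{"192.0.2.10", "old-secret"}}; return table_new(r, 1); }
nas_table_t *load_v2(void) { nas_t r[] = {{"192.0.2.10", "new-secret"}, {"192.0.2.11", "s2"}}; return table_new(r, 2); }
nas_table_t *load_fail(void) { return NULL; }
```

A request that took its table with `table_get()` before the swap keeps validating against the old snapshot until it calls `table_put()`, and a failed load leaves the last good NAS list in place rather than an empty one.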



