Reject user from SQL-DB

JB list.freeradius at mac.com
Fri Feb 8 14:00:20 CET 2008


Phil Mayers (08.02.2008 12:03):
>> Ok, now I'm returning Auth-Type := Reject from my check-items-query  
>> and I hoped to be able to send a little more in depth information  
>> along the way in the Reply-Message attribute, but unfortunately  
>> this info gets lost. It seems that I have to fill this attribute in  
>> the reply-items-query.
>> Does this mean the reply-items-query has to trigger the same  
>> functions as the check-items-query again to find out what the  
>> reason for the reject was? Or do I have to fill a temporary table  
>> with the reply message in the check-items-query which gets then  
>> returned in the reply-items-query?
>
> Hmm. I guess you're doing something like:
>
> authorize_check_query = "select myproc('%{SQL-User-Name}','...etc...')"
>
> ...and are trying to avoid re-calling the same (or another) function  
> in the reply query.

That's the problem.
How will the reply query be aware that the user has already been  
rejected without using additional queries?
I tried calling the check query with %{control:My-Reply} or  
%{control:Auth-Type} as attributes but those are empty though set in  
the check query.


> What you could do is place a local attribute in the check items,  
> then copy it to the reply items in an unlang section:
>
> i.e. return 2 rows from the stored proc:
>
>   attr    | op |    value
> -----------+----+--------------
> My-Reply  | := | some message
> Auth-Type | := | Reject
>
> in /etc/raddb/dictionary:
>
> ATTRIBUTE My-Reply 3000 string
>
> and have:
>
> authorize {
>  sql
> }
> post-auth {
>  Post-Auth-Type Reject {
>    if (control:My-Reply) {
>      update reply {
>        Reply-Message = "%{control:My-Reply}"
>      }
>    }
>  }
> }
>

Thanks Phil, that was it! Now I'm getting the right Reply-Message.

Actually,
if (control:My-Reply)
must be
if ("%{control:My-Reply}")
to check if it's empty.

JB
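
An added example, not part of the original thread and not FreeRADIUS's own code: one way a stored procedure could return the two check rows described above. It assumes PostgreSQL, a hypothetical `accounts` table, a one-argument `myproc`, and the default five-column check-query layout (id, username, attribute, value, op).

```sql
-- Hypothetical account table; names and columns are assumptions.
CREATE TABLE accounts (
    username text PRIMARY KEY,
    disabled boolean NOT NULL DEFAULT false,
    expires  timestamptz
);

-- Returns rows shaped like radcheck: (id, username, attribute, value, op).
-- For a rejected user it emits My-Reply and Auth-Type := Reject together,
-- so the reject reason is decided once, in the check query only.
-- Users with no reject reason get no rows from this function; returning
-- their ordinary check items is outside the scope of this example.
CREATE FUNCTION myproc(p_user text)
RETURNS TABLE (id integer, username text, attribute text, value text, op text)
LANGUAGE sql STABLE AS $$
    WITH verdict AS (
        SELECT CASE
                 WHEN a.disabled        THEN 'Account disabled'
                 WHEN a.expires < now() THEN 'Account expired'
               END AS reason            -- NULL when nothing is wrong
        FROM accounts a
        WHERE a.username = p_user
    )
    SELECT r.id, p_user, r.attribute, r.value, ':='::text
    FROM verdict v
    CROSS JOIN LATERAL (VALUES
        (1, 'My-Reply',  v.reason),
        (2, 'Auth-Type', 'Reject')
    ) AS r(id, attribute, value)
    WHERE v.reason IS NOT NULL
    ORDER BY r.id;
$$;

-- Constructed sample data.
INSERT INTO accounts VALUES
    ('alice', false, NULL),
    ('bob',   true,  NULL),
    ('carol', false, now() - interval '1 day');

-- What the check query would see for a disabled user.
SELECT * FROM myproc('bob');

-- Assumed sql.conf line that calls it (column order matters to rlm_sql):
--   authorize_check_query = "SELECT * FROM myproc('%{SQL-User-Name}')"
```

Reply-Message travels in the Access-Reject and may be shown to the end user by the NAS, so keep the reason strings free of detail that would help someone enumerate accounts.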



