authorization: unlang/NAS-IP-Address
leopold
vova_b at yahoo.com
Wed Jul 23 18:20:20 CEST 2008
Ivan,
Even with the default SQL query it returns OK, because the user is defined properly;
it is just that the check attributes of the group do not match.
I went to the code and I saw that the rlm_sql_process_groups function causes the
whole module to return OK even though the NAS-IP-Address attribute does not
match.
Note it does not return attributes, it just returns OK.

    /*
     * rows == 0. This is like having the username on a line
     * in the user's file with no check vp's. As such, we treat
     * it as found and add the reply attributes, so that we
     * match expected behavior
     */
    found = 1;
    DEBUG2("rlm_sql (%s): User found in group %s",
           inst->config->xlat_name, group_list_tmp->groupname);

User-Name = "validuser"
User-Password = "validpasswd"
NAS-IP-Address = y.y.y.1
rlm_sql (sql): Reserving sql socket id: 6
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'validuser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'validuser' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'validuser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'validuser' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'validuser'
ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'validuser' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY
id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY
id
rlm_sql (sql): Released sql socket id: 6
++[sql] returns ok
Should this module return FAIL if group check fails?
Ivan Kalik wrote:
>
>>See in debug output a valid user with valid password comes from wrong
>>NAS-IP-Address which does not belong to check attributes of the user's
>>group
>>
>>++[sql] returns ok
>
> That is wrong. If group check fails sql should return notfound. Check
> your sql entries again. Have you altered default sql queries in some way
> (you have left them out of the debug)?
>
> Ivan Kalik
> Kalik Informatika ISP
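
An added example, not part of the original message or of FreeRADIUS: a Python check that reads `radiusd -X` debug text and flags sql runs that return ok although a radgroupcheck query ran for a group and no "User found in group" line followed, which is the situation described in the message. The sample text is constructed from the debug lines quoted above; the function and field names are assumptions.

```python
import re

# Constructed sample, shortened from the debug lines quoted in the message.
SAMPLE_DEBUG = """\
rlm_sql (sql): Reserving sql socket id: 6
rlm_sql (sql): User found in radcheck table
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id
rlm_sql (sql): Released sql socket id: 6
++[sql] returns ok
"""

# Group names that had their check items queried (\s+ tolerates wrapped lines).
GROUP_QUERY = re.compile(r"radgroupcheck\s+WHERE\s+groupname\s*=\s*'([^']*)'")
# Logged by the DEBUG2 call quoted in the message when a group is accepted.
GROUP_MATCH = re.compile(r"User found in group (\S+)")
# Final result line of the sql module for one request.
RESULT = re.compile(r"^\+\+\[sql\] returns (\w+)", re.M)


def audit(debug_text):
    """Return one finding per sql module run found in the debug text."""
    findings = []
    start = 0
    for m in RESULT.finditer(debug_text):
        block = debug_text[start:m.start()]
        start = m.end()
        # Skip the unexpanded template ('%{Sql-Group}') from the "expand:" line.
        queried = {g for g in GROUP_QUERY.findall(block) if "%{" not in g}
        matched = set(GROUP_MATCH.findall(block))
        unmatched = sorted(queried - matched)
        findings.append({
            "result": m.group(1),
            "user_in_radcheck": "User found in radcheck table" in block,
            "unmatched_groups": unmatched,
            # ok returned while at least one group's check items did not match
            "suspect": m.group(1) == "ok" and bool(unmatched),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DEBUG):
        print(finding)
```
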