authorization: unlang/NAS-IP-Address
Ivan Kalik
tnt at kalik.net
Thu Jul 24 00:14:30 CEST 2008
No, it should return notfound.
I can confirm this. If the check is put in the radcheck table, the user will be
rejected, but if the check (that should fail) is put in the radgroupcheck table,
the user is authenticated. That is not how things should work. It should
return notfound if there is no match in radgroupcheck too.
Ivan Kalik
Kalik Informatika ISP
On 23/7/2008, "leopold" <vova_b at yahoo.com> wrote:
>
>Ivan,
>Even with the default SQL query it returns OK, because the user is defined properly;
>it is just that the check attributes of the group do not match
>
>I went to the code and I saw that the rlm_sql_process_groups function causes the
>whole module to return OK even though the NAS-IP-Address attribute does not
>match.
>Note that it does not return attributes, it just returns OK
>
>/*
> * rows == 0. This is like having the username on a line
> * in the user's file with no check vp's. As such, we treat
> * it as found and add the reply attributes, so that we
> * match expected behavior
> */
> found = 1;
> DEBUG2("rlm_sql (%s): User found in group %s",
> inst->config->xlat_name, group_list_tmp->groupname);
>
>
> User-Name = "validuser"
> User-Password = "validpasswd"
> NAS-IP-Address = y.y.y.1
>
>
>rlm_sql (sql): Reserving sql socket id: 6
> expand: SELECT id, username, attribute, value, op FROM
>radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
>-> SELECT id, username, attribute, value, op FROM radcheck
>WHERE username = 'validuser' ORDER BY id
>rlm_sql_mysql: query: SELECT id, username, attribute, value, op
>FROM radcheck WHERE username = 'validuser' ORDER BY id
>rlm_sql (sql): User found in radcheck table
> expand: SELECT id, username, attribute, value, op FROM
>radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
>-> SELECT id, username, attribute, value, op FROM radreply
>WHERE username = 'validuser' ORDER BY id
>rlm_sql_mysql: query: SELECT id, username, attribute, value, op
>FROM radreply WHERE username = 'validuser' ORDER BY id
> expand: SELECT groupname FROM radusergroup WHERE
>username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
>groupname FROM radusergroup WHERE username = 'validuser'
>ORDER BY priority
>rlm_sql_mysql: query: SELECT groupname FROM radusergroup
>WHERE username = 'validuser' ORDER BY priority
> expand: SELECT id, groupname, attribute, Value, op
>FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
>ORDER BY id -> SELECT id, groupname, attribute, Value, op
>FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY
>id
>
>rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op
>FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY
>id
>rlm_sql (sql): Released sql socket id: 6
>++[sql] returns ok
>
>Should this module return FAIL if group check fails?
>
>
>Ivan Kalik wrote:
>>
>>>See in debug output a valid user with valid password comes from wrong
>>>NAS-IP-Address which does not belong to check attributes of the user's
>>>group
>>>
>>>++[sql] returns ok
>>
>> That is wrong. If group check fails sql should return notfound. Check
>> your sql entries again. Have you altered default sql queries in some way
>> (you have left them out of the debug)?
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>
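The debug output above shows the queries the module runs but not what the fetched check rows say about the request, which is exactly the information needed to judge a "++[sql] returns ok". The following is an added example (not FreeRADIUS code and not from either poster): it replays the radcheck, radusergroup and radgroupcheck queries from the debug output against an in-memory SQLite copy of constructed tables and reports, item by item, which check rows a request fails. The operator model (==, !=, =~, :=) is a simplification, the function names are my own, and the addresses are constructed from 192.0.2.0/24; the result is a reference to hold against the server's decision, not a reimplementation of rlm_sql.

```python
"""Offline evaluation of FreeRADIUS SQL check items against a request.

Added example, not FreeRADIUS code. The queries are the ones from the debug
output, parameterised; the check-item semantics are a simplified model.
"""
import re
import sqlite3

# Constructed schema with the columns the module's queries select.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# The three queries as they appear (expanded) in the debug output.
Q_USER_CHECK  = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = ? ORDER BY id"
Q_USER_GROUPS = "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority"
Q_GROUP_CHECK = "SELECT id, groupname, attribute, value, op FROM radgroupcheck WHERE groupname = ? ORDER BY id"


def item_matches(attribute, op, value, request):
    """Simplified check-item semantics. ':=' rows (e.g. Cleartext-Password)
    set control items rather than compare, so they count as satisfied here."""
    actual = request.get(attribute)
    if op == ":=":
        return True
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return actual is not None and re.search(value, actual) is not None
    raise ValueError(f"operator {op!r} not modelled")


def evaluate(conn, request):
    """Replay the queries for request['User-Name'] and return
    {'radcheck': [(attribute, op, value, matched), ...],
     'radgroupcheck': {groupname: [(attribute, op, value, matched), ...]}}."""
    user = request["User-Name"]
    cur = conn.cursor()
    report = {"radcheck": [], "radgroupcheck": {}}
    for _id, _user, attribute, value, op in cur.execute(Q_USER_CHECK, (user,)).fetchall():
        report["radcheck"].append((attribute, op, value, item_matches(attribute, op, value, request)))
    for (group,) in cur.execute(Q_USER_GROUPS, (user,)).fetchall():
        items = []
        for _id, _group, attribute, value, op in cur.execute(Q_GROUP_CHECK, (group,)).fetchall():
            items.append((attribute, op, value, item_matches(attribute, op, value, request)))
        report["radgroupcheck"][group] = items
    return report


def failing_items(report):
    """Flatten the report to (table, owner, attribute, op, value) tuples that did not match."""
    failed = [("radcheck", None, a, o, v) for a, o, v, ok in report["radcheck"] if not ok]
    for group, items in report["radgroupcheck"].items():
        failed += [("radgroupcheck", group, a, o, v) for a, o, v, ok in items if not ok]
    return failed


def build_sample_db():
    """Constructed data mirroring the thread: validuser in GROUP1, password in
    radcheck, NAS-IP-Address restriction in radgroupcheck (192.0.2.0/24 is a
    documentation range, not a real NAS)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
                 ("validuser", "Cleartext-Password", ":=", "validpasswd"))
    conn.execute("INSERT INTO radusergroup VALUES (?, ?, ?)", ("validuser", "GROUP1", 1))
    conn.execute("INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
                 ("GROUP1", "NAS-IP-Address", "==", "192.0.2.10"))
    return conn


def check_request(nas_ip):
    """Evaluate validuser arriving from the given NAS address; returns the failing items."""
    request = {"User-Name": "validuser", "User-Password": "validpasswd", "NAS-IP-Address": nas_ip}
    return failing_items(evaluate(build_sample_db(), request))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.99"):
        print(f"NAS-IP-Address={ip}: failing check items -> {check_request(ip)}")
```

Run against a real deployment by pointing `evaluate` at a connection to the actual tables; a request for which `failing_items` lists a radgroupcheck row while the server logs "++[sql] returns ok" reproduces the behaviour discussed in this thread.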