Reject user from SQL-DB
JB
list.freeradius at mac.com
Tue Mar 4 21:29:04 CET 2008
Phil Mayers (29.02.2008):
> JB wrote:
>> Phil Mayers:
>>> JB wrote:
>>>> I'm sorry, I have to ask again. Have you found a way to let the
>>>> reply query know that the user has already been rejected in the
>>>> check-query? I'm trying to avoid executing the same queries twice
>>>> and also to avoid using temporary tables.
>>>
>>> I thought I'd answered this?
>>> """What you could do is place a local attribute in the check
>>> items, then copy it to the reply items in an unlang section..."""
>>> Which you said worked in a later email
>> Sorry if I haven't made myself clear enough. These were two
>> different things.
>> On the on hand, I wanted to return a Reply-Message to the user
>> which is set in one of the two queries, which works fine the way
>> you proposed.
>> On the other hand, I wanted to avoid executing unnecessary sub-
>> queries in the reply query (a stored procedure in my case), or the
>> reply query itself, if the user has already been rejected in the
>> check query. It seems that the reply query is always executed. And
>> if I call the stored procedure with attributes like "%{control:Auth-
>> Type}" or "%{control:My-Reply}", they don't get resolved although
>> they're set in the first query.
>> In pseudo-code:
>> Check query: reject user because of reason 'xyz', set My-Attr to
>> 'xyz'. [works]
>> If rejected, don't call reply query (or at least call reply query
>> with resolved attributes to avoid unnecessary sub-queries) [doesn't
>> work]
>> If rejected copy My-Attr to Reply-Message [works]
>
> Ah I see.
>
> No, the "sql" module doesn't work that way - if *any* check pairs
> are returned (and match) the reply query is run, but the
> pairxlatmove() is done *after* the reply query is done - i.e. it
> does this:
>
> check_items = sql(check_query)
> if paircompare(request, check_items):
> reply_items = sql(reply_query)
> pairxlatmove(request->reply_items, reply_items)
> pairxlatmove(request->check_items, check_items)
>
> The only way you could change this would be with source-code patches
> or use rlm_perl/python to do the logic you want.
>
> Arguably the check items pairxlatmove() should be before the reply
> query, but then if the xlat of the reply query or reply query itself
> fail, you'd have added check items without corresponding reply items
> (but the module would have returned a fail error code, so it's
> probably not a big deal)
>
> You could move the check items pairxlatmove() call - it's line 669
> in src/modules/rlm_sql/rlm_sql.c in my copy of 2.0.0, and would need
> to move to just above line 651 i.e. the radius_xlat of the reply
> query.
Thanks a lot, your help really is appreciated! I'll try that.
Do you think there is a chance that this patch would make it into a
final release? Could this break current installations in any way?
JB
More information about the Freeradius-Users
mailing list