Some SQL radgroupcheck/reply troubles.

Anton Borisov antonio at mccinet.ru
Tue Jan 13 12:44:50 CET 2009


Good day!

I try to understand some of SQL selects in oracle.conf in Freeradius.
I think, I have found incorrect sql selects in radgroupcheck/radgrpoupreply.

Let me show it:
First of all - typical install freeradius2.1.1 with oracle.
I can see this selects in sql.conf for dialup.oracle.conf

###########################
authorize_group_check_query = " \
SELECT 
${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op 
\
FROM ${groupcheck_table},${usergroup_table} \
WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' \
     AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
ORDER BY ${groupcheck_table}.id"


authorize_group_reply_query = " \
SELECT 
${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op 
\
FROM ${groupreply_table},${usergroup_table} \
WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' \
     AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \
ORDER BY ${groupreply_table}.id"


#######################
user in sql:
in radcheck
USERNAME    ATTRIBUTE    OP VALUE
c-user    User-Password    =    c-password
in radreply
c-user    Reply-Message += c-reply

in usergroup
USERNAME    GROUPNAME    PRIORITY
c-user        a-group        10
c-user        b-group         5

in radgroupreply
GROUPNAME  ATTRIBUTE        OP VALUE
a-group    Reply-Message   += a-group
b-group    Reply-Message   += b-group


Ok, let try to make radclient requests for my c-user user:
Here is debug about sql select in freeradius2.1.1

Tue Jan 13 13:03:07 2009 : Debug: rlm_sql (sqlauth): Reserving sql 
socket id: 1
Tue Jan 13 13:03:07 2009 : Info: [sqlauth]     expand:  SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'%{SQL-User-Name}' ORDER BY id ->  SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = 'c-user' ORDER BY id
Tue Jan 13 13:03:07 2009 : Info: Invalid operator for item 
User-Password: reverting to '=='
Tue Jan 13 13:03:07 2009 : Info: [sqlauth] User found in radcheck table
Tue Jan 13 13:03:07 2009 : Info: [sqlauth]     expand:  SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'%{SQL-User-Name}' ORDER BY id ->  SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = 'c-user' ORDER BY id
Tue Jan 13 13:03:07 2009 : Info: [sqlauth]     expand:  SELECT GroupName 
FROM usergroup WHERE UserName='%{SQL-User-Name}' order by priority DESC 
->  SELECT GroupName FROM usergroup WHERE UserName='c-user' order by 
priority DESC
Tue Jan 13 13:03:07 2009 : Info: [sqlauth]     expand:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}'     AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id ->  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'c-user'     AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
Tue Jan 13 13:03:07 2009 : Info: [sqlauth] User found in group a-group

^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Only one group here!!!!!!!!!!!!!!

Tue Jan 13 13:03:07 2009 : Info: [sqlauth]     expand:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}'     AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id ->  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'c-user'     AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
Tue Jan 13 13:03:07 2009 : Debug: rlm_sql (sqlauth): Released sql socket 
id: 1
Tue Jan 13 13:03:07 2009 : Info: ++[sqlauth] returns ok



And here is answer (radclient)
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=87, 
length=47
     Reply-Message = "c-reply"
     Reply-Message = "b-group"
     Reply-Message = "a-group"

Why?

If we try to use SELECT from debug we can see that select pull user from 
  a-group and b-group in ONLY the one request:

Try to make sql select:
 >>>SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'c-user'     AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id;

And we see:
GROUPNAME  ATTRIBUTE        VALUE     OP
b-group    Reply-Message    b-group     +=
a-group    Reply-Message    a-group     +=

Next, if we add into a-group: Fall-Through       =  Yes
we can see the same select several times:

Tue Jan 13 14:29:11 2009 : Debug: rlm_sql (sqlauth): Reserving sql 
socket id: 1
Tue Jan 13 14:29:11 2009 : Info: [sqlauth] 	expand:  SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'%{SQL-User-Name}' ORDER BY id ->  SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = 'c-user' ORDER BY id
Tue Jan 13 14:29:11 2009 : Info: Invalid operator for item 
User-Password: reverting to '=='
Tue Jan 13 14:29:11 2009 : Info: [sqlauth] User found in radcheck table
Tue Jan 13 14:29:11 2009 : Info: [sqlauth] 	expand:  SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'%{SQL-User-Name}' ORDER BY id ->  SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = 'c-user' ORDER BY id
Tue Jan 13 14:29:11 2009 : Info: [sqlauth] 	expand:  SELECT GroupName 
FROM usergroup WHERE UserName='%{SQL-User-Name}' order by priority DESC 
->  SELECT GroupName FROM usergroup WHERE UserName='c-user' order by 
priority DESC
Tue Jan 13 14:29:11 2009 : Info: [sqlauth] 	expand:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' 	AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id ->  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'c-user' 	AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
Tue Jan 13 14:29:11 2009 : Info: [sqlauth] User found in group a-group
Tue Jan 13 14:29:11 2009 : Info: [sqlauth] 	expand:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' 	AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id ->  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'c-user' 	AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
Tue Jan 13 14:29:11 2009 : Info: [sqlauth] 	expand:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' 	AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id ->  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'c-user' 	AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
Tue Jan 13 14:29:11 2009 : Info: [sqlauth] User found in group b-group

^^^^^^^^^^^^^^^^^ Another select the SAME!! ^^^^^^^^^^^^^^^^^^^^^^^^^^

Tue Jan 13 14:29:11 2009 : Info: [sqlauth] 	expand:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' 	AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id ->  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'c-user' 	AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
Tue Jan 13 14:29:11 2009 : Debug: rlm_sql (sqlauth): Released sql socket 
id: 1
Tue Jan 13 14:29:11 2009 : Info: ++[sqlauth] returns ok


Here this select in sql:
SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'c-user' 	AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

GROUPNAME  ATTRIBUTE 	   VALUE    OP
a-group    Fall-Through	   Yes			=
b-group    Reply-Message	b-group		+=
a-group    Reply-Message	a-group		+=

With or without Fall-Through we have the same result.





I think this is wrond because:
http://wiki.freeradius.org/index.php?title=Rlm_sql

1. Search the radcheck table for any check attributes specific to the user
YES

2. If check attributes are found, and there's a match, pull the reply 
items from the radreply table for this user and add them to the reply
YES

3. Group processing then begins if any of the following conditions are met:
           * The user IS NOT found in radcheck
           * The user IS found in radcheck, but the check items don't match
           * The user IS found in radcheck, the check items DO match AND 
Fall-Through is set in the radreply table
           * The user IS found in radcheck, the check items DO match AND 
the read_groups directive is set to 'yes'
YES

4. If groups are to be processed for this user, the first thing that is 
done is the list of groups this user is a member of is pulled from the 
usergroup table ordered by the priority field. The priority field of the 
usergroup table allows us to control the order in which groups are 
processed, so that we can emulate the ordering in the users file. This 
can be important in many cases.
YES

5. For each group this user is a member of, the corresponding check 
items are pulled from radgroupcheck table and compared with the request. 
If there is a match, the reply items for this group are pulled from the 
radgroupreply table and applied.
NO

6. Processing continues to the next group IF:
           * There was not a match for the last group's check items OR
           * Fall-Through was set in the last group's reply items (The 
above is exactly the same as in the users file)
NO

7. Finally, if the user has a User-Profile attribute set or the Default 
Profile option is set in the sql.conf, then steps 4-6 are repeated for 
the groups that the profile is a member of.
NO


Well, in debug we can see only one group-request with ALL groups 
parameters where user belong to and only ONE group-reply with ALL groups 
  parameters where user belong to.. I.e one groupcheck/groupreply with 
all groups parameters...

Now, let me try to correct SELECT in dialup.oracle.conf. I add only one:
AND ${usergroup_table}.GroupName = '%{SQL-Group}', so, all group-select 
something like this:

###########################
authorize_group_check_query = " \
SELECT 
${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op 
\
FROM ${groupcheck_table},${usergroup_table} \
WHERE (${usergroup_table}.Username = '%{SQL-User-Name}' \
         AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
         AND ${usergroup_table}.GroupName = '%{SQL-Group}' \
ORDER BY ${usergroup_table}.PRIORITY"

###########################
SELECT 
${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op 
\
FROM ${groupreply_table},${usergroup_table} \
WHERE (${usergroup_table}.Username = '%{SQL-User-Name}'\
     AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \
     AND ${usergroup_table}.GroupName = '%{SQL-Group}' \
ORDER BY ${usergroup_table}.PRIORITY"



Here is debug with result in the same radius with the same request 
(without Fall-Through):


Tue Jan 13 13:21:33 2009 : Debug: rlm_sql (sqlauth): Reserving sql 
socket id: 1
Tue Jan 13 13:21:33 2009 : Info: [sqlauth]     expand:  SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'%{SQL-User-Name}' ORDER BY id ->  SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = 'c-user' ORDER BY id
Tue Jan 13 13:21:33 2009 : Info: Invalid operator for item 
User-Password: reverting to '=='
Tue Jan 13 13:21:33 2009 : Info: [sqlauth] User found in radcheck table
Tue Jan 13 13:21:33 2009 : Info: [sqlauth]     expand:  SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'%{SQL-User-Name}' ORDER BY id ->  SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = 'c-user' ORDER BY id
Tue Jan 13 13:21:33 2009 : Info: [sqlauth]     expand:  SELECT GroupName 
FROM usergroup WHERE UserName='%{SQL-User-Name}' order by priority DESC 
->  SELECT GroupName FROM usergroup WHERE UserName='c-user' order by 
priority DESC
Tue Jan 13 13:21:33 2009 : Info: [sqlauth]     expand:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE (usergroup.Username = 
'%{SQL-User-Name}' or usergroup.CLID = '%{Calling-Station-Id}')     AND 
usergroup.GroupName = radgroupcheck.GroupName AND usergroup.GroupName = 
'%{SQL-Group}' ORDER BY usergroup.PRIORITY ->  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE (usergroup.Username = 'c-user' or 
usergroup.CLID = '250097000222612')     AND usergroup.GroupName = 
radgroupcheck.GroupName AND usergroup.GroupName = 'a-group' ORDER BY 
usergroup.PRIORITY
Tue Jan 13 13:21:34 2009 : Info: [sqlauth] User found in group a-group

^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Again Only one group here!!!!!!!!!!!!!!

Tue Jan 13 13:21:34 2009 : Info: [sqlauth]     expand:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 
'%{SQL-User-Name}' OR usergroup.CLID = '%{Calling-Station-Id}')     AND 
usergroup.GroupName = radgroupreply.GroupName AND usergroup.GroupName = 
'%{SQL-Group}' ORDER BY usergroup.PRIORITY ->  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR 
usergroup.CLID = '250097000222612')     AND usergroup.GroupName = 
radgroupreply.GroupName AND usergroup.GroupName = 'a-group' ORDER BY 
usergroup.PRIORITY
Tue Jan 13 13:21:34 2009 : Debug: rlm_sql (sqlauth): Released sql socket 
id: 1
Tue Jan 13 13:21:34 2009 : Info: ++[sqlauth] returns ok


Answer:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=116, 
length=38
     Reply-Message = "c-reply"
     Reply-Message = "a-group"


We can see user found in only one group (And only one select). But - we 
did not use Fall-Through','=','Yes. (See 6. Processing continues to the 
next group IF: in wiki Freeradius sql). And we can see only ONE group in 
select from radgroupreply:

SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR 
usergroup.CLID = '250097000222612')     AND usergroup.GroupName = 
radgroupreply.GroupName AND usergroup.GroupName = 'a-group' ORDER BY 
usergroup.PRIORITY;

GROUPNAME  ATTRIBUTE      VALUE     OP
a-group    Reply-Message   a-group +=

Only one group.


Well, just add Fall-Through:
radgroupreply
GROUPNAME  ATTRIBUTE        OP VALUE
a-group    Reply-Message       += a-group
b-group    Reply-Message       += b-group
a-group    Fall-Through       =  Yes


Here is result:

ue Jan 13 13:28:04 2009 : Debug: rlm_sql (sqlauth): Reserving sql socket 
id: 0
Tue Jan 13 13:28:04 2009 : Info: [sqlauth]     expand:  SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'%{SQL-User-Name}' ORDER BY id ->  SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = 'c-user' ORDER BY id
Tue Jan 13 13:28:04 2009 : Info: Invalid operator for item 
User-Password: reverting to '=='
Tue Jan 13 13:28:04 2009 : Info: [sqlauth] User found in radcheck table
Tue Jan 13 13:28:04 2009 : Info: [sqlauth]     expand:  SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'%{SQL-User-Name}' ORDER BY id ->  SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = 'c-user' ORDER BY id
Tue Jan 13 13:28:04 2009 : Info: [sqlauth]     expand:  SELECT GroupName 
FROM usergroup WHERE UserName='%{SQL-User-Name}' order by priority DESC 
->  SELECT GroupName FROM usergroup WHERE UserName='c-user' order by 
priority DESC
Tue Jan 13 13:28:04 2009 : Info: [sqlauth]     expand:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE (usergroup.Username = 
'%{SQL-User-Name}' or usergroup.CLID = '%{Calling-Station-Id}')     AND 
usergroup.GroupName = radgroupcheck.GroupName AND usergroup.GroupName = 
'%{SQL-Group}' ORDER BY usergroup.PRIORITY ->  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE (usergroup.Username = 'c-user' or 
usergroup.CLID = '250097000222612')     AND usergroup.GroupName = 
radgroupcheck.GroupName AND usergroup.GroupName = 'a-group' ORDER BY 
usergroup.PRIORITY
Tue Jan 13 13:28:04 2009 : Info: [sqlauth] User found in group a-group

^^^^^^^^^^^^^^^^ We can see a-group check ^^^^^^^^^^^^^^^^^^^^^^^^^

Tue Jan 13 13:28:04 2009 : Info: [sqlauth]     expand:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 
'%{SQL-User-Name}' OR usergroup.CLID = '%{Calling-Station-Id}')     AND 
usergroup.GroupName = radgroupreply.GroupName AND usergroup.GroupName = 
'%{SQL-Group}' ORDER BY usergroup.PRIORITY ->  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR 
usergroup.CLID = '250097000222612')     AND usergroup.GroupName = 
radgroupreply.GroupName AND usergroup.GroupName = 'a-group' ORDER BY 
usergroup.PRIORITY
Tue Jan 13 13:28:04 2009 : Info: [sqlauth]     expand:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE (usergroup.Username = 
'%{SQL-User-Name}' or usergroup.CLID = '%{Calling-Station-Id}')     AND 
usergroup.GroupName = radgroupcheck.GroupName AND usergroup.GroupName = 
'%{SQL-Group}' ORDER BY usergroup.PRIORITY ->  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE (usergroup.Username = 'c-user' or 
usergroup.CLID = '250097000222612')     AND usergroup.GroupName = 
radgroupcheck.GroupName AND usergroup.GroupName = 'b-group' ORDER BY 
usergroup.PRIORITY
Tue Jan 13 13:28:04 2009 : Info: [sqlauth] User found in group b-group

^^^^^^^^^^^^^^^^^^^^^^ And we can see b-group check^^^^^^^^^^^^^^^^^^^^

Tue Jan 13 13:28:04 2009 : Info: [sqlauth]     expand:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 
'%{SQL-User-Name}' OR usergroup.CLID = '%{Calling-Station-Id}')     AND 
usergroup.GroupName = radgroupreply.GroupName AND usergroup.GroupName = 
'%{SQL-Group}' ORDER BY usergroup.PRIORITY ->  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR 
usergroup.CLID = '250097000222612')     AND usergroup.GroupName = 
radgroupreply.GroupName AND usergroup.GroupName = 'b-group' ORDER BY 
usergroup.PRIORITY
Tue Jan 13 13:28:04 2009 : Debug: rlm_sql (sqlauth): Released sql socket 
id: 0
Tue Jan 13 13:28:04 2009 : Info: ++[sqlauth] returns ok


And correct result:
rad_recv: Access-Accept packet from host 127.0.0.01 port 1812, id=133, 
length=47
     Reply-Message = "c-reply"
     Reply-Message = "a-group"
     Reply-Message = "b-group"


All in all:
We have TWO selects about TWO groups and we use Fall-Through for check 
all groups. All are working!

First select in debug:
  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR 
usergroup.CLID = '250097000222612')     AND usergroup.GroupName = 
radgroupreply.GroupName AND usergroup.GroupName = 'a-group' ORDER BY 
usergroup.PRIORITY

GROUPNAME  ATTRIBUTE        VALUE     OP
a-group    Fall-Through       Yes         =
a-group    Reply-Message    a-group     +=

Second select:
SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR 
usergroup.CLID = '250097000222612')     AND usergroup.GroupName = 
radgroupreply.GroupName AND usergroup.GroupName = 'b-group' ORDER BY 
usergroup.PRIORITY

GROUPNAME  ATTRIBUTE      VALUE      OP
b-group    Reply-Message   b-group +=



What do you think?


-- 
Yours faithfully,
Anton Borisov.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3364 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090113/fc73ee6c/attachment.bin>


More information about the Freeradius-Users mailing list