Freeradius 2.1-1: failure modes

leopold vova_b at yahoo.com
Wed Mar 11 19:41:30 CET 2009 

radius.conf
-------------
redundant redundant_sql {
#               sql1
                sql2
                fail <----- I tried to comment this line but it does not
help
        }

sites-enabled/default
---------------------
authorize {
	...
        redundant_sql
        if (fail) {
                update control {
                        # Do-Not-Respond        
                        Response-Packet-Type = 256
                }
                reject
        }
        elsif (notfound) {
                reject
        }
}


1) Success scenario debug output

rlm_sql (sql2): Released sql socket id: 8
+++[sql2] returns ok
++- group redundant_sql returns ok
++? if (fail)
? Evaluating (fail) -> FALSE
++? if (fail) -> FALSE
++? elsif (notfound)
? Evaluating (notfound) -> FALSE
++? elsif (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop

2) When I force DB down scenario
rlm_sql_unixodbc: Connection failed
rlm_sql (sql2): Failed to connect DB handle #5
rlm_sql (sql2): reconnect failed, database down?
rlm_sql_getvpdata: database query error
[sql2] SQL query error; rejecting user
rlm_sql (sql2): Released sql socket id: 5
+++[sql2] returns fail
+++[fail] returns fail
++- group redundant_sql returns fail
Invalid user: [xyz] (from client zzzz port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> xyz
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds


You see here it does not evaluate fail condition

Alan DeKok-2 wrote:
> 
> leopold wrote:
>> No luck.
>> For some reason unlang does not catch SQL fail return code.
> 
>   OK...
> 
>> Only if there is no failure I see it is evaluating return code it prints
>> in
>> debug mode
>> ++? if (fail)
>> ? Evaluating (fail) -> FALSE
> 
>   And you deleted the lines JUST ABOVE THAT which gave you the value of
> the return code.
> 
>   Why?
> 
>> But when SQL return really fails it does not evaluate this condition and
>> nothing is printed in debug mode.
> 
>   No.  The two-line output you included above shows that it *IS*
> evaluating the condition, but that for some reason it doesn't match.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

-- 
View this message in context: http://www.nabble.com/Freeradius-2.1-1%3A-failure-modes-tp22413666p22461816.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

More information about the Freeradius-Users mailing list