Logging the matched SQL-Group

Brian Candler B.Candler at pobox.com
Thu Feb 24 13:23:49 CET 2011


Phil Mayers wrote:
> > When rlm_sql is running through each of a user's groups, the value
> > %{SQL-Group} is set for each iteration. However it's cleared at the end.
> 
> I assume you're talking about the "authorize" method where it searches
> radgroupcheck/radgroupreply, rather than:
> 
> if (SQL-Group == ...)
> 
> ...yes?

That's right. I'm talking about step 5 at
http://wiki.freeradius.org/Rlm_sql#SQL_Schema_and_usage

It doesn't mention there that Sql-Group is set, but I found it in the source
(grep for PW_SQL_GROUP, attribute 1079)

> > Is there a straightforward way of doing this? Because I can't see one right
> > now...
> 
> You could add:
> 
> My-Matched-Group += GROUPNAME
> 
> ...to the radgroupreply, then log this attribute?

Ah yes, of course - I can make a UNION query which always adds this
attribute, but the reply will only be appended if the group is matched.  Or
I could do it in the radgroupcheck, to add a control attribute.

Cheers!

Brian.



More information about the Freeradius-Users mailing list