Quick enable/disable user account.

Christ Schlacta lists at aarcane.org
Wed Sep 14 06:10:44 CEST 2011


Not using MySQL.  You must peruse the manual pages about how to do it in 
your MySQL module; however, the magic lies in the users file.  You need 
a stanza similar to the following (but modified for SQL):

DEFAULT Ldap-Group == "WifiDisabled", Auth-Type := Reject
                 Reply-Message = "Your account has been disabled."

On 9/13/2011 18:33, 2394263740 wrote:
> Christ,
> Thanks for your help.
> Can you please advise how to configure a group reject access?
> Thanks!
> Tom
> ------------------ Original ------------------
> From: "freeradius-users" <freeradius-users-request at lists.freeradius.org>
> Date: Wed, Sep 14, 2011 02:01 AM
> To: "freeradius-users" <freeradius-users at lists.freeradius.org>
> Subject: Freeradius-Users Digest, Vol 77, Issue 51
>
> Today's Topics:
>
>    1. RE: Problem with rml_sqlcounter with GigaByte datavolume
>       (Nicolas FOUREL)
>    2. Re: Problem with rml_sqlcounter with GigaByte datavolume
>       (Suman Dash)
>    3. Re: Best Practices - maximum NAS entries in clients.conf
>       (Christ Schlacta)
>    4. Re: Quick enable/disable user account. (Christ Schlacta)
>    5. Re: Best Practices - maximum NAS entries in clients.conf
>       (Arran Cudbard-Bell)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 13 Sep 2011 18:30:55 +0200
> From: "Nicolas FOUREL" <nicolas.fourel at adipsys.com>
> Subject: RE: Problem with rml_sqlcounter with GigaByte datavolume
> To: "'FreeRadius users mailing list'"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4e6f8544.8dc5e30a.148c.558f at mx.google.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Arran,
>
> I have got version 3.0.0 with 64-bit counter support from Git and installed
> it. Unfortunately, I still have the same problem with my SQL counter, which
> always has "check_item=0" when I put in a value bigger than 2^32. On
> Access-Request in debug mode, I have the following lines:
>
> Tue Sep 13 18:20:47 2011 : Debug: rlm_sqlcounter: (Check item - counter) is less than zero
> Tue Sep 13 18:20:47 2011 : Debug: rlm_sqlcounter: Rejected user foo at bar.com, check_item=0, counter=68882
>
> Here is my counter definition:
> sqlcounter totalinputoctets {
>         counter-name = Total-Max-Input-Octets
>         check-name = Max-Input-Octets
>         reply-name = ChilliSpot-Max-Input-Octets
>         sqlmod-inst = sql
>         key = User-Name
>         reset = never
>         query = "SELECT SUM(AcctInputOctets) FROM radacct WHERE UserName='%{%k}'"
> }
>
> I have added "Max-Input-Octets" to the dictionary file like this:
> ATTRIBUTE       Max-Input-Octets        3001    integer64
>
> In the radcheck table:
> foo at bar.com    Max-Input-Octets    :=    107374182400
>
>
> Did I miss a thing?
>
> Many thanks
>
> Nicolas
>
> -----Original Message-----
> From:
> freeradius-users-bounces+nicolas.fourel=adipsys.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+nicolas.fourel=adipsys.com at lists.freeradius.org]
> On behalf of Arran Cudbard-Bell
> Sent: Monday 12 September 2011 11:46
> To: FreeRadius users mailing list
> Subject: Re: Problem with rml_sqlcounter with GigaByte datavolume
>
>
> On 12 Sep 2011, at 10:20, nfourel wrote:
>
> > Thanks for your reply but I can't find any version 3.x.x of freeRADIUS. Where
> > can I find it?
> >
>
> http://git.freeradius.org/
>
> 3.x.x is currently in development on the master branch.
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudbardb at freeradius.org
>
> RADIUS - Waging war on ignorance and apathy one Access-Challenge at a 
> time.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 13 Sep 2011 23:09:39 +0530
> From: Suman Dash <sumandash at gmail.com>
> Subject: Re: Problem with rml_sqlcounter with GigaByte datavolume
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID:
> <CAOywgS8G==MvAZPs=s18pYsN36mA+xzGScb9e0KvcPELOHFsng at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> SELECT SUM(AcctInputOctets) FROM radacct WHERE  UserName='username'
>
> Run the above query in mysql and post the result
>
> then post the freeradius log specific to this section.
>
> ------------------------------
>
> Message: 3
> Date: Tue, 13 Sep 2011 10:39:48 -0700
> From: Christ Schlacta <lists at aarcane.org>
> Subject: Re: Best Practices - maximum NAS entries in clients.conf
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4E6F9564.1070103 at aarcane.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 9/13/2011 00:59, Fajar A. Nugraha wrote:
> > On Tue, Sep 13, 2011 at 2:43 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> >> On 09/12/2011 10:42 PM, Fajar A. Nugraha wrote:
> >>> If I understand raddb/sites-available/dynamic-clients correctly, the
> >>> only way to store (well, to retrieve actually) dynamic clients
> >>> definition in SQL is to use "%{sql:" expansion. Is there a way to make
> >>> it have some level of redundancy? Last time I checked, "%{sql:" can't be
> >>> used on "virtual" modules (from instantiate or policy section) which
> >>> groups multiple sql instance together using "redundant".
> >>>
> >> You could also use "exec", rlm_perl/python or whatever, all of which can
> >> themselves call SQL.
> > possible, though not ideal.
> >
> >> Or, perform an SQL query that MUST return some output, parse the results and
> >> call the individual SQL modules directly - like so:
> >>
> >> update control {
> >>   Tmp-String-0 := "%{sql1:select name||','||secret ...}"
> >> }
> >> if (control:Tmp-String-0 == "") {
> >>   update control {
> >>     Tmp-String-0 := "%{sql2:...}"
> >>   }
> >> }
> > That's what we currently do (for another purpose, not for dynamic
> > client). However:
> > - I lost load-balancing feature that comes with redundant-load-balance
> > - imagine having to create 8 if-elsif block to properly catch error
> > when working with 8 sql nodes, and write the same sql query 8 times in
> > the configuration file. Works, but kinda messy.
> >
> > With current sql module (that only reads nas list from sql during
> > startup/HUP) I can use one sql/mysql/*.conf to specify the query, and
> > have each sql instance $INCLUDE it. If we can do similar thing with
> > "%{sql:" expansion (e.g. store the query in some temporary internal
> > variable/attribute) it'd reduce the messiness greatly, but I
> > haven't found out how to do it yet.
> >
> Why not make an arbitrary program that takes the SQL statement as an
> argument, and returns from the first successful connection.  It can take
> a random number between 0 and n-1 on the number of SQL servers you have,
> and start connecting from there.  You get failover and round-robin load
> balancing with the convenience of only having to write your query and
> your series of if-else-if statements once.
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 13 Sep 2011 10:46:21 -0700
> From: Christ Schlacta <lists at aarcane.org>
> Subject: Re: Quick enable/disable user account.
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4E6F96ED.6080307 at aarcane.org>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> On 9/13/2011 08:32, 2394263740 wrote:
> >
> > Hello,
> > I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.
> > OS: Linux Enterprise Server 6.1
> > Radius: free radius server 2.1.11
> > Database: Mysql
> >
> > Sometimes I need to disable a user account in the MySQL database, and then
> > enable it later on after some check completes.
> >
> > Can you please advise how to toggle such status?
> >
> > There may be multiple solutions; please advise them all, so I can
> > choose the one that best fits the needs.
> >
> > Thanks!
> >
> > Tom
> >
> Read up on MySQL groups, then use a group that's configured to reject
> access.  Add and delete members from that group as needed to disable and
> re-enable their account.  That's what groups are there for.
>
> ------------------------------
>
> Message: 5
> Date: Tue, 13 Sep 2011 20:01:14 +0200
> From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> Subject: Re: Best Practices - maximum NAS entries in clients.conf
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <97DF6DE5-5FDB-416C-A528-FDC68A1D4274 at freeradius.org>
> Content-Type: text/plain; charset=us-ascii
>
>
> On 13 Sep 2011, at 19:39, Christ Schlacta wrote:
>
> > Why not make an arbitrary program that takes the SQL statement as an
> > argument, and returns from the first successful connection.  It can
> > take a random number between 0 and n-1 on the number of SQL servers
> > you have, and start connecting from there.  You get failover and
> > round-robin load balancing with the convenience of only having to
> > write your query and your series of if-else-if statements once.
>
> Calling out to anything outside of FreeRADIUS comes with a big 
> performance penalty.
>
> I do sometimes wonder whether 'update config' would be useful as an 
> interim hack for some of this stuff.
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudbardb at freeradius.org
>
> RADIUS - Waging war on ignorance and apathy one Access-Challenge at a 
> time.
>
>
>
>
> ------------------------------
>
>
> End of Freeradius-Users Digest, Vol 77, Issue 51
> ************************************************
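
The group-based toggle described in the reply above, written out for the SQL module as an added example (not part of the original message or of FreeRADIUS itself). It assumes the stock FreeRADIUS MySQL schema tables radgroupcheck, radgroupreply and radusergroup with rlm_sql group processing left enabled; the group name 'disabled' and the user 'tom' are constructed sample values.

```sql
-- Added example. Assumes the stock FreeRADIUS MySQL schema (radgroupcheck,
-- radgroupreply, radusergroup) and that rlm_sql reads the group tables.
-- 'disabled' and 'tom' are constructed sample values.

-- One-time setup: a group whose check item forces a reject. This is the
-- SQL-table counterpart of the users-file stanza
--   DEFAULT Ldap-Group == "WifiDisabled", Auth-Type := Reject
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('disabled', 'Auth-Type', ':=', 'Reject');

-- Counterpart of the indented Reply-Message line in the stanza.
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('disabled', 'Reply-Message', '=', 'Your account has been disabled.');

-- Disable an account: add the user to the group. The statement does not
-- rely on a unique key over (username, groupname), so it guards against
-- inserting a duplicate membership row itself. Priority 0 sorts ahead of
-- the schema's default priority of 1, so this group is evaluated first.
INSERT INTO radusergroup (username, groupname, priority)
SELECT 'tom', 'disabled', 0
FROM DUAL
WHERE NOT EXISTS (
    SELECT 1
    FROM radusergroup
    WHERE username = 'tom' AND groupname = 'disabled'
);

-- Re-enable the account: remove the membership (all rows, in case
-- duplicates were inserted by other tooling).
DELETE FROM radusergroup
WHERE username = 'tom' AND groupname = 'disabled';

-- Audit: list every account that is currently disabled.
SELECT username
FROM radusergroup
WHERE groupname = 'disabled'
ORDER BY username;
```

The toggle takes effect on the next Access-Request for that user; sessions that are already established are not torn down by the membership change.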