v2.1.10 Why authorize_group check & reply query changed?
JustJoe
yjoe at yahoo.com
Sat Jun 9 00:28:18 CEST 2012
For several years we have been happy using early v1 distributions of
FreeRadius with a MySQL database on SuSe Linux. However, machines wear out
and security issues are resolved so decided it was time to upgrade to
v2.1.10 which is available as a package in Ubuntu 12.04.
Instead of just copying over all the config files and correcting the
directory pointers, I went through the process of updating the new
radiusd.conf, sites-available/default, sql.conf, and dialup.conf files. I
have been able to successfully authenticate & authorize test users using
radtest. However, group membership did not work correctly as it did before.
We use a system where most users are members of at least 2 groups, meaning
that each will have 2 entries in the radusergroup table, one for each group
it belongs to. In the previous production installation, each user would
properly receive all the attributes of both groups. On the new test system
however, they only receive the attributes of their first radusergroup entry
in the list based on the priority entry.
Research has shown that there was a BIG change in the group queries.
v1:
authorize_group_check_query = "SELECT
${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op
FROM ${groupcheck_table},${usergroup_table} WHERE
${usergroup_table}.Username = '%{SQL-User-Name}' AND
${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY
${groupcheck_table}.id"
authorize_group_reply_query = "SELECT
${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op
FROM ${groupreply_table},${usergroup_table} WHERE
${usergroup_table}.Username = '%{SQL-User-Name}' AND
${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY
${groupreply_table}.id"
v2:
authorize_group_check_query = "SELECT id, groupname, attribute, \
Value, op \
FROM ${groupcheck_table} \
WHERE groupname = '%{Sql-Group}' \
ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, \
value, op \
FROM ${groupreply_table} \
WHERE groupname = '%{Sql-Group}' \
ORDER BY id"
Can anyone tell me why it was decided to limit the functionality in v2 by
replacing the old queries?? I have tried replacing the new one with the
old, and it seems to work perfectly again.
I guess the more important question I am asking is whether I will have any
problems just using the old queries in the new dialup.conf script?
--
View this message in context: http://freeradius.1045715.n5.nabble.com/v2-1-10-Why-authorize-group-check-reply-query-changed-tp5713626.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list