v2.1.10 Why authorize_group check & reply query changed?
Phil Mayers
p.mayers at imperial.ac.uk
Sat Jun 9 10:49:22 CEST 2012
On 06/08/2012 11:28 PM, JustJoe wrote:
> Can anyone tell me why it was decided to limit the functionality in v2 by
> replacing the old queries?? I have tried replacing the new one with the
> old, and it seems to work perfectly again.

In fact, functionality was added, not limited.

(n.b. I'm working from memory here)

The old queries effectively merged the check & reply items for all
groups the user is a member of before comparing them / setting reply
items. This can be a pain if you have NAS-specific check items. For
example, if you have groups "VPN users" and "Wireless users" both of
which have a different comparison for NAS-Port-Type, and a user is a
member of both, the merged check items can never match.
The rlm_sql source code & queries were changed to run the queries one
group at a time, and look for / honour the Fall-Through attribute in a
manner similar to the "users" file. That is:

1. Select all entries from radcheck/radreply for the users
2. Select all groups the user is a member of
3. For each group
   4. select from radgroupcheck/radgroupreply
   5. If check items do not match, goto next group, restart from #4
   6. set reply items
   7. If not Fall-Through==yes, stop
   8. Else, goto next group, restart from #4

Step 7 is the key; if you want all groups to be processed, simply insert
"Fall-Through", "=", "Yes" in the radgroupreply table.
Do note that this will mean more SQL queries, though each with fewer
result rows. This is unlikely to matter unless your SQL database is
particularly slow.
> I guess the more important question I am asking is whether I will have any
> problems just using the old queries in the new dialup.conf script?
The whole point is you can use any queries you want; if those work
better for you, then use them. But do be aware of why they changed, and
the alternatives (Fall-Through)
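
The difference between the merged lookup and the per-group lookup with Fall-Through, as an added Python sketch that is not part of the original post and is not rlm_sql code. The "Staff" group, the attribute values, the membership order and the function names are assumptions made for illustration.

```python
# Toy model of the two lookup strategies; only equality check items are modelled.
# "VPN users" / "Wireless users" come from the post; all values are constructed.
GROUPS = {
    "VPN users": {"check": [("NAS-Port-Type", "Virtual")],
                  "reply": [("Framed-Pool", "vpn-pool"), ("Fall-Through", "Yes")]},
    "Wireless users": {"check": [("NAS-Port-Type", "Wireless-802.11")],
                       "reply": [("Tunnel-Private-Group-Id", "40")]},
    "Staff": {"check": [], "reply": [("Session-Timeout", "3600")]},  # hypothetical
}
MEMBERSHIP = ["VPN users", "Wireless users", "Staff"]  # assumed processing order

def matches(check_items, request):
    """True when every check item equals the request's value for that attribute."""
    return all(request.get(attr) == value for attr, value in check_items)

def merged(groups, membership, request):
    """Old behaviour: merge the items of all the user's groups, compare once."""
    check = [c for g in membership for c in groups[g]["check"]]
    reply = [r for g in membership for r in groups[g]["reply"]]
    return reply if matches(check, request) else None

def per_group(groups, membership, request):
    """New behaviour: one group at a time, honouring Fall-Through."""
    reply, matched = [], False
    for name in membership:
        group = groups[name]
        if not matches(group["check"], request):
            continue                      # step 5: try the next group
        matched, fall_through = True, False
        for attr, value in group["reply"]:
            if attr == "Fall-Through":    # control item, not sent to the NAS
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, value))
        if not fall_through:
            break                         # step 7: stop at first match
    return reply if matched else None

if __name__ == "__main__":
    for port_type in ("Virtual", "Wireless-802.11"):
        req = {"NAS-Port-Type": port_type}
        print(port_type, merged(GROUPS, MEMBERSHIP, req),
              per_group(GROUPS, MEMBERSHIP, req))
```

In this model the VPN request picks up the "Staff" reply item because its group sets Fall-Through, while the wireless request stops at its first matching group.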