sql module behavior differs from 2.2.1 to 3.0.0 ?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Oct 24 00:25:09 CEST 2013 

On 23 Oct 2013, at 13:28, Philippe MARASSE <philippe.marasse at ch-poitiers.fr> wrote:

> Le 23/10/2013 14:12, Arran Cudbard-Bell a écrit :
>>> (2) sql :       expand: "%{User-Name}" -> '002324609e3f'
>>> (2) sql : SQL-User-Name set to "002324609e3f"
>>> rlm_sql (sql): Reserved connection (4)
>>> (2) sql :       expand: "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" -> 'SELECT id, username, attribute, value, op FROM radcheck WHERE
>>> username = '002324609E3F' ORDER BY id'
>>> rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = '002324609E3F' ORDER BY id'
>>> (2) sql :       expand: "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" -> 'SELECT groupname FROM radusergroup WHERE username = '002324609E3F' ORDER BY
>>> priority'
>>> rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = '002324609E3F' ORDER BY priority'
>>> rlm_sql (sql): Released connection (4)
>>> (2)   [sql] = noop
>> It’s consistent with the users file, which also returns noop if not entries match.
>> 
>> Things like rlm_ldap are different because you’re looking for a specific object in the directory, so it’s ok to return notfound.
>> 
>> I guess both rlm_files and rlm_sql could return notfound if no key matched, and noop if no entry matched. Do people think this would be a useful distinction?
>> 
>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>> FreeRADIUS Development Team
>> 
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> Thanks for your answer. Maybe I was mistaken to rely on sql return code in the authorize section ?
> 
> If it's consistent with other modules, I'd rather modify my authenticate section to do a sql query in order to check the presence of the user, shouldn't I ?

Um, nope. That’s not authentication…

I’ve modified the behaviour to return notfound if the user *really* wasn’t found, as in there’s mention of the user at all, and there’s no default user, and there’s no profile user.

If the user was found, but check items prevented the entry being used rlm_sql now returns NOOP, else if an entry matched it now returns OK.

Also modified group processing a bit, so you can disable the check and reply queries if you want.

Really rlm_sql should also return updated if it added any control or reply items, i’ll have a look at that tomorrow if I find some spare time.

If the mean time i’d appreciate it if you could test v3.0.x or master to check behaviour is as you expect.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list