sql module behavior differs from 2.2.1 to 3.0.0 ?
Philippe MARASSE
philippe.marasse at ch-poitiers.fr
Fri Oct 25 15:16:58 CEST 2013
On 24/10/2013 00:25, Arran Cudbard-Bell wrote:
> On 23 Oct 2013, at 13:28, Philippe MARASSE <philippe.marasse at ch-poitiers.fr> wrote:
>
>> On 23/10/2013 14:12, Arran Cudbard-Bell wrote:
>>>> (2) sql : expand: "%{User-Name}" -> '002324609e3f'
>>>> (2) sql : SQL-User-Name set to "002324609e3f"
>>>> rlm_sql (sql): Reserved connection (4)
>>>> (2) sql : expand: "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" -> 'SELECT id, username, attribute, value, op FROM radcheck WHERE
>>>> username = '002324609E3F' ORDER BY id'
>>>> rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = '002324609E3F' ORDER BY id'
>>>> (2) sql : expand: "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" -> 'SELECT groupname FROM radusergroup WHERE username = '002324609E3F' ORDER BY
>>>> priority'
>>>> rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = '002324609E3F' ORDER BY priority'
>>>> rlm_sql (sql): Released connection (4)
>>>> (2) [sql] = noop
>>> It’s consistent with the users file, which also returns noop if no entries match.
>>>
>>> Things like rlm_ldap are different because you’re looking for a specific object in the directory, so it’s ok to return notfound.
>>>
>>> I guess both rlm_files and rlm_sql could return notfound if no key matched, and noop if no entry matched. Do people think this would be a useful distinction?
>>>
>>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>>> FreeRADIUS Development Team
>>>
>> Thanks for your answer. Maybe I was mistaken to rely on sql return code in the authorize section ?
>>
>> If it's consistent with other modules, I'd rather modify my authenticate section to do a sql query in order to check the presence of the user, shouldn't I ?
> Um, nope. That’s not authentication…
Indeed. I've forgotten to mention that for the moment our network
switches do MAC "Authentication", where username = password = mac-address,
so in order to authorize access to the right VLAN, a simple check of
user existence is enough.
>
> I’ve modified the behaviour to return notfound if the user *really* wasn’t found, as in there’s no mention of the user at all, and there’s no default user, and there’s no profile user.
>
> If the user was found, but check items prevented the entry being used rlm_sql now returns NOOP, else if an entry matched it now returns OK.
>
> Also modified group processing a bit, so you can disable the check and reply queries if you want.
>
> Really rlm_sql should also return updated if it added any control or reply items, I’ll have a look at that tomorrow if I find some spare time.
>
> In the meantime I’d appreciate it if you could test v3.0.x or master to check behaviour is as you expect.
Great :-), I'll test that mid next week as I'm actually on holidays.
Rdgs.
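As an added illustration (not part of the thread, and not FreeRADIUS project configuration), this is how an authorize section could use the post-change rlm_sql return codes described above for the MAC-authentication case in this thread, where a MAC that has no row in radcheck or radusergroup should not be granted a VLAN at all. It assumes the rlm_sql instance is named `sql` (as in the quoted debug output) and that the 3.0.x behaviour is exactly as Arran describes: notfound when there is no user entry, no DEFAULT and no profile; noop when a user entry exists but its check items did not match; ok when an entry matched.

```unlang
authorize {
    # Added example, not from the original thread. Assumes rlm_sql on
    # 3.0.x/master returns notfound / noop / ok as described in the reply.
    sql

    if (notfound) {
        # No radcheck or radusergroup row for this MAC, no DEFAULT entry and
        # no profile: the device is unknown to us, so do not hand it a VLAN.
        reject
    }
    elsif (noop) {
        # The MAC exists in the database but its check items did not match
        # (for example a Cleartext-Password row that differs from the MAC
        # the switch sent). Treat this the same as unknown rather than
        # falling through to whatever later modules decide.
        reject
    }

    # On ok, the reply items (e.g. the Tunnel-* VLAN attributes pulled from
    # radreply/radgroupreply by the sql queries) have already been added.
    # Remaining modules (pap, etc.) run as usual.
    pap
}
```

Because the existence check now lives in authorize, where it belongs, the authenticate section stays a plain password check (username = password = MAC in radcheck) instead of doing a second SQL lookup.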