Make sense of SQL Huntgroup HOWTO?

Alan DeKok aland at deployingradius.com
Fri Dec 18 23:33:39 CET 2015


On Dec 18, 2015, at 3:55 PM, Joel Bergmark <joel.bergmark at t3.se> wrote:
> I copy-pasted the rules as you wrote them but they didn't work; it allows a user defined as 2ndline to log on to equipment that’s 3rdline.

  Because one rule does one check... which does one thing.  If you want something *else*, you have to add another rule.

  My goal was to get you to understand it a piece at a time.  And to hope that once you understood it, you could extend it.

> I don't enjoy not being as clear as I would normally be; I work with networks, not so much FreeRADIUS or coding.

  Again, if you don't understand coding, you will have a *very* bad time.

  Creating these rules *is* coding.  if / then / else checks, etc.

> This is what I ran:
> 
>        update request {
>                Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
>        }
>        if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
>                reject
>        }

  Honestly, this shouldn't be difficult.  You can read off that rule pretty much as straightforward English.  It does one thing, and only one thing.  If you want something else... write an additional rule.

  You seem to think that you can solve the problem by trying random things.  You can't.  That's not how programming works.

  You have to *understand* what you're doing.  And write down what the requirements are.  In detail.  Write down which situations the users should get access, and which situations they should be denied.  Then, implement that in "unlang".

  Alan DeKok.
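
The following is an added example, not part of the message above and not the FreeRADIUS project's own configuration. It writes out one possible set of requirements as "unlang" in the form of the quoted rule, with one branch per huntgroup. The requirements themselves are assumptions, since the thread does not state them in full: each huntgroup admits only members of the SQL group with the same name, and a NAS whose huntgroup is not listed is denied.

```unlang
# Assumed requirements (not stated in full in the thread):
#
#   NAS huntgroup   user in SQL group   result
#   2ndline         2ndline             continue
#   2ndline         anything else       reject
#   3rdline         3rdline             continue
#   3rdline         anything else       reject
#   (not listed)    any                 reject

# Look up the huntgroup of the NAS that sent the request.
update request {
        Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
}

# One branch per huntgroup. Each branch does one check.
if (Huntgroup-Name == "2ndline") {
        if (SQL-Group != "2ndline") {
                reject
        }
}
elsif (Huntgroup-Name == "3rdline") {
        # The case reported above: a user who is only in 2ndline
        # reaches 3rdline equipment unless this branch exists.
        if (SQL-Group != "3rdline") {
                reject
        }
}
else {
        # Assumption: a NAS with no row in radhuntgroup, or with a
        # huntgroup that has no branch here, is denied rather than
        # falling through every rule and being accepted.
        reject
}
```

If 3rdline staff should also reach 2ndline equipment, that is a different row in the table and a different condition in the first branch; write the row down first, then change the rule.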



