Dynamic User Help
J Kephart
jkephart at safetynetaccess.com
Tue Feb 23 22:28:38 CET 2016
On 02/23/2016 03:36 PM, Alan DeKok wrote:
> On Feb 23, 2016, at 3:32 PM, J Kephart <jkephart at safetynetaccess.com> wrote:
>> OK, so we're finally at the point at which we're attempting to integrate
>> this into our configuration. The intent, per Alan's guidance, is to
>> insert the following statements at the top of the authorize section:
>>
> User-Group-Name needs to be in an "update" section. See "man unlang".
>
> update request {
>     User-Group-Name = "%{sql: ...
> }
>
>
> That can be simplified to:
>
> if (&User-Group-Name != "") {
>
> You can't just put SQL statements into a block. You need an "update" section. See again "man unlang". e.g.:
>
> update request {
>     Tmp-String-0 := "%{sql:UPDATE ...}"
> }
>
> You'll have to ensure that the RADIUS server is allowed to edit the radusergroup table. IIRC, the default permissions don't allow this.
>
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
As ever, thanks, Alan. Somehow, I knew that I'd missed something in the
sql update bit. My confusion comes from the final "else" statement; I
would think that it belongs inside the update section as well. Would it
be "safe" to encapsulate the queries in a single update section, as below?

if ("%{Called-Station-Id}" =~ "^<some-mac-prefix>") {
    update request {
        User-Group-Name = "%{sql: SELECT group_name from <table_name> where \
            site_id='%{NAS-Identifier}' and mac_address='%{Calling-Station-Id}' \
            and vlan_id='%{NAS-Port-Id}'}"
        if (&User-Group-Name != "") {
            Tmp-String-0 := "%{sql: update radusergroup set \
                groupname='%{User-Group-Name}' \
                where username='%{Calling-Station-Id}'}";
        }
        else {
            reject
        }
    }
}

Cheers,
Jim
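
The layout described in Alan's quoted reply, written out in full as an added example (not code posted by either participant): each assignment sits in its own "update" section and the if/else stays outside them. The `<some-mac-prefix>` and `<table_name>` placeholders are kept from the post, and the surrounding authorize section is assumed from the stated intent to place this at the top of that section.

```unlang
authorize {
    if ("%{Called-Station-Id}" =~ "^<some-mac-prefix>") {
        # An "update" section holds attribute assignments only,
        # so the lookup result is stored here and tested afterwards.
        update request {
            User-Group-Name = "%{sql:SELECT group_name FROM <table_name> WHERE site_id='%{NAS-Identifier}' AND mac_address='%{Calling-Station-Id}' AND vlan_id='%{NAS-Port-Id}'}"
        }

        # Conditions and keywords such as "reject" are policy
        # statements; they go outside the "update" section.
        if (&User-Group-Name != "") {
            # The write gets its own "update" section. The database
            # account used by the server needs UPDATE rights on
            # radusergroup for this statement to succeed.
            update request {
                Tmp-String-0 := "%{sql:UPDATE radusergroup SET groupname='%{User-Group-Name}' WHERE username='%{Calling-Station-Id}'}"
            }
        }
        else {
            # No group found for this site/MAC/VLAN combination.
            reject
        }
    }
}
```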