SQL auth against existing database

Brian Julin BJulin at clarku.edu
Thu Mar 29 01:55:25 CEST 2018

Charles Sprickman wrote:
> I’m looking through the SQL docs on the wiki, and they seem very complete, but I’m not quite grasping how to accomplish what I want.

Most of those docs pertain to automatic behaviors for using a preconfigured schema
which the rlm_sql has special code to handle.

> What I’d like to do is this:
> - Use existing db for user/pass check
> - Use static files for everything else
> - Optionally alter my sql query based on which client is asking for auth

> Is this possible?

Most likely.  In addition to providing behaviors for auth/acct/etc, rlm_sql also provides
what is known as an "xlate".  You'd want to configure an additional (named) instance of
the sql module by copying sql.conf, chopping some unused bits of it out, adding a name
before the first brace, and configuring the parameters to access your db.  Then include that file
either automatically by putting it in mods_enabled or via an explicit include directory.

Henceforth you can refer to that module by the name you gave it rather than "sql" and
create as many as you need for as many databases as you use.

Now, instead of adding that module as a step in one of the phases (authenticate/authorize/etc)
you use an xlate to launch an sql query that evaluates to your password, and shove that password
in the Cleartext-Password attribute in the authenticate section before FreeRADIUS needs to
check the password.

update control {
   Cleartext-Password := "%{mymodulename:SELECT pw_passwd FROM `mytable` WHERE pw_name = '%{Stripped-User-Name}'"

... or something like that.  You can use unlang expressions/statements to decide which update block to run
based on attributes in the request to get different per-user behavior.

More information about the Freeradius-Users mailing list