SQL auth against existing database

Brian Julin BJulin at clarku.edu
Thu Mar 29 15:49:27 CEST 2018


Charles Sprickman <spork at bway.net> wrote:

> I commented out everything but two queries and opted to just do the work in the queries - one
> to actually auth and one to just sort of show that I can return AV pair:

That's another way to do it.

> What I’m having trouble with still is setting a variable based on the client the request comes from.
> In the query above you see that weird bitwise comparison (pw_gid & 256).  For some clients I want
> that to be 256, for others 64, etc.  Thoughts on that?  Not urgent and might never need it, but I’m
> trying to maintain parity with my prior setup.

A few ways to go about it:

One is to make another copy of your sql instance, give it a different name, and (I don't know what your criteria
are) then do something like:

if (User-Name =~ /\@something$/) {
   name_of_256_module
}
else {
   name_of_64_module
}

...instead of just calling the same module.

Another is to either define a local attribute in your dicts file (using the FreeRADIUS internal attribute
VSA range), or abuse an unused attribute:

if (User-Name =~ /\@something$/) {
   update control {
        My-Attrib := 256
   }
}
else {
   update control {
        My-Attrib := 64
   }
}

...and then put a %{control:My-Attrib} in the query string where the number should be.  Note the "control"
attribute set is the internal one that FreeRADIUS uses to keep state that it does not want to put in
the request or reply or other attribute sets that correspond to actual packets.
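
The second approach end to end, as an added example that is not part of the original message, written for a FreeRADIUS 3.x layout. The table name `passwd`, the columns `pw_name` and `pw_passwd`, the attribute number 3000 and the `<> 0` test are assumptions; only `pw_gid`, `My-Attrib` and the regex come from the thread.

```conf
# --- raddb/dictionary ---------------------------------------------------
# Local, never-on-the-wire attribute. Number 3000 is an assumed choice from
# the range the stock dictionary file sets aside for local attributes.
# Typing it as integer means only a number can ever be expanded into the SQL.
ATTRIBUTE	My-Attrib	3000	integer

# --- raddb/sites-enabled/default ----------------------------------------
authorize {
	# Pick the bitmask by policy. The value is set here, server-side,
	# in the control list, so nothing from the packet reaches the mask.
	if (User-Name =~ /\@something$/) {
		update control {
			My-Attrib := 256
		}
	}
	else {
		update control {
			My-Attrib := 64
		}
	}

	# A single sql instance now serves both classes of client.
	sql
}

# --- raddb/mods-config/sql/main/<dialect>/queries.conf ------------------
# Constructed query against an assumed "passwd" table. The check query
# returns id, username, attribute, value, op. The row is only returned
# when the user's pw_gid has the bit chosen above.
authorize_check_query = "\
	SELECT 1 AS id, pw_name AS username, \
	       'Crypt-Password' AS attribute, pw_passwd AS value, ':=' AS op \
	FROM passwd \
	WHERE pw_name = '%{SQL-User-Name}' \
	  AND (pw_gid & %{control:My-Attrib}) <> 0"
```

Running the server with `radiusd -X` shows the expanded query, which confirms which mask was substituted for a given request.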



