SQL SELECT statement

Alan DeKok aland at deployingradius.com
Tue May 19 22:58:28 CEST 2020


On May 19, 2020, at 3:38 AM, Charly <netflow at geosciences.ensmp.fr> wrote:
> 
> - I have local users stored in an SQL database
> - I have LDAP users
> - in the SQL database, I store Cisco-AVPair values for both of them

  That's fine.

> The SQL module doesn't process the radreply when the user is not found in the radcheck table (=> LDAP users)

  That's how the SQL module is defined to work... see https://wiki.freeradius.org/modules/Rlm_sql

  You can't just put random SQL queries into the server and expect them to re-implement the entire SQL module.

  What you need to do is to re-phrase your problem:

	if user is in ldap
		then look user up in SQL with a fixed name
	else
		look user up in SQL with their user name

  This is relatively simple.  If you're not using realms / 802.1X, you can do:

authorize {
	...
	ldap
	if (ok) {
		update request {
			Stripped-User-Name := "LDAP"
		}
	}
	sql
	...
}

  And then edit the file mods-config/sql/main/mysql/queries.conf, to set:

sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"

  This will cause the SQL module to use Stripped-User-Name if it exists, otherwise it uses User-Name.

  And then the LDAP users can have a default entry in SQL, with user name "LDAP".  You can, of course, change that to anything else you want.

  Alan DeKok.
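The flow described in the reply, modelled as an added example (this is not code from the original post or from FreeRADIUS): an in-memory SQLite copy of the stock radcheck/radreply tables with constructed rows, a function standing in for the `%{%{Stripped-User-Name}:-%{User-Name}}` fallback, and a model of the SQL module's rule that reply rows are only fetched when a check row matched. The "LDAP" default entry and its check item are constructed placeholders; which check item a real deployment should use is not covered by the mail.

```python
import sqlite3

# Constructed sample rows in the shape of the stock radcheck / radreply
# tables. Attribute values are invented for this example.
RADCHECK_ROWS = [
    ("alice", "Cleartext-Password", ":=", "s3cret-example"),
    # Default entry for LDAP users. Any row makes the user "found" for the
    # SQL module; the check item below is a constructed placeholder.
    ("LDAP", "Simultaneous-Use", ":=", "1"),
]
RADREPLY_ROWS = [
    ("alice", "Cisco-AVPair", "+=", "shell:priv-lvl=15"),
    ("LDAP", "Cisco-AVPair", "+=", "shell:priv-lvl=1"),
]


def build_db():
    """Create the two tables in memory and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT)")
    con.execute("CREATE TABLE radreply (username TEXT, attribute TEXT, op TEXT, value TEXT)")
    con.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", RADCHECK_ROWS)
    con.executemany("INSERT INTO radreply VALUES (?, ?, ?, ?)", RADREPLY_ROWS)
    return con


def sql_user_name(request):
    """Models the xlat %{%{Stripped-User-Name}:-%{User-Name}}:
    Stripped-User-Name wins when set and non-empty, else User-Name."""
    return request.get("Stripped-User-Name") or request.get("User-Name", "")


def sql_authorize(con, request):
    """Models rlm_sql authorize: the radreply query runs only when the
    radcheck query returned at least one row for the looked-up name.
    Returns the reply rows, or None when the user was not found."""
    name = sql_user_name(request)
    check_rows = con.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?", (name,)
    ).fetchall()
    if not check_rows:
        return None  # notfound: radreply is never consulted
    return con.execute(
        "SELECT attribute, op, value FROM radreply WHERE username = ?", (name,)
    ).fetchall()


def authorize(con, request, ldap_users):
    """Models the authorize section from the mail: run ldap; if it returns
    ok (user exists in LDAP), set Stripped-User-Name := "LDAP"; then run sql.
    ldap_users is a constructed set standing in for the directory."""
    request = dict(request)
    if request["User-Name"] in ldap_users:
        request["Stripped-User-Name"] = "LDAP"
    return sql_authorize(con, request)


if __name__ == "__main__":
    db = build_db()
    directory = {"bob"}  # constructed: bob exists only in LDAP
    print("alice:", authorize(db, {"User-Name": "alice"}, directory))
    print("bob  :", authorize(db, {"User-Name": "bob"}, directory))
    # Without the Stripped-User-Name step, the LDAP user gets nothing back:
    print("bob, no rewrite:", sql_authorize(db, {"User-Name": "bob"}))
```

Running it shows the original problem and the fix side by side: `bob` looked up under his own name hits no radcheck row, so no Cisco-AVPair comes back; once the request carries `Stripped-User-Name = "LDAP"`, the lookup lands on the default entry and its reply rows are returned.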




More information about the Freeradius-Users mailing list