SQL Simultaneous usage checks
Alan DeKok
aland at deployingradius.com
Wed Jul 21 15:02:46 CEST 2021
On Jul 21, 2021, at 8:03 AM, David Herselman <dhe at syrex.co> wrote:
> Thank you for your feedback. A debug on the legacy FR v1 system is unfortunately not as granular as with FR v3, but it would appear that FR v1 (perhaps incorrectly) didn't replace := values from the SQL radcheck table with ':=' values returned by radgroupcheck.
Quite possibly. That version has been EOL for probably 10 years. In fact, even version 2 has been EOL for many years.
> Reading through https://wiki.freeradius.org/config/Operators bring me hope that I could possibly set the radcheck operator for this attribute as ':=' and then set the radgroupcheck operator as '=', but I'm concerned about the comment in the documentation that this is 'Not allowed as a check item for RADIUS protocol attributes.'
>
> My understanding of using the '+=' operator is that the resulting value would be 24, is this incorrect?
That's not correct. See the documentation for the "+=" operator.
And yes, you could use ":=" for radcheck, and "=" for radgroupcheck. That would work, too.
> PS: Thank you for your recommendation on replacing 'User-Password' with 'Cleartext-Password'. This is on the cards, but we have to allow for a transition period where legacy and new FR nodes reference a common database. We are subsequently using unlang to do the following before pap in the authorize section:
> if (!control:Cleartext-Password && control:User-Password) {
> update control {
> Cleartext-Password := "%{control:User-Password}"
Just do
Cleartext-Password := &control:User-Password
There's no need to expand it to a string, and then parse it back as a string.
Alan DeKok.
More information about the Freeradius-Users
mailing list