Can we re-order the authorization queries in the SQL module?

James Fan polysorb at gmail.com
Thu Nov 23 02:40:31 UTC 2023


Hi Alan and Gerald,
Thanks for your answer.
My problem was if I set a user attribute name "vlan_id" which is stored in
the radreply table and the radgroupreply table. But they have different
values.
The client will receive the value for the "vlan_id" in the radgroupreply.
But we want to make the radreply attributes a higher priority to overwrite
the radgroupreply values for the same attribute.
After studying the SQL module, I found a solution that uses
multiple instances to separate the queries like below:

sql sql-group {
  # Do group reply queries
}
sql sql-user-reply {
  # Do user reply queries
}

So we can run these modules using this order:
sql-group-reply.authorize
sql-user-reply.authorize

That makes the user attributes overwrite the group attributes and resolves
our problem.
I wonder if that is the best solution or if you have any good ideas. Thanks.


On Wed, Nov 22, 2023 at 9:21 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Nov 22, 2023, at 12:57 AM, James Fan <polysorb at gmail.com> wrote:
> >
> > We have a case that needs to prioritize the group reply attributes more
> > than the user reply attributes in the same attribute. However, I found a
> > fixed order for the authorization queries in the source code as below.
> > radcheck -> radreply -> radgroupcheck -> radgroupreply
> > If I change the orders in queries.conf, the query order is not changed
> > while authorizing.
>
>   Yes... the order of the queries is controlled by the source code, not by
> their location in the files.
>
> > So I wonder if we can re-order the authorization queries by any
> > configuration to make higher priority for the group reply? Thanks.
>
>   Why not use the operators?  Make the group replies use ":=", and it will
> over-ride whatever is set in the user profile.
>
>   Or, describe the problem in more detail.  What would you like to do, and
> why does the current behavior not work?
>
>   Don't say "I need to change the order of the queries".  That's a
> solution.  Describe what you want the server to do at a high level.
>
>   We can then offer a solution which doesn't involve changing query order
> or source code.
>
>   i.e. "I need to make my car waterproof" is a solution.  The real problem
> might be "I want to fill the pool with water".
>
>   The real solution is a garden hose, not transporting water in the car.
> The same thing applies here.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


More information about the Freeradius-Users mailing list