Hi,
Look in the archives for subject: "anyone uses sql authorization with
radius". You'll find your answers in there.
On Tue, 8 Jan 2002, Steve Sobol wrote:
> I'm currently using FreeRadius - just upgraded to 0.4 - to authenticate
> users with account info in /etc/passwd and /etc/shadow.
> Currently all I use is a default entry in /usr/local/etc/raddb/users.
>
> This works fine.
>
> However, I'm testing a setup where as much information as possible will go
> into a MySQL database. I'm also setting up LDAP
> for authentication, so I'm using an LDAP account to test... As you will
> see, this is not an LDAP issue...
>
> Here's the contents of the relevant fields out of my database
>
> [radcheck]
> +----+----------------------+-----------+-------+
> | id | UserName             | Attribute | Value |
> +----+----------------------+-----------+-------+
> | 11 | [EMAIL PROTECTED]    | Auth-Type | LDAP  |
> +----+----------------------+-----------+-------+
>
> [usergroup]
> +----+----------------------+-----------+
> | id | UserName             | GroupName |
> +----+----------------------+-----------+
> |  4 | [EMAIL PROTECTED]    | ldap      |
> +----+----------------------+-----------+
>
> [radgroupcheck]
> +----+-----------+-----------+-------+
> | id | GroupName | Attribute | Value |
> +----+-----------+-----------+-------+
> |  6 | ldap      | Auth-Type | Ldap  |
> +----+-----------+-----------+-------+
>
> [radgroupreply]
> +----+-----------+-------------------+-----------------+
> | id | GroupName | Attribute         | Value           |
> +----+-----------+-------------------+-----------------+
> | 10 | ldap      | Idle-Timeout      | 600             |
> |  9 | ldap      | Port-Limit        | 1               |
> | 13 | ldap      | Service-Type      | Framed-User     |
> | 14 | ldap      | Framed-Protocol   | PPP             |
> | 15 | ldap      | Framed-IP-Address | 255.255.255.254 |
> | 20 | ldap      | Framed-IP-Netmask | 255.255.255.255 |
> | 19 | ldap      | Session-Timeout   | 28800           |
> +----+-----------+-------------------+-----------------+
>
> Ok, first: If the account isn't in radcheck, usergroup doesn't get checked
> for the username. The next apparent step if the account isn't in radcheck
> is that the various tables are checked for DEFAULT - and this seems like a
> bug to me.
>
> Now... This is what happens when I try to dial in using sjs-ldap
>
> Thread 1 handling request 0, (1 handled so far)
> User-Name = "[EMAIL PROTECTED]"
> Password = "\352{\252\236M4\257}3KwZl\006\274["
> NAS-IP-Address = 64.24.224.229
> NAS-Port = 44
> NAS-Port-Type = Async
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Connect-Info = "16800 LAPM/V42BIS"
> Called-Station-Id = "4408560016"
> Calling-Station-Id = "4402098862"
> Proxy-State =
> 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
> rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
> rad_lowerpair: Password now 'myDialupPassword'
> rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]'
> rad_rmspace_pair: Password now 'myDialupPassword'
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> modcall[authorize]: module "suffix" returns ok
> rlm_sql: Reserving sql socket id: 4
> radius_xlat: '[EMAIL PROTECTED]'
> sql_escape in: '[EMAIL PROTECTED]'
> sql_escape out: '[EMAIL PROTECTED]'
> sql_set_user: escaped user --> '[EMAIL PROTECTED]'
> radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE
> Username = '[EMAIL PROTECTED]' ORDER BY id'
> radius_xlat: 'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value
> FROM radgroupcheck,usergroup WHERE usergroup.Username =
> '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName
> ORDER BY radgroupcheck.id'
> radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply WHERE
> Username = '[EMAIL PROTECTED]' ORDER BY id'
> radius_xlat: 'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value
> FROM radgroupreply,usergroup WHERE usergroup.Username =
> '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName
> ORDER BY radgroupreply.id'
> rlm_sql: Released sql socket id: 4
> rlm_sql: Pairs do not match [[EMAIL PROTECTED]]
> modcall[authorize]: module "sql" returns notfound
> users: Matched DEFAULT at 2
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
> modcall[authenticate]: module "unix" returns notfound
> modcall: group authenticate returns notfound
> auth: Failed to validate the user.
> Sending Access-Reject of id 109 to 216.126.128.8:1650
> Proxy-State =
> 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
> Finished request 0
> Going to the next request
>
>
> Now, for some reason, enabling debugging on 0.4 doesn't print the results
> of the SQL queries. :( However, with 0.3, I'd see that the check and reply
> items were being retrieved correctly.
>
> Even so, and even though the reply pairs are what my dialup provider
> expects to see, I still get the "pairs do not match" message. rlm_sql
> fails, and control falls through to the users file, which only has one
> entry that specifies that the user is to be authenticated through the
> passwd file. This, of course, doesn't work. sjs-ldap doesn't exist in
> /etc/passwd, only in LDAP.
>
> I'm at a total loss - I can't figure out why this is happening. Help :(
>
> Thanks, S
>
>
> --
> JustThe.net LLC - Steve "Web Dude" Sobol, CTO ICQ: 56972932/WebDude216
> website: http://JustThe.net email: [EMAIL PROTECTED] phone: 216.619.2NET
> postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752 DalNet: ZX-2
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
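To see what the four authorize queries in the debug output above actually hand back to rlm_sql, here is an added example that rebuilds the poster's radcheck, usergroup, radgroupcheck and radgroupreply tables in an in-memory SQLite database and runs the same four statements against them. This is not code from the post or from FreeRADIUS; it assumes a placeholder address (sjs-ldap@example.net) for the redacted user name, uses SQLite in place of MySQL, binds the user name as a query parameter where the real module runs sql_escape and then radius_xlat, and runs all four queries unconditionally, so it does not reproduce the module's own decisions (when the group queries are run, or the "Pairs do not match" comparison).

```python
import sqlite3

# Placeholder for the redacted [EMAIL PROTECTED] address in the post (assumption).
USER = "sjs-ldap@example.net"


def build_db():
    """Constructed replica of the five rlm_sql tables, rows copied from the post
    (radreply is created empty, as the debug output queries it too)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE radcheck      (id INTEGER, UserName TEXT, Attribute TEXT, Value TEXT);
        CREATE TABLE radreply      (id INTEGER, UserName TEXT, Attribute TEXT, Value TEXT);
        CREATE TABLE usergroup     (id INTEGER, UserName TEXT, GroupName TEXT);
        CREATE TABLE radgroupcheck (id INTEGER, GroupName TEXT, Attribute TEXT, Value TEXT);
        CREATE TABLE radgroupreply (id INTEGER, GroupName TEXT, Attribute TEXT, Value TEXT);
    """)
    con.execute("INSERT INTO radcheck VALUES (11, ?, 'Auth-Type', 'LDAP')", (USER,))
    con.execute("INSERT INTO usergroup VALUES (4, ?, 'ldap')", (USER,))
    con.execute("INSERT INTO radgroupcheck VALUES (6, 'ldap', 'Auth-Type', 'Ldap')")
    con.executemany("INSERT INTO radgroupreply VALUES (?, 'ldap', ?, ?)", [
        (10, "Idle-Timeout", "600"),
        (9, "Port-Limit", "1"),
        (13, "Service-Type", "Framed-User"),
        (14, "Framed-Protocol", "PPP"),
        (15, "Framed-IP-Address", "255.255.255.254"),
        (20, "Framed-IP-Netmask", "255.255.255.255"),
        (19, "Session-Timeout", "28800"),
    ])
    con.commit()
    return con


# The four queries as the debug output prints them, with the escaped and
# interpolated user name replaced by a bound parameter (?) so that the name
# can never change the shape of the statement.  SQLite, like MySQL, treats
# the column name "Username" and the declared "UserName" as the same column.
QUERIES = [
    ("check", "SELECT id,UserName,Attribute,Value FROM radcheck "
              "WHERE Username = ? ORDER BY id"),
    ("groupcheck", "SELECT radgroupcheck.id,radgroupcheck.GroupName,"
                   "radgroupcheck.Attribute,radgroupcheck.Value "
                   "FROM radgroupcheck,usergroup WHERE usergroup.Username = ? "
                   "AND usergroup.GroupName = radgroupcheck.GroupName "
                   "ORDER BY radgroupcheck.id"),
    ("reply", "SELECT id,UserName,Attribute,Value FROM radreply "
              "WHERE Username = ? ORDER BY id"),
    ("groupreply", "SELECT radgroupreply.id,radgroupreply.GroupName,"
                   "radgroupreply.Attribute,radgroupreply.Value "
                   "FROM radgroupreply,usergroup WHERE usergroup.Username = ? "
                   "AND usergroup.GroupName = radgroupreply.GroupName "
                   "ORDER BY radgroupreply.id"),
]


def authorize(con, username):
    """Run the four queries for one user and return the (Attribute, Value)
    pairs they yield: user items first, then group items, each in the
    ORDER BY id order of its query."""
    rows = {}
    for name, sql in QUERIES:
        rows[name] = [(row[2], row[3]) for row in con.execute(sql, (username,))]
    return {
        "check": rows["check"] + rows["groupcheck"],
        "reply": rows["reply"] + rows["groupreply"],
    }


if __name__ == "__main__":
    db = build_db()
    pairs = authorize(db, USER)
    print("check items:", pairs["check"])
    for attr, value in pairs["reply"]:
        print(f"{attr} = {value}")
```

Two things worth noticing in the output: the check items are the radcheck row plus the joined radgroupcheck row, so the same attribute (Auth-Type) arrives twice with differently cased values, and the group reply items come back in id order (Port-Limit before Idle-Timeout) rather than the order the post lists them, because of the ORDER BY. The sql_escape in/out lines in the debug output are the step this example replaces with parameter binding; in the real module the escaped name is pasted into the query text by radius_xlat, which is why that escaping step matters.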