could anybody explain me what exactly FR does with group checks working with SQL (Oracle in my case) ?
I see group_membership_query in sql.conf, but i do not see that FR uses it in debug:
rad_recv: Access-Request packet from host 127.0.0.1:50893, id=174, length=78
User-Name = "[EMAIL PROTECTED]"
User-Password = "blahblah"
Calling-Station-Id = "250097000002749"
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 212.119.97.86
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 29
modcall[authorize]: module "preprocess" returns ok for request 29
modcall[authorize]: module "chap" returns noop for request 29
rlm_realm: Looking up realm "c" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "c"
rlm_realm: Proxying request from user a to realm c
rlm_realm: Adding Realm = "c"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 29
users: Matched DEFAULT at 73
modcall[authorize]: module "files" returns ok for request 29
WARNING: Attempt to use unknown xlat function, or non-existent attribute in string %{DEFAULT}
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE (usergroup.Username = '[EMAIL PROTECTED]' or usergroup.CLID = '250097000002749') AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE (usergroup.Username = '[EMAIL PROTECTED]' OR usergroup.CLID = '250097000002749') AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [EMAIL PROTECTED]
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns notfound for request 29
modcall[authorize]: module "mschap" returns noop for request 29
modcall: group authorize returns ok for request 29
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Second - what exactly will FR do if authorize_group_check_query returns several groups' membership for the user (i've slightly modified query and usergroup table to check CLID also):
SQL> SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.op FROM radgroupcheck, usergroup WHERE (usergroup.Username = '[EMAIL PROTECTED]' or usergroup.CLID = '250097000002749') AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;
ID GROUPNAME ATTRIBUTE VALUE OP 10 carta Realm c == 11 carta NAS-IP-Address 212.119.117.1 == 19 blackholed Auth-Type Reject :=
In my case user is accepted though he is a member of blackholed group with Auth-Type - Reject.
-- Sincerely Yours, Alexander Serkin, Skylink, Moscow
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
