Peter Nixon wrote:
The code in rlm_sql.c definitely does not do that, at least in 1.1.3 as
far as I can understand the code? Instead it appears to smoosh the user
and all the group check items together, compares them, and if they *all*
match adds *all* the reply items.
This seems to make groups pretty useless except for using the SQL-Group
construct in the users file.
Comments?
I believe you are correct. It's been a while since I looked at the SQL Groups
functionality, but last time I did I quickly decided to do the processing I
required from my own table structure with an SQL function. That way you get
_exactly_ what you want at the cost of having to think about a schema that
fits your need. Works pretty well for us :-)
Someone really needs to take a knife the the SQL Groups code.. But, there you
have it. Feel free to help out any time you want :-)
Actually, having just done a "cvs up"the CVS code appears to do things
"the right way", and is generally a lot cleaner; none of the query_table
config options for example, and a much cleaner iteration logic for groups.
From what I can tell a straight swap of the src/modules/rlm_sql
directory would have a reasonable chance of working - I might try that.
The specific driver for this was wanting a NIS netgroup-style group
membership table, i.e.:
create table groups (
id serial,
precedence integer not null default 0,
username text,
callingstationid text,
groupname text not null,
primary key (id)
);
insert into groups (precedence,username,callingstationid,groupname)
-- ban joe on all hosts
...values (10, 'joe', null, 'BANNED');
-- ban this MAC for all users
...values (10, null, '00:11:22:33:44:55', 'BANNED');
-- permit this guest from their laptop only
...values (5, 'guest', 'aa:bb:cc:dd:ee:ff', 'OK');
...values (4, 'guest', null, 'BANNED');
...then set the "group membership" query to:
select distinct groupname from (
select * from groups where
username='%{SQL-User-Name}'
or
callingstationid='%{Calling-Station-Id}'
order by precedence,groupname
) as groups
...which would allow you to e.g. put MAC addresses into BANNED groups,
users into BANNED groups, but maybe permit a user to login from certain
specific machines, by manipulating the precedence correctly.
If someone isn't already working on it I'll have a crack at backporting
the CVS SQL code.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html