> xlat are placeholders in strings, usually used for substituting attribute
> values, for example:
>
>     update reply {
>         Reply-Message := "Hello %{User-Name}"
>     }
>
> The %{User-Name} is an xlat expansion.
>
> The xlat expansion "%{md5:<text>}" expands to an md5 hash of <text>. So you
> have something like:
>
>     if ("%{md5:%{User-Password}:%{Salt}}" == %{<database password>}) {
>         update control {
>             Auth-Type := 'Access-Accept'
>         }
>     }
>
> There's also an %{sql:<text>} xlat, which executes the <text> portion as a
> query and expands to the first column of the first row in the result set.
>
> In the above condition you could use the sql xlat in place of %{Salt} and
> %{<database password>} to retrieve the bits of info you need to authenticate
> the user, though it's a little inefficient as you have to query twice.
>
> There are ways to work around the limitations of sql xlat, for example you
> can CONCAT the values of two columns and then break them apart with a regex
> and capture groups. See man unlang.
>
> -Arran
Nice :)
I have added the following to my authorize section and it works:

    if ("%{md5:%{User-Password}:<SALT>}" == "%{sql:SELECT radcheck.value FROM `radcheck` WHERE radcheck.username ='%{User-Name}'}") {
        update control {
            Auth-Type := 'Accept'
        }
    }
    else {
        sql  # to make sure that the sql module is loaded.
    }

Is there a better way to solve the loading of the sql module?
If I do not include the else section, the %{sql:...} does not work. But if I
place it outside the else, or when the user enters the wrong password, the
database is queried twice.
Thanks for your help
- Rene
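
The single-query approach mentioned in the quoted reply (CONCAT two columns, then split them with a regex and capture groups), as an added example that is not part of the original messages. The `users` table, its `salt` and `pw_hash` columns and the ':' separator are assumptions; it also assumes the sql module is already loaded and that a salt never contains ':'.

```unlang
# Added example, not from the thread.
# Hypothetical schema: users(username, salt, pw_hash), where pw_hash holds the
# lowercase hex MD5 of "<password>:<salt>", the same string the md5 xlat hashes.
#
# One query returns "<salt>:<hash>"; the regex splits it into %{1} and %{2}.
if ("%{sql:SELECT CONCAT(salt, ':', pw_hash) FROM users WHERE username = '%{User-Name}'}" =~ /^([^:]+):(.+)$/) {
    # %{1} = per-user salt, %{2} = stored hash (capture groups of the match above)
    if ("%{md5:%{User-Password}:%{1}}" == "%{2}") {
        update control {
            Auth-Type := 'Accept'
        }
    }
}
# No row for the user: the sql xlat expands to an empty string, the regex does
# not match, and control is left unchanged, so nothing is accepted here.
```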