Hello,
I have never played around with groups using rlm_sql and the default schema.
I am reading what I assume is saying that it should be possible to have several
groups for an account, and each group should be able to supply that specific
group's radgroupreply attributes.
Number 4 below sure sounds like it should get all of the account's groups first and
then process them according to priority? The test below shows it only reads the
first group, no matter what the priority is.
Is that how it should work, or what am I missing here?
1. Search the radcheck table for any check attributes specific to the user.
2. If check attributes are found, and there's a match, pull the reply items from
   the radreply table for this user and add them to the reply.
3. Group processing then begins if any of the following conditions are met:
   ◦ The user IS NOT found in radcheck
   ◦ The user IS found in radcheck, but the check items don't match
   ◦ The user IS found in radcheck, the check items DO match AND Fall-Through is
     set in the radreply table
   ◦ The user IS found in radcheck, the check items DO match AND the read_groups
     directive is set to 'yes'
4. If groups are to be processed for this user, the first thing that is done is
   the list of groups this user is a member of is pulled from the usergroup table
   ordered by the priority field. The priority field of the usergroup table allows
   us to control the order in which groups are processed, so that we can emulate
   the ordering in the users file. This can be important in many cases.
5. For each group this user is a member of, the corresponding check items are
   pulled from the radgroupcheck table and compared with the request. If there is a
   match, the reply items for this group are pulled from the radgroupreply table
   and applied.
6. Processing continues to the next group IF:
   ◦ There was not a match for the last group's check items OR
   ◦ Fall-Through was set in the last group's reply items
   (The above is exactly the same as in the users file.)
7. Finally, if the user has a User-Profile attribute set or the Default Profile
   option is set in sql.conf, then steps 4-6 are repeated for the groups that
   the profile is a member of.
To test it, I added some data:
mysql> select * from radcheck;
+----+----------+-----------+----+-------+
| id | username | attribute | op | value |
+----+----------+-----------+----+-------+
|  8 | alex     | Password  | := | test  |
+----+----------+-----------+----+-------+

mysql> select * from radusergroup;
+----------+------------------+----------+
| username | groupname        | priority |
+----------+------------------+----------+
| alex     | mega-admin-group |        0 |
| alex     | cisco_admin      |        1 |
+----------+------------------+----------+

mysql> select * from radgroupreply;
+----+------------------+----------------+----+---------------------------------+
| id | groupname        | attribute      | op | value                           |
+----+------------------+----------------+----+---------------------------------+
|  1 | mega-admin-group | Reply-Message  | =  | test-mega-admin-reply-attribute |
|  2 | mega-admin-group | NAS-Identifier | =  | test-NAS                        |
|  3 | cisco_admin      | Service-Type   | =  | NAS-Prompt-User                 |
|  4 | cisco_admin      | cisco-avpair   | =  | shell:priv-lvl=15               |
+----+------------------+----------------+----+---------------------------------+
5 rows in set (0.00 sec)
root@noc1:/etc/freeradius# radtest -x alex test localhost 1812 testing123
Sending Access-Request of id 69 to 127.0.0.1 port 1812
User-Name = "alex"
User-Password = "test"
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=63
Reply-Message = "test-mega-admin-reply-attribute"
NAS-Identifier = "test-NAS"    <-- only replies from group mega-admin-group
And the FreeRADIUS debug output shows it only checked replies from the first group:
rad_recv: Access-Request packet from host 127.0.0.1 port 49061, id=3, length=56
User-Name = "alex"
User-Password = "test"
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
rlm_perl: rlm_perl::Itux DEBUG::Inside authorize Function.
rlm_perl: Added pair User-Name = alex
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair NAS-Port = 1812
rlm_perl: Added pair NAS-IP-Address = 10.173.2.10
++[perl] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "alex", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql] expand: %{User-Name} -> alex
[sql] sql_set_user escaped user --> 'alex'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alex' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alex' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alex' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'mega-admin-group' ORDER BY id
[sql] User found in group mega-admin-group
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'mega-admin-group' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] Using clear text password "test"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [alex] (from client localhost port 1812)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 3 to 127.0.0.1 port 49061
Reply-Message = "test-mega-admin-reply-attribute"
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 3 with timestamp +7141
Ready to process requests.
Thx
Alex
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html