rlm_sql functionality
Hi,

I am trying to do something with rlm_sql (driver: mysql) that does not seem to work as stated in the documentation. Consider this database:

mysql> select * from radcheck;
| id | UserName | Attribute | op | Value |
| 1  | nar2     | Password  | == | test  |

mysql> select * from radreply;
| id | UserName | Attribute    | op | Value |
| 1  | nar2     | Fall-Through | =  | Yes   |

mysql> select * from usergroup;
| id | UserName | GroupName | priority |
| 1  | nar2     | core-en   | 2        |
| 2  | nar2     | access-en | 1        |

mysql> select * from radgroupcheck;
| id | GroupName | Attribute      | op | Value    |
| 1  | core-en   | NAS-IP-Address | == | 10.1.1.1 |
| 2  | access-en | NAS-IP-Address | == | 10.2.1.1 |

mysql> select * from radgroupreply;
| id | GroupName | Attribute     | op | Value  | prio |
| 1  | core-en   | Reply-Message | =  | Core   | 1    |
| 2  | access-en | Reply-Message | =  | Access | 1    |

The sql.conf is unchanged from the default, except that the server connects to a database on a remote host.

The idea is that when nar2 tries to login on the two different NAS'es, the authorization would become different.

What happens with this setup is that a request from 10.2.1.1 is rejected even if the user supplies the right password. I then reversed the order of records in radgroupcheck. What happened was that the requests coming from 10.1.1.1 were rejected. (The NAS-IP-Address that matches the group with the lowest id was accepted, and the other rejected.) Also, even if I did that, the reply-items from the group with the lowest id in radgroupreply were returned, as long as the user and group are coupled in usergroup.

I have been playing along with this for a while and I can't see that this makes sense in any way. I have also changed the ordering in radgroupreply and tried different priorities.

The questions remaining are:

1. Can I populate the database differently so that the server does what I want?
2. Is there a way to rewrite the queries in sql.conf so the server does what I want?
3. Am I completely missing the point of having groups in RADIUS?

What I want from rlm_sql is (this should probably be a bit refined):

1. check if user check-items match, add the reply-items.
2. if they match, check each usergroup coupling, if there are any.
3. a. if the check-items of the group match, add the reply-items from radgroupreply.
   b. if the check-items of the group do not match, skip to next group, but do not reject unless no groups match, or a group explicitly says so.
4. if no group matches then Reject.

--
best regards
Nils Rønhovde

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
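The evaluation order requested in steps 1-4 of the message above, as an added Python model that is not part of the original post and is not FreeRADIUS code. The function names are hypothetical, the rows are constructed from the tables in the post, only the `==` check operator is modelled, ascending `priority` order and "no groups means accept" are assumptions, and the "a group explicitly says so" reject case is left out.

```python
# Constructed from the tables in the post; rows are (name, attribute, op, value).
RADCHECK = [("nar2", "Password", "==", "test")]
RADREPLY = [("nar2", "Fall-Through", "=", "Yes")]
USERGROUP = [("nar2", "core-en", 2), ("nar2", "access-en", 1)]
RADGROUPCHECK = [("core-en", "NAS-IP-Address", "==", "10.1.1.1"),
                 ("access-en", "NAS-IP-Address", "==", "10.2.1.1")]
RADGROUPREPLY = [("core-en", "Reply-Message", "=", "Core"),
                 ("access-en", "Reply-Message", "=", "Access")]


def items_match(rows, key, request):
    """True when every '==' check item stored for `key` equals the request value."""
    for name, attr, op, value in rows:
        if name != key:
            continue
        if op != "==":
            raise ValueError("only the '==' operator is modelled here")
        if request.get(attr) != value:
            return False
    return True


def reply_items(rows, key):
    """Collect (attribute, value) reply pairs stored for a user or group."""
    return [(attr, value) for name, attr, _op, value in rows if name == key]


def authorize(request):
    """Return (decision, reply) following steps 1-4 of the post."""
    user = request["User-Name"]
    # Step 1: the user's own check items must match before groups are considered.
    if not items_match(RADCHECK, user, request):
        return "reject", []
    reply = reply_items(RADREPLY, user)
    # Step 2: walk the user's groups (ascending priority is an assumption).
    groups = sorted((g for g in USERGROUP if g[0] == user), key=lambda g: g[2])
    if not groups:
        return "accept", reply  # assumption: no group coupling means accept
    matched = False
    for _user, group, _prio in groups:
        # Step 3b: a non-matching group is skipped, not treated as a reject.
        if not items_match(RADGROUPCHECK, group, request):
            continue
        # Step 3a: a matching group contributes its reply items.
        matched = True
        reply += reply_items(RADGROUPREPLY, group)
    # Step 4: reject only when no group matched at all.
    return ("accept", reply) if matched else ("reject", [])
```

With these rows, a request from 10.2.1.1 is accepted with the Access reply, one from 10.1.1.1 with the Core reply, and a request from any other NAS is rejected even with the right password.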
Re: Realmbased Relaying
On Thu, 18 Nov 2004 16:12:51 +0200 (EET) Kostas Kalevras [EMAIL PROTECTED] wrote:

> On Wed, 17 Nov 2004, jesk wrote:
>
> > Hello again,
> > I have a question about relaying accounting data. We have a customer who wants to have all related accounting data of his realm. Is there a way to relay the accounting data of his realm to his radiusserver? I thought about creating a separate detail logfile and then setting up a separate radrelay which works on the file and relays the data to him. Are there other kinds of solutions to solve this scenario? If not, how can I create a separate logfile with only his realm related data in it?
>
> radrelay is the solution. As for a detail file, either use Acct-Type like:

Just curious, what's wrong with using the proxy feature in the server? That way you can still do local processing (or nothing) while the customer gets the accounting data almost uninterrupted. And you don't have to rely on a second application, or that your server writes accounting correctly. The setup is simpler too.

--
best regards
Nils Rønhovde
Telenor Networks
Re: Memory leak in rlm_perl
On Mon, 25 Oct 2004 10:27:14 +0200 Nils Rønhovde [EMAIL PROTECTED] wrote:

> On Tue, 14 Sep 2004 13:29:23 -0400 Alan DeKok [EMAIL PROTECTED] wrote:
>
> > João Sá [EMAIL PROTECTED] wrote:
> >
> > > Until now everything is fine but now I need to use a module in perl to do credit control. I verified that when I start, the freeradius process begins with about 26 Mb in memory growing until I eat all memory available (I already had a process with 400 Mb).
> >
> > The Perl module has issues in 0.9.3. There's a patch for 1.0.0 on bugs.freeradius.org, which will go into 1.1.0.
> >
> > Alan DeKok.
>
> Forgive me for asking a maybe stupid question (or request). I have tried to apply the patch for bug 111 found on bugs.freeradius.org (after some careful editing of html-tags etc.), but patch fails after some hunks. I am not very experienced in using patch, so it may be my problem.

After a few hours more, and some lunch, I figured it out. Don't ask me how, though..

> BTW is it tested and found OK?

This still applies...

--
best regards
Nils Rønhovde
Re: command-line option -p to radiusd not working
On Wed, 11 Aug 2004 11:15:37 +0100 [EMAIL PROTECTED] wrote:

> ** Reply to note from Nils Rønhovde [EMAIL PROTECTED] Wed, 11 Aug 2004 07:31:44 +0200
>
> > Hello,
> > I am a bit puzzled that radiusd says
> >
> >     Ignoring deprecated command-line option -p
> >
> > while usage() says:
> >
> >     -p port Bind to 'port', and not to the radius/udp, or 1646/udp.
> >
> > I must admit that I haven't read the list thoroughly for the last year or so, so can I have missed a discussion whether the -p option should work or not? Is there a reason why -p should not work?
>
> It's no longer implemented.

That's obvious. I'm interested in why the feature is removed, and what my alternatives to using it may be.

> Instead, you can set the port to be used in radiusd.conf.

I want to override that (which, incidentally, radiusd.conf still states is possible), e.g. for testing purposes or the use of check-radiusd-config.

--
best regards
Nils Rønhovde
Telenor Networks
command-line option -p to radiusd not working
Hello,

I am a bit puzzled that radiusd says

    Ignoring deprecated command-line option -p

while usage() says:

    -p port Bind to 'port', and not to the radius/udp, or 1646/udp.

I must admit that I haven't read the list thoroughly for the last year or so, so can I have missed a discussion whether the -p option should work or not?

Is there a reason why -p should not work? Or why isn't usage() or the check-radiusd-config updated accordingly?

--
best regards
Nils Rønhovde
Telenor Networks