Re: read_groups in cvs

2006-08-14 Thread Duane Cox
  On the todo list for Monday, if additional debug output is needed.

 I wouldn't have asked for it if I didn't need it...


debug radiusd -X
rad_recv: Access-Request packet from host 10.0.0.11 port 1145, id=104, length=56
User-Name = [EMAIL PROTECTED]
User-Password = 
  Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 1
rlm_realm: Looking up realm illicom.net for User-Name = [EMAIL 
PROTECTED]
rlm_realm: Found realm illicom.net
rlm_realm: Adding Stripped-User-Name = dcox
rlm_realm: Proxying request from user dcox to realm illicom.net
rlm_realm: Adding Realm = illicom.net
rlm_realm: Authentication realm is LOCAL.
rlm_realm: Request already proxied.  Ignoring.
radius_xlat:  'dcox'
radius_xlat:  'dcox'
rlm_sql (sql): sql_set_user escaped user -- 'dcox'
rlm_sql (sql): Reserving sql socket id: 7
radius_xlat:  'select id, username, attribute, value, op
   from radcheck
where username = 'dcox'   order by id'
rlm_sql (sql): User found in radcheck table
radius_xlat:  'select id, username, attribute, value, op
   from radreply   where username = 'dcox'
order by id'
rlm_sql (sql): Released sql socket id: 7
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type pap
auth: type PAP
  Processing the authenticate section of radiusd.conf
modcall:  entering group PAP for request 1
rlm_pap: login attempt with password eldon
rlm_pap: Using clear text password.
rlm_pap: User authenticated succesfully
modcall: group PAP returns ok for request 1
Login OK: [EMAIL PROTECTED] (from client webclient port 0)
  Processing the post-auth section of radiusd.conf
modcall:  entering group post-auth for request 1
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'dcox'
rlm_sql (sql): sql_set_user escaped user -- 'dcox'
radius_xlat: Running registered xlat function of module config for string 
'client[%{Packet-Src-IP-Address}].shortname'
radius_xlat:  'client[10.0.0.11]'
radius_xlat:  'exec radpostauth '[EMAIL PROTECTED]',
'XXX','Access-Accept',
'10.0.0.11','','',  
   '',
'', '','webclient''
rlm_sql (sql) in sql_postauth: query is exec radpostauth '[EMAIL PROTECTED]',   
'XXX',
'Access-Accept','10.0.0.11',
'','',
'', '', 
'','webclient'
rlm_sql (sql): Reserving sql socket id: 6
rlm_sql (sql): Released sql socket id: 6
modcall: group post-auth returns ok for request 1
Sending Access-Accept of id 104 to 10.0.0.11 port 1145
Service-Type = Authenticate-Only
Session-Timeout = 86400
Finished request 1
Going to the next request



  But I am using a recent (-7 days ago) cvs checkout of 2.0.0pre0
 
  I don't have any debug output right now, but it's rather obvious to
  me that the server doesn't process the radcheckgroup /
  radreplygroup in rlm_sql unless the fall-through = yes is found in
  the radreply for the user, which contradicts the docs (3d) as
  posted below.

 That's all well and good, but I need the debug output to see *what*
 the server is doing for/to you and *why* it's doing it, especially if
 you want *me* to fix it...


  Meanwhile, I have set the fall-through = yes during the radreply
  for now to get it to process the groups...

 Make sure your debug output is *without* having Fall-Through set in
 radreply.

done as requested.



 --Mike

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
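
Added example (not part of the original thread and not FreeRADIUS code): a small Python check that reads radiusd -X output like the trace above and lists which SQL tables the authorize section queried for each request, which is how to confirm from a debug log whether group processing ran. The sample text is constructed, request 2 is invented to show a group lookup, and the group table names are assumptions to adjust to your own SQL config.

```python
import re

# Constructed sample in the shape of the radiusd -X output posted in this thread.
# Request 2 is invented to show what a group lookup would look like.
SAMPLE = """\
modcall:  entering group authorize for request 1
rlm_realm: Proxying request from user dcox to realm illicom.net
radius_xlat:  'select id, username, attribute, value, op
   from radcheck
where username = 'dcox'   order by id'
rlm_sql (sql): User found in radcheck table
radius_xlat:  'select id, username, attribute, value, op
   from radreply   where username = 'dcox'
order by id'
modcall: group authorize returns updated for request 1
modcall:  entering group authorize for request 2
radius_xlat:  'select id, username, attribute, value, op
   from radcheck
where username = 'dcox'   order by id'
radius_xlat:  'select groupname from usergroup where username = 'dcox''
modcall: group authorize returns ok for request 2
"""

# Assumption: group table names; change to match the queries in your SQL config.
GROUP_TABLES = {"usergroup", "radgroupcheck", "radgroupreply"}

ENTER = re.compile(r"modcall:\s+entering group (\S+) for request (\d+)")
LEAVE = re.compile(r"modcall:\s+group \S+ returns \S+ for request \d+")
TABLE = re.compile(r"\bfrom\s+([A-Za-z_]\w*)", re.I)

def tables_by_section(debug_text):
    """Map (request id, section) -> tables named in the expanded SQL, in order."""
    seen, current = {}, None
    for line in debug_text.splitlines():
        m = ENTER.search(line)
        if m:
            current = (int(m.group(2)), m.group(1))
            seen.setdefault(current, [])
        elif LEAVE.search(line):
            current = None
        elif current and not line.lstrip().startswith("rlm_"):
            # rlm_* status lines are skipped: "request from user dcox" is not SQL.
            for table in TABLE.findall(line):
                if table.lower() not in seen[current]:
                    seen[current].append(table.lower())
    return seen

def group_lookup_ran(debug_text, request):
    """True if the authorize section of this request queried a group table."""
    tables = tables_by_section(debug_text).get((request, "authorize"), [])
    return any(t in GROUP_TABLES for t in tables)
```

Calling group_lookup_ran(text, n) on a saved debug log shows at a glance whether request n only touched radcheck and radreply or also reached the group tables.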


Re: read_groups in cvs

2006-08-09 Thread Michael Griego
What version of the server are you using and do you have any debug  
output?


--Mike


On Aug 7, 2006, at 8:28 AM, Duane Cox wrote:


reposting


I've got
mssql.conf
read_groups = yes

but the rlm_sql module does not process the groups.

The user is found in radcheck and the check items (password) do match...

and  I do NOT have Fall-Through = yes  in the radreply ...

as per docs...  (3d)

3. Group processing then begins if any of the following conditions  
are met:

 a. The user IS NOT found in radcheck
 b. The user IS found in radcheck, but the check items don't match
 c. The user IS found in radcheck, the check items DO match AND
Fall-Through is set in the radreply table
 d. The user IS found in radcheck, the check items DO match AND
the read_groups directive is set to 'yes'

Am I doing something wrong here?

If I have Fall-Through = yes then everything works as per docs (3c)

But 3d does not say that Fall-Through has to be yes







Autoreply: Re: read_groups in cvs

2006-08-09 Thread gparlato

I am currently out of the office. For urgent requests, call 800 919299 or
send an email to [EMAIL PROTECTED] or to [EMAIL PROTECTED]

Best regards
Giuseppe Parlato
Area Network
mailto:[EMAIL PROTECTED]





Re: read_groups in cvs

2006-08-08 Thread Duane Cox
You are right, but is that right??  I don't see that anywhere in the docs, that 
behaviour doesn't make sense...

Duane Cox


- Original Message - 
From: Dennis Skinner [EMAIL PROTECTED]
To: Duane Cox [EMAIL PROTECTED]; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Sent: Monday, August 07, 2006 2:17 PM
Subject: Re: read_groups in cvs


Duane Cox wrote:
 reposting
 
 
 I've got 
 mssql.conf
 read_groups = yes
 
 but the rlm_sql module does not process the groups.
 

My own testing found that the usergroup table would not be used unless
the SQL-Group attribute is found.  I set it in the huntgroups file
myself, but you should be able to do it in the radcheck table.

As a test, set SQL-Group in the users table and run the server in
debugging mode.  You will see where it is trying to do the lookup.

I found this in the server docs, so it is there.  I just don't recall
where I read it.  I did find the part that you quoted misleading though...

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com



Re: read_groups in cvs

2006-08-08 Thread Dennis Skinner
Please don't top post.  It makes it hard to respond and have it make
sense.

Duane Cox wrote:
 Dennis Skinner wrote:
 My own testing found that the usergroup table would not be used unless
 the SQL-Group attribute is found.  I set it in the huntgroups file
 myself, but you should be able to do it in the radcheck table.
 
 As a test, set SQL-Group in the users table and run the server in
 debugging mode.  You will see where it is trying to do the lookup.
 
 I found this in the server docs, so it is there.  I just don't recall
 where I read it.  I did find the part that you quoted misleading though...

 You are right, but is that right??  I don't see that anywhere in the
 docs, that behaviour doesn't make sense...


Just pretend you didn't read the docs about groups that you quoted and
it makes sense :)

I don't recall where I read the part that led me to that solution.  It
may have been in the wiki, but I can't get to it now to check.  Wiki
down again??  My requests time out.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: read_groups in cvs

2006-08-07 Thread Alan DeKok
Duane Cox [EMAIL PROTECTED] wrote:
 I've got 
 mssql.conf
 read_groups = yes
 
 but the rlm_sql module does not process the groups.

  Honestly, I don't use that, and haven't even looked at it.  I'd
suggest looking at the source to see what's going on.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: read_groups in cvs

2006-08-07 Thread Dennis Skinner
Duane Cox wrote:
 reposting
 
 
 I've got 
 mssql.conf
 read_groups = yes
 
 but the rlm_sql module does not process the groups.
 

My own testing found that the usergroup table would not be used unless
the SQL-Group attribute is found.  I set it in the huntgroups file
myself, but you should be able to do it in the radcheck table.

As a test, set SQL-Group in the users table and run the server in
debugging mode.  You will see where it is trying to do the lookup.

I found this in the server docs, so it is there.  I just don't recall
where I read it.  I did find the part that you quoted misleading though...

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


read_groups in cvs

2006-08-04 Thread Duane Cox
I've got 
mssql.conf
read_groups = yes

but the rlm_sql module does not process the groups.

The user is found in radcheck and the check items (password) do match...
and  I do NOT have Fall-Through = yes  in the radreply ...

as per docs...  (3d)

3. Group processing then begins if any of the following conditions are met:
 a. The user IS NOT found in radcheck
 b. The user IS found in radcheck, but the check items don't match
 c. The user IS found in radcheck, the check items DO match AND 
Fall-Through is set in the radreply table
 d. The user IS found in radcheck, the check items DO match AND
the read_groups directive is set to 'yes'

Am I doing something wrong here?

If I have Fall-Through = yes then everything works as per docs (3c)

But 3d does not say that Fall-Through has to be yes

Alan?