Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10
Hello,
Never played around with groups using rlm_sql and the default schema..
I am reading what i assume is saying that it should be possible to have several
groups to a account and each group should be able to supply that specific
groups radgroupreply attributes..
Number 4 below sure sounds like it should get all the accounts groups first and
then process them according to priority? Below test shows it only reads the
first group? And no matter what priority..
Is that how it should work or what am i missing here?
1.Search the radcheck table for any check attributes specific to the user
2.If check attributes are found, and there's a match, pull the reply items from
the radreply table for this user and add them to the reply
3.Group processing then begins if any of the following conditions are met:
◦The user IS NOT found in radcheck
◦The user IS found in radcheck, but the check items don't match
◦The user IS found in radcheck, the check items DO match AND Fall-Through is
set in the radreply table
◦The user IS found in radcheck, the check items DO match AND the read_groups
directive is set to 'yes'
4.If groups are to be processed for this user, the first thing that is done is
the list of groups this user is a member of is pulled from the usergroup table
ordered by the priority field. The priority field of the usergroup table allows
us to control the order in which groups are processed, so that we can emulate
the ordering in the users file. This can be important in many cases.
5.For each group this user is a member of, the corresponding check items are
pulled from radgroupcheck table and compared with the request. If there is a
match, the reply items for this group are pulled from the radgroupreply table
and applied.
6.Processing continues to the next group IF:
◦There was not a match for the last group's check items OR
◦Fall-Through was set in the last group's reply items (The above is exactly the
same as in the users file)
7.Finally, if the user has a User-Profile attribute set or the Default Profile
option is set in the sql.conf, then steps 4-6 are repeated for the groups that
the profile is a member of.
To test it i added som data to
mysql select * from radcheck;
++--+---++---+
| id | username | attribute | op | value |
++--+---++---+
| 8 | alex | Password | := | test |
++--+---++---+
mysql select * from radusergroup;
+--+--+--+
| username | groupname| priority |
+--+--+--+
| alex | mega-admin-group |0 |
| alex | cisco_admin |1 |
+--+--+--+
mysql select * from radgroupreply;
++--+++--+
| id | groupname| attribute | op | value
|
++--+++--+
| 1 | mega-admin-group | Reply-Message | = | test-mega-admin-reply-attribute
|
| 2 | mega-admin-group | NAS-Identifier | = | test-NAS
|
| 3 | cisco_admin | Service-Type | = | NAS-Prompt-User
|
| 4 | cisco_admin | cisco-avpair | = | shell:priv-lvl=15
|
++--+++--+
5 rows in set (0.00 sec)
root@noc1:/etc/freeradius# radtest -x alex test localhost 1812 testing123
Sending Access-Request of id 69 to 127.0.0.1 port 1812
User-Name = alex
User-Password = test
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=63
Reply-Message = test-mega-admin-reply-attribute
NAS-Identifier = test-NAS -- Only replies from
group mega-admin-group
And freeradius debug is showing it only checked replies from the first group..
rad_recv: Access-Request packet from host 127.0.0.1 port 49061, id=3, length=56
User-Name = alex
User-Password = test
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
rlm_perl: rlm_perl::Itux DEBUG::Inside authorize Function.
rlm_perl: Added pair User-Name = alex
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair NAS-Port = 1812
rlm_perl: Added pair NAS-IP-Address = 10.173.2.10
++[perl] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = alex, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[sql] expand: %{User-Name} - alex
[sql] sql_set_user escaped user -- 'alex'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
SV: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10
Sorry forget about priority i thought higher was first..Which it wasn’t.. Still
is it possible to get replies from multiple groups an account belongs to?
Cheers
Alex
Från:
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
För Alexander Silveröhrt
Skickat: den 12 april 2013 09:33
Till: freeradius-users@lists.freeradius.org
Ämne: Group questions..several group memberships to one account. FreeRADIUS
Version 2.1.10
Hello,
Never played around with groups using rlm_sql and the default schema..
I am reading what i assume is saying that it should be possible to have several
groups to a account and each group should be able to supply that specific
groups radgroupreply attributes..
Number 4 below sure sounds like it should get all the accounts groups first and
then process them according to priority? Below test shows it only reads the
first group? And no matter what priority..
Is that how it should work or what am i missing here?
1.Search the radcheck table for any check attributes specific to the user
2.If check attributes are found, and there's a match, pull the reply items from
the radreply table for this user and add them to the reply
3.Group processing then begins if any of the following conditions are met:
◦The user IS NOT found in radcheck
◦The user IS found in radcheck, but the check items don't match
◦The user IS found in radcheck, the check items DO match AND Fall-Through is
set in the radreply table
◦The user IS found in radcheck, the check items DO match AND the read_groups
directive is set to 'yes'
4.If groups are to be processed for this user, the first thing that is done is
the list of groups this user is a member of is pulled from the usergroup table
ordered by the priority field. The priority field of the usergroup table allows
us to control the order in which groups are processed, so that we can emulate
the ordering in the users file. This can be important in many cases.
5.For each group this user is a member of, the corresponding check items are
pulled from radgroupcheck table and compared with the request. If there is a
match, the reply items for this group are pulled from the radgroupreply table
and applied.
6.Processing continues to the next group IF:
◦There was not a match for the last group's check items OR
◦Fall-Through was set in the last group's reply items (The above is exactly the
same as in the users file)
7.Finally, if the user has a User-Profile attribute set or the Default Profile
option is set in the sql.conf, then steps 4-6 are repeated for the groups that
the profile is a member of.
To test it i added som data to
mysql select * from radcheck;
++--+---++---+
| id | username | attribute | op | value |
++--+---++---+
| 8 | alex | Password | := | test |
++--+---++---+
mysql select * from radusergroup;
+--+--+--+
| username | groupname| priority |
+--+--+--+
| alex | mega-admin-group |0 |
| alex | cisco_admin |1 |
+--+--+--+
mysql select * from radgroupreply;
++--+++--+
| id | groupname| attribute | op | value
|
++--+++--+
| 1 | mega-admin-group | Reply-Message | = | test-mega-admin-reply-attribute
|
| 2 | mega-admin-group | NAS-Identifier | = | test-NAS
|
| 3 | cisco_admin | Service-Type | = | NAS-Prompt-User
|
| 4 | cisco_admin | cisco-avpair | = | shell:priv-lvl=15
|
++--+++--+
5 rows in set (0.00 sec)
root@noc1:/etc/freeradius# radtest -x alex test localhost 1812 testing123
Sending Access-Request of id 69 to 127.0.0.1 port 1812
User-Name = alex
User-Password = test
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=63
Reply-Message = test-mega-admin-reply-attribute
NAS-Identifier = test-NAS -- Only replies from
group mega-admin-group
And freeradius debug is showing it only checked replies from the first group..
rad_recv: Access-Request packet from host 127.0.0.1 port 49061, id=3, length=56
User-Name = alex
User-Password = test
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
rlm_perl: rlm_perl::Itux DEBUG::Inside authorize Function.
rlm_perl: Added pair User-Name = alex
SV: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10
And sorry again… I forgot old Fall-Through= yes which of course made it work.. I thank myself for my excellent answers☺ Cheers Alex Från: freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org [mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org] För Alexander Silveröhrt Skickat: den 12 april 2013 09:41 Till: FreeRadius users mailing list Ämne: SV: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10 Sorry forget about priority i thought higher was first..Which it wasn’t.. Still is it possible to get replies from multiple groups an account belongs to? Cheers Alex Från: freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org [mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org] För Alexander Silveröhrt Skickat: den 12 april 2013 09:33 Till: freeradius-users@lists.freeradius.org Ämne: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10 Hello, Never played around with groups using rlm_sql and the default schema.. I am reading what i assume is saying that it should be possible to have several groups to a account and each group should be able to supply that specific groups radgroupreply attributes.. Number 4 below sure sounds like it should get all the accounts groups first and then process them according to priority? Below test shows it only reads the first group? And no matter what priority.. Is that how it should work or what am i missing here? 1.Search the radcheck table for any check attributes specific to the user 2.If check attributes are found, and there's a match, pull the reply items from the radreply table for this user and add them to the reply 3.Group processing then begins if any of the following conditions are met: ◦The user IS NOT found in radcheck ◦The user IS found in radcheck, but the check items don't match ◦The user IS found in radcheck, the check items DO match AND Fall-Through is set in the radreply table ◦The user IS found in radcheck, the check items DO match AND the read_groups directive is set to 'yes' 4.If groups are to be processed for this user, the first thing that is done is the list of groups this user is a member of is pulled from the usergroup table ordered by the priority field. The priority field of the usergroup table allows us to control the order in which groups are processed, so that we can emulate the ordering in the users file. This can be important in many cases. 5.For each group this user is a member of, the corresponding check items are pulled from radgroupcheck table and compared with the request. If there is a match, the reply items for this group are pulled from the radgroupreply table and applied. 6.Processing continues to the next group IF: ◦There was not a match for the last group's check items OR ◦Fall-Through was set in the last group's reply items (The above is exactly the same as in the users file) 7.Finally, if the user has a User-Profile attribute set or the Default Profile option is set in the sql.conf, then steps 4-6 are repeated for the groups that the profile is a member of. To test it i added som data to mysql select * from radcheck; ++--+---++---+ | id | username | attribute | op | value | ++--+---++---+ | 8 | alex | Password | := | test | ++--+---++---+ mysql select * from radusergroup; +--+--+--+ | username | groupname| priority | +--+--+--+ | alex | mega-admin-group |0 | | alex | cisco_admin |1 | +--+--+--+ mysql select * from radgroupreply; ++--+++--+ | id | groupname| attribute | op | value | ++--+++--+ | 1 | mega-admin-group | Reply-Message | = | test-mega-admin-reply-attribute | | 2 | mega-admin-group | NAS-Identifier | = | test-NAS | | 3 | cisco_admin | Service-Type | = | NAS-Prompt-User | | 4 | cisco_admin | cisco-avpair | = | shell:priv-lvl=15 | ++--+++--+ 5 rows in set (0.00 sec) root@noc1:/etc/freeradius# radtest -x alex test localhost 1812 testing123 Sending Access-Request of id 69 to 127.0.0.1 port 1812 User-Name = alex User-Password = test NAS-IP-Address = 10.173.2.10 NAS-Port = 1812 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=63 Reply-Message = test-mega-admin-reply-attribute NAS-Identifier = test-NAS -- Only replies from group mega-admin-group
