This is a discussion on Re: doc/rlm_sql is wrong? within the FreeRADIUS Users forums, part of the Networking and Network Related category.
Peter Nixon wrote:
>> The code in rlm_sql.c definitely does not do that, at least in 1.1.3 as
>> far as I can understand the code? Instead it appears to smoosh the user
>> and all the group check items together, compares them, and if they *all*
>> match adds *all* the reply items.
>>
>> This seems to make groups pretty useless except for using the SQL-Group
>> construct in the users file.
>>
>> Comments?
>
> I believe you are correct. It's been a while since I looked at the SQL Groups
> functionality, but last time I did I quickly decided to do the processing I
> required from my own table structure with an SQL function. That way you get
> _exactly_ what you want at the cost of having to think about a schema that
> fits your need. Works pretty well for us :-)
>
> Someone really needs to take a knife to the SQL Groups code.. But, there you
> have it. Feel free to help out any time you want :-)

Actually, having just done a "cvs up" the CVS code appears to do things "the right way", and is generally a lot cleaner; none of the query_table config options for example, and a much cleaner iteration logic for groups. From what I can tell a straight swap of the src/modules/rlm_sql directory would have a reasonable chance of working - I might try that.
The specific driver for this was wanting a NIS netgroup-style group membership table, i.e.:

    create table groups (
        id serial,
        precedence integer not null default 0,
        username text,
        callingstationid text,
        groupname text not null,
        primary key (id)
    );

    insert into groups (precedence, username, callingstationid, groupname)
    values
        -- ban joe on all hosts
        (10, 'joe', null, 'BANNED'),
        -- ban this MAC for all users
        (10, null, '00:11:22:33:44:55', 'BANNED'),
        -- permit this guest from their laptop only
        (5, 'guest', 'aa:bb:cc:dd:ee:ff', 'OK'),
        (4, 'guest', null, 'BANNED');

then set the "group membership" query to:

    -- group by + min() keeps the precedence order deterministic;
    -- "distinct" over an ordered subquery does not guarantee it
    select groupname
      from groups
     where username = '%{SQL-User-Name}'
        or callingstationid = '%{Calling-Station-Id}'
     group by groupname
     order by min(precedence), groupname

which would allow you to e.g. put MAC addresses into BANNED groups, users into BANNED groups, but maybe permit a user to login from certain specific machines, by manipulating the precedence correctly.

If someone isn't already working on it I'll have a crack at backporting the CVS SQL code.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html