I have managed to get MySQL to work for FreeRADIUS (thanks to
the web page at http://www.frontios.com/freeradius.html) but have
by now wasted hours while trying to get an answer to the question:

In which order are requests accepted or denied when using MySQL
*and* the 'users' file?

I thought the order of recognizing a valid user entry would depend
on the order in which the words "files" (for the 'users' file)
and "sql" (for requests to the MySQL database) are mentioned
in the 'authorize' section of the main configuration file "radiusd.conf".
Wrong? When running the radiusd using debug flags ("radiusd -Axxy")
I can see that my request (using "radtest") is serviced in the order
which *is* actually given by the above order.

However, when I create an entry for a user with equal attributes
both in the MySQL database and in the 'users' file then the results
are irritating. Let's say I set the order: files/sql. I can see
the user being matched by the 'users' file. The log file reads:

  users: Matched testuser at 48
  modcall[authorize]: module "files" returns ok

Then the SQL section also matches:

  modcall[authorize]: module "sql" returns ok

What I get in return are the Reply-Items stored in the MySQL
database. Hmmm... I'd expected to get the first positive match
which would be "files" instead of "sql" as I was not using any
Fall-Through flags here.

Now let's put it vice versa in the order sql/files. First the
SQL module says:

  modcall[authorize]: module "sql" returns ok

Then the 'users' file leads to:

  users: Matched testuser at 48

So far I would say that if two entries match then the latter is
taken. But what actually happens is that FreeRADIUS returns the
*MySQL reply items* to me!

Now what? If MySQL and the 'users' file are both used and at least
the MySQL entry matches then the MySQL Reply-Items have priority?
I am very confused and do not dare to use this configuration in our
setup of approx. 100 users. Maybe someone can enlighten me? I'm very
bad at reading source code.

BTW, I find FreeRADIUS to be much better than some commercial
servers which should cost about $5000. Keep up the good work and
*please* write better documentation to prevent the madhouses from
filling. ;)

 Christoph


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
