Alan DeKok wrote:

> If you want only one or the other, you'll have to set the
> configurable fail-over sections of the module.  See the 'doc'
> directory for more information.

I'm sorry - must have overlooked that documentation file. It took
me a couple of times of reading but finally I understood enough to
make my imagination become configuration file lines. For everybody who
wishes to do the same as I (which is authenticating a user both
by MySQL and the users file) then this is for you:

authorize {
   preprocess
   suffix
   group {
      files {
         notfound = 1
         noop = 2
         ok = return
         updated = 4
         fail = return
         reject = return
         userlock = return
         invalid = return
         handled = return
      }
      sql {
         notfound = 1
         noop = 2
         ok = return
         updated = 4
         fail = return
         reject = return
         userlock = return
         invalid = return
         handled = return
      }
   }
}

I'm not quite sure what "noop" or "fail" or "userlock" is as it was not
commented properly in the modules for MySQL and users authentication either.
But "ok" stands for Access-Accept and "reject" is for Access-Reject. So as I
want to process the sources (MySQL and users) until any of them has
decided on an accept or reject response, this one does it.

I first mixed it with "redundant". Using that directive
FreeRADIUS assumes to have really redundant data (the "same" data)
in all sources. But that's not what I wanted to do. Maybe
"append" does it but it's not documented. So I have to stick to this.

> Yes.  They over-write the ones set by the 'users' file.

So FreeRADIUS by default collects all attributes from the sources
to form a reply? Interesting.

> How do you know that the attributes are from MySQL, and not from the
> 'users' file?

During my tests I set a response item Reply-Message to "This is MySQL"
and "This is the users file" to find out which one matched.

>   We also need to apply the patch to the SQL module, which allows the
> use of operators in the SQL configuration.  I have a patch sitting
> around, but it's old, and won't apply to the current version.

What does that curious patch do?

Thank you for your reply. Awkward enough to find that in the docs.
At least it works now and I understand much more than I ever wanted. ;)

 Christoph


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
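
An added sketch, not part of the original message and not FreeRADIUS code: it models how a group using the action table posted above is evaluated, assuming the rules of the configurable fail-over document (a "return" action ends the group with that code; a numeric action is a priority, and the highest-priority code seen becomes the group result). The back ends, user names and the run_group/authorize helpers are constructed for illustration.

```python
RETURN = "return"

# Action table as posted for both files{} and sql{} in the message above.
ACTIONS = {"notfound": 1, "noop": 2, "ok": RETURN, "updated": 4,
           "fail": RETURN, "reject": RETURN, "userlock": RETURN,
           "invalid": RETURN, "handled": RETURN}


def run_group(modules):
    """Evaluate (name, result_code, actions) entries in order.

    Returns (group_result, names_of_modules_consulted)."""
    result, priority, consulted = None, 0, []
    for name, code, actions in modules:
        consulted.append(name)
        action = actions[code]
        if action == RETURN:        # stop here; later modules are never asked
            return code, consulted
        if action >= priority:      # assumption: a tie goes to the later module
            result, priority = code, action
    return result, consulted


def authorize(user, users_file, sql_rows, sql_up=True):
    """Constructed stand-ins for the two back ends: a hit yields "ok",
    a miss "notfound", and an unreachable database "fail"."""
    files_code = "ok" if user in users_file else "notfound"
    if not sql_up:
        sql_code = "fail"
    else:
        sql_code = "ok" if user in sql_rows else "notfound"
    return run_group([("files", files_code, ACTIONS),
                      ("sql", sql_code, ACTIONS)])


if __name__ == "__main__":
    users_file = {"alice"}          # constructed sample data
    sql_rows = {"alice", "bob"}     # constructed sample data
    for user, up in [("alice", True), ("bob", True),
                     ("carol", True), ("bob", False)]:
        code, seen = authorize(user, users_file, sql_rows, sql_up=up)
        print(f"{user:6} sql_up={up!s:5} -> {code:9} consulted={seen}")
    # Priorities: "noop" (2) from files outranks "notfound" (1) from sql.
    print(run_group([("files", "noop", ACTIONS),
                     ("sql", "notfound", ACTIONS)]))
```

With this table the first source that answers "ok" or "reject" decides the request, so an entry in the users file shadows a MySQL row for the same user, and a database failure for a user absent from the users file ends the group with "fail" instead of "notfound".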
