----- Original Message -----
From: "Christoph Haas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 17, 2001 9:48 AM
Subject: SQL authentication with Auth-Type


> Hi all...
>
> has anyone yet managed to set an Auth-Type as a check item
> in a MySQL database? For me no Auth-Type is working. I read
> in some older posting that the 'users' file supports
> an Auth-Type of 'sql'. But whenever I set an Auth-Type in
> the 'radcheck' table used for authentication (e.g. 'Local'
> or 'System') I receive an Access-Reject for no reason.
>
> I can even set Auth-Type to Local and it won't work. Just
> removing the Auth-Type record it works (with the Password
> entry alone). Is the 'users' file my destiny? Is the SQL
> authentication just not powerful enough to even support
> UNIX authentication?
>
> I'm sure there is a very simple solution. ;)

From reading on the list I believe this to be a problem that will be solved
when the SQL tables begin to support operators.  Currently the tables only
use the '==' operator and in that case you can only match attributes that
are sent.

The easiest way for me to finally grasp what is actually going on in the
background is to break it into the separate processes 'Authorize' and
'Authenticate'. If you are used to dealing with the 'users' file then this
can be a bit of a challenge.

The Authorize section does the comparison between the original
Access-Request packet and the Attributes that would be in the check
statements in the users file, or radcheck, radgroupcheck table in SQL,  AND
builds the reply packet from the reply statements in the users file, or
radreply, radgroupreply tables in SQL.

The Authenticate section only does Authentication comparisons.  So in your
users file you can have a:

DEFAULT Auth-Type := Local

To get local authentication while still building the reply packets from the
database.  This is similar to what I am doing except I skip the
Authentication part totally and use a freaky configurable failover to
authenticate duplicate users out of an SQL database.

Anyone want to offer corrections on my interpretation of the
Authorize/Authentication process?

Joe

>
>   Christoph
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
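
A simplified model of the Authorize/Authenticate split as the reply above describes it, added here as an illustration; it is not FreeRADIUS code and not from either poster. Treating Password as a stored credential rather than a compared item, and defaulting to Local when no Auth-Type is set, are assumptions chosen to match the behaviour reported in the thread; all names and sample values are constructed.

```python
# Toy model of the two phases; not FreeRADIUS code, all data is constructed.

def authorize(request, check_items, reply_items):
    """Return (matched, config, reply) for one user entry.

    '==' compares a check item with an attribute sent in the request.
    ':=' sets a server-side value and always matches.
    """
    config = {}
    for attr, op, value in check_items:
        if op == ":=":
            config[attr] = value
        elif op == "==":
            if attr == "Password":
                # Assumption: the stored password is carried to the
                # authenticate step instead of being compared here.
                config[attr] = value
            elif request.get(attr) != value:
                return False, {}, {}
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return True, config, dict(reply_items)


def authenticate(request, config):
    """Only the credential comparison happens in this phase."""
    auth_type = config.get("Auth-Type", "Local")  # assumed default
    if auth_type != "Local":
        raise NotImplementedError(auth_type)
    return request.get("Password") == config.get("Password")


def handle(request, check_items, reply_items):
    matched, config, reply = authorize(request, check_items, reply_items)
    if matched and authenticate(request, config):
        return "Access-Accept", reply
    return "Access-Reject", {}


# Constructed Access-Request: the client never sends an Auth-Type attribute.
REQUEST = {"User-Name": "christoph", "Password": "secret"}
REPLY = [("Framed-Protocol", "PPP")]

PASSWORD_ONLY = [("Password", "==", "secret")]
AUTH_TYPE_EQ = PASSWORD_ONLY + [("Auth-Type", "==", "Local")]   # '=='-only SQL row
AUTH_TYPE_SET = PASSWORD_ONLY + [("Auth-Type", ":=", "Local")]  # users-file style
```

With `AUTH_TYPE_EQ` the entry never matches because the request carries no Auth-Type to compare against, so the model rejects even a correct password; `AUTH_TYPE_SET` assigns the value instead and is accepted.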


