Pasi Kärkkäinen wrote:

> I need to add Post-Proxy-Type based on realm of the proxied
> request.
>
> I can't figure out how to express this with the sql tables:
> "DEFAULT Realm == "foo.net", Post-Proxy-Type := post.proxy.foo"
>
> There's no Realm field in the sql..

I don't understand why you absolutely want to manage the settings for
the realm in a SQL database (although it is possible). The home server
does SQL requests because it authenticates the users and stores
accounting tickets, but the proxy usually doesn't do SQL at all.

Unless you have many realms and they often change and you can't afford
to add/remove a realm from your configuration without restarting
radiusd, your proxy doesn't need to do SQL requests. Moreover,
querying the SQL server for each request costs a big performance
penalty, therefore you should put the Post-Proxy-Type in the users
file unless you have good reasons.

If you really want to add the Post-Proxy-Type attribute from a
database, below is the main idea of how to do this. (I didn't test
it and perhaps you'll need some minor changes)

You change "UserName" to "Realm" in the SQL schema.

CREATE TABLE radcheck (
  id int(11) unsigned NOT NULL auto_increment,
  Realm varchar(64) NOT NULL default '',
  Attribute varchar(32)  NOT NULL default '',
  op char(2) NOT NULL DEFAULT '==',
  Value varchar(253) NOT NULL default '',
  PRIMARY KEY  (id),
  KEY Realm (Realm(32))
) ;

Then you insert the Post-Proxy-Type definition in the radcheck table:

INSERT INTO radcheck (Realm,Attribute,op,Value) VALUES ('foo.net', 
'Post-Proxy-Type', '=', 'post.proxy.foo');
INSERT INTO radcheck (Realm,Attribute,op,Value) VALUES ('bar.com', 
'Post-Proxy-Type', '=', 'post.proxy.bar');

Finally you write the adequate query in sql.conf. (and comment other
auth queries)

authorize_check_query = "SELECT id,Realm,Attribute,Value,op FROM radcheck WHERE Realm = '%{Realm}'"

> Could I use rlm_attr_filter to add Post-Proxy-Type? rlm_attr_filter is
> processed for the proxy replies and you can match realms there.. so it
> seems like a right place to do this.. I'll try this and see what happens.

You can't add a check item with this module, so there is no way you
can set Post-Proxy-Type there. However, perhaps you can try to add the
Pool-Name attribute in the attrsfile:

foo.net
        Pool-Name := "foo_ippool",
        Fall-Through = Yes

bar.com
        Pool-Name := "bar_ippool",
        Fall-Through = Yes

DEFAULT
        Put here all other attributes you need otherwise they'll
        be removed from the packet

This is an alternate approach. It may work, too. And finally you will
get not one, but two solutions to set up your FreeRADIUS proxy!

-- 
Nicolas Baradakis
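
Added example (not part of the original message and not FreeRADIUS code): a small Python/SQLite check of the realm-keyed lookup described above, showing what the query returns for a known realm, an unknown realm and a request with no realm. The SQLite column types, the user@realm parsing and the function names are assumptions made for the example; the SELECT mirrors authorize_check_query with %{Realm} passed as a bound parameter.

```python
import sqlite3

# SQLite adaptation of the realm-keyed radcheck table from the message
# (MySQL column types and the KEY clause replaced by SQLite equivalents).
SCHEMA = """
CREATE TABLE radcheck (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  Realm TEXT NOT NULL DEFAULT '',
  Attribute TEXT NOT NULL DEFAULT '',
  op TEXT NOT NULL DEFAULT '==',
  Value TEXT NOT NULL DEFAULT ''
);
CREATE INDEX radcheck_realm ON radcheck (Realm);
"""

# The two rows inserted in the message.
ROWS = [
    ("foo.net", "Post-Proxy-Type", "=", "post.proxy.foo"),
    ("bar.com", "Post-Proxy-Type", "=", "post.proxy.bar"),
]

# Same SELECT as authorize_check_query; the realm is bound, not interpolated.
CHECK_QUERY = "SELECT id,Realm,Attribute,Value,op FROM radcheck WHERE Realm = ?"


def open_db():
    """Build an in-memory database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radcheck (Realm,Attribute,op,Value) VALUES (?,?,?,?)", ROWS)
    return db


def realm_of(user_name):
    """Assumed 'user@realm' suffix format; returns '' when no realm is present."""
    _, sep, realm = user_name.rpartition("@")
    return realm if sep else ""


def post_proxy_type(db, user_name):
    """Return the Post-Proxy-Type value for the request's realm, or None."""
    rows = db.execute(CHECK_QUERY, (realm_of(user_name),))
    for _id, _realm, attr, value, _op in rows:
        if attr == "Post-Proxy-Type":
            return value
    return None  # unknown realm or no realm: no check item is returned


if __name__ == "__main__":
    db = open_db()
    for name in ("alice@foo.net", "bob@bar.com", "carol@example.org", "dave"):
        print(name, "->", post_proxy_type(db, name))
```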
