Ivan,
Even with the default SQL query it returns OK, because the user is defined properly;
it is just that the check attributes of the group do not match.

I went to the code and I saw that the rlm_sql_process_groups function causes the
whole module to return OK even though the NAS-IP-Address attribute does not
match.
Note it does not return attributes, it just returns OK.

                        /*
                         *      rows == 0.  This is like having the username on a line
                         *      in the user's file with no check vp's.  As such, we treat
                         *      it as found and add the reply attributes, so that we
                         *      match expected behavior
                         */
                        found = 1;
                        DEBUG2("rlm_sql (%s): User found in group %s",
                                inst->config->xlat_name, group_list_tmp->groupname);

        User-Name = "validuser"
        User-Password = "validpasswd"
        NAS-IP-Address = y.y.y.1


rlm_sql (sql): Reserving sql socket id: 6
        expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'validuser'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'validuser'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'validuser'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'validuser'           ORDER BY id
        expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'validuser'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = 'validuser'           ORDER BY priority
        expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'GROUP1'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'GROUP1'           ORDER BY id
rlm_sql (sql): Released sql socket id: 6
++[sql] returns ok

Should this module return FAIL if group check fails?


Ivan Kalik wrote:
> 
>>See in the debug output: a valid user with a valid password comes from the wrong
>>NAS-IP-Address, which does not belong to the check attributes of the user's
>>group
>>
>>++[sql] returns ok
> 
> That is wrong. If the group check fails, sql should return notfound. Check
> your sql entries again. Have you altered the default sql queries in some way
> (you have left them out of the debug)?
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

-- 
View this message in context: 
http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18614701.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
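An added illustration, written for this thread and not taken from the FreeRADIUS source or from either poster, of the two outcomes discussed above: a group whose radgroupcheck query returns no rows counts as found (the rows == 0 branch), while a group whose NAS-IP-Address row does not match the request is skipped and, if no other group matches, the result is notfound. The operator handling (only == and != are compared) and ignoring Fall-Through are assumptions; the attribute values are constructed.

```python
# Added emulation of the per-group decision discussed in the thread.
# Assumptions: only == and != rows are compared; := and += rows are
# set operations and are skipped; Fall-Through is ignored, so the
# first matching group decides the result.
from typing import Dict, List, Tuple

Request = Dict[str, str]
Row = Tuple[str, str, str]   # (attribute, op, value) as in radgroupcheck/radgroupreply


def check_row_matches(row: Row, request: Request) -> bool:
    """Compare one radgroupcheck row against the request attributes."""
    attribute, op, value = row
    present = attribute in request
    if op == "==":
        return present and request[attribute] == value
    if op == "!=":
        return not present or request[attribute] != value
    # := and += set values on the check list; they are not comparisons
    return True


def process_groups(request: Request, groups: List[str],
                   groupcheck: Dict[str, List[Row]],
                   groupreply: Dict[str, List[Row]]) -> Tuple[str, List[Row]]:
    """Walk the user's groups in priority order; return (rcode, reply rows)."""
    for group in groups:
        rows = groupcheck.get(group, [])
        if not rows:
            # rows == 0: treated as found, like a users-file entry with no
            # check items, so the reply rows are added and the rcode is ok
            return "ok", list(groupreply.get(group, []))
        if all(check_row_matches(r, request) for r in rows):
            return "ok", list(groupreply.get(group, []))
        # check rows exist but do not all match: move on to the next group
    return "notfound", []


# Constructed sample data: GROUP1 pins NAS-IP-Address to x.x.x.1, GROUP2 has
# no check rows at all, and the request arrives from y.y.y.1 as in the thread.
GROUPCHECK = {"GROUP1": [("NAS-IP-Address", "==", "x.x.x.1")], "GROUP2": []}
GROUPREPLY = {"GROUP1": [("Framed-Protocol", ":=", "PPP")],
              "GROUP2": [("Reply-Message", ":=", "no check rows")]}
REQUEST = {"User-Name": "validuser", "NAS-IP-Address": "y.y.y.1"}

if __name__ == "__main__":
    print(process_groups(REQUEST, ["GROUP1"], GROUPCHECK, GROUPREPLY))
    print(process_groups(REQUEST, ["GROUP1", "GROUP2"], GROUPCHECK, GROUPREPLY))
```

With only GROUP1 the mismatched NAS-IP-Address row yields notfound; adding an empty GROUP2 after it turns the result into ok with GROUP2's reply rows, which is the behaviour the quoted comment describes.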
