Ivan,

Even with the default SQL queries it returns OK, because the user is defined properly; it is just that the check attributes of the group do not match.

I went to the code and I saw that the rlm_sql_process_groups function causes the whole module to return OK even though the NAS-IP-Address attribute does not match. Note it does not return attributes, it just returns OK:

    /*
     * rows == 0.  This is like having the username on a line
     * in the user's file with no check vp's.  As such, we treat
     * it as found and add the reply attributes, so that we
     * match expected behavior
     */
    found = 1;
    DEBUG2("rlm_sql (%s): User found in group %s",
           inst->config->xlat_name, group_list_tmp->groupname);

        User-Name = "validuser"
        User-Password = "validpasswd"
        NAS-IP-Address = y.y.y.1
rlm_sql (sql): Reserving sql socket id: 6
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'validuser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'validuser' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'validuser' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'validuser' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'validuser' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'validuser' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id
rlm_sql (sql): Released sql socket id: 6
++[sql] returns ok

Should this module return FAIL if group check fails?

Ivan Kalik wrote:
>
>> See in debug output a valid user with valid password comes from wrong
>> NAS-IP-Address which does not belong to check attributes of the user's group
>>
>> ++[sql] returns ok
>
> That is wrong. If group check fails sql should return notfound. Check
> your sql entries again. Have you altered default sql queries in some way
> (you have left them out of the debug)?
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

--
View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18614701.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
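A constructed set of table rows that reproduces the setup discussed in this thread, added here as an example; it is not from the original post or from the FreeRADIUS project. Table and column names are the ones visible in the rlm_sql debug output above (the default MySQL schema). The addresses 192.0.2.1 (the NAS that GROUP1 is meant to be restricted to), 198.51.100.1 (the NAS the request actually came from), the Cleartext-Password check item and the password value are assumptions; the original post only shows the user name, the group name and placeholder addresses.

```sql
-- Constructed example rows for the default FreeRADIUS MySQL schema
-- (table and column names as they appear in the rlm_sql debug output above).
-- Assumed values: 192.0.2.1 is the NAS GROUP1 is allowed from, 198.51.100.1
-- is the NAS the request in the thread came from (shown as y.y.y.1 there).

-- The user itself: one row in radcheck, so rlm_sql reports
-- "User found in radcheck table" (Cleartext-Password is an assumed check item).
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('validuser', 'Cleartext-Password', ':=', 'validpasswd');

-- Group membership, read by the radusergroup query.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('validuser', 'GROUP1', 1);

-- The group's check item: only requests with this NAS-IP-Address should
-- match GROUP1.  With this row present the radgroupcheck query returns
-- rows != 0, so the "rows == 0" shortcut in the quoted C comment does not
-- apply to this group.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('GROUP1', 'NAS-IP-Address', '==', '192.0.2.1');

-- The default group-check query, expanded for GROUP1 exactly as in the
-- debug output; this is the row set rlm_sql compares the request against.
SELECT id, groupname, attribute, Value, op
  FROM radgroupcheck
 WHERE groupname = 'GROUP1'
 ORDER BY id;

-- Sanity check of the data: every group the user belongs to together with
-- that group's check items.  A group that shows up with NULL attribute has
-- no check items at all, which is the rows == 0 case that is always
-- treated as found.
SELECT ug.groupname, gc.attribute, gc.op, gc.value
  FROM radusergroup AS ug
  LEFT JOIN radgroupcheck AS gc ON gc.groupname = ug.groupname
 WHERE ug.username = 'validuser'
 ORDER BY ug.priority, gc.id;
```

Running the last query is a quick way to answer Ivan's question about the SQL entries: it shows whether the group that the user is in actually carries a NAS-IP-Address check item, or whether the group-check table is empty for that group and the module is taking the rows == 0 path.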