On Thu, 12 Mar 2009 14:30:07 +0200, Alan DeKok <al...@deployingradius.com> wrote:

Alexander Solodukhin wrote:
Thank you for the help. I tried to do as you said and put this in the
authorize section after preprocess:

       preprocess

        # allow  hotspot users only
        if (SQL-Group != 'Spot') {

  That won't work... the SQL-Group attribute is a "callback" attribute.
  i.e. Using it results in a call to the SQL module, which then does the
comparison itself.

  And... it ignores the operator '!='.  The operator is always '=='.
This is because the SQL-Group functionality goes way back to version
0.2, and isn't integrated with the newer "unlang" feature.

  You could send a patch to integrate it with unlang, or do:

        if (! (SQL-Group == 'Spot')) {
                reject
        }

  That should work.  It lets the SQL-Group code use '==', and then uses
the newer expression parser to do the "NOT in the group" checking.

No luck, Alan. Here is the code:

        # allow  hotspot users only
        if (!(SQL-Group == 'Spot')) {
                reject
        }

And debug output:

++? if (!(SQL-Group == 'Spot'))
sql_groupcmp
        expand: %{User-Name} -> spot2
sql_set_user escaped user --> 'spot2'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'spot2'
ORDER BY priority
sql_groupcmp finished: User is a member of group Spot
rlm_sql (sql): Released sql socket id: 4
?? Evaluating (SQL-Group == 'Spot') -> TRUE
? Converting !TRUE -> FALSE
++? if (!(SQL-Group == 'Spot')) -> FALSE

It seems to work for the 'spot2' account, but:

++? if (!(SQL-Group == 'Spot'))
sql_groupcmp
        expand: %{User-Name} -> test2
sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
sql_groupcmp finished: User is NOT a member of group Spot
++[chap] returns noop
++[mschap] returns noop

It does not work for the test2 account.



--
ISP CrIS, Softwarium
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
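
The two debug excerpts in the message above differ in one way that matters for an access rule: the spot2 run ends with a logged TRUE/FALSE outcome for the condition, while the test2 run logs the group lookup and then goes straight on to chap and mschap with no outcome and no reject. The following is an added example, not code from the thread or from FreeRADIUS: a small Python check that pairs each `if` in such debug output with its group lookup and flags conditions that never log a result. The sample lines are taken from the output quoted above; the function names `audit` and `unresolved` are this example's own.

```python
import re

# Debug lines taken from the two excerpts quoted in the message above.
SAMPLE = """\
++? if (!(SQL-Group == 'Spot'))
sql_groupcmp
        expand: %{User-Name} -> spot2
sql_groupcmp finished: User is a member of group Spot
?? Evaluating (SQL-Group == 'Spot') -> TRUE
? Converting !TRUE -> FALSE
++? if (!(SQL-Group == 'Spot')) -> FALSE
++? if (!(SQL-Group == 'Spot'))
sql_groupcmp
        expand: %{User-Name} -> test2
sql_groupcmp finished: User is NOT a member of group Spot
++[chap] returns noop
++[mschap] returns noop
"""

COND = re.compile(r"^\++\? if \((?P<expr>.*)\)(?: -> (?P<result>TRUE|FALSE))?$")
USER = re.compile(r"expand: %\{User-Name\} -> (?P<user>\S+)")
GROUP = re.compile(r"sql_groupcmp finished: User is (?P<neg>NOT )?a member of group (?P<group>\S+)")

def audit(log):
    """Pair each unlang 'if' with its group lookup and its logged outcome."""
    records, cur = [], None
    for line in log.splitlines():
        line = line.rstrip()
        m = COND.match(line)
        if m and m.group("result") is None:
            # A condition starts being evaluated.
            cur = {"expr": m.group("expr"), "user": None, "member": None, "result": None}
            records.append(cur)
        elif m and cur and m.group("expr") == cur["expr"]:
            # The same condition reports its final TRUE/FALSE.
            cur["result"] = m.group("result")
            cur = None
        elif cur:
            if (u := USER.search(line)):
                cur["user"] = u.group("user")
            elif (g := GROUP.search(line)):
                cur["member"] = g.group("neg") is None
    return records

def unresolved(records):
    """Users whose condition ran a lookup but never logged TRUE or FALSE."""
    return [r["user"] for r in records if r["result"] is None]
```

On the sample, `unresolved(audit(SAMPLE))` returns `['test2']`: the non-member is exactly the case where the rule that should reject never reports an outcome, so the request continues down the authorize section.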
