> Ok, we can see that because ###if ( SQL-Group == my_pool ) ### - so, > radius try to use new SQL query to sql DB.. But why? In this point > radius knows that user had been found in group my_pool - see ###point > 1###.
And what if user belongs to more than one group? What value should SQL-Group have then? SQL-Group and Ldap-Group are not "true" attributes but are used for comparing values instead. SQL-Group is internally used by sql module (instances) but is not placed on the attribute list, nor is a list of found groups made. It's just used for radgroupcheck/radgroupreply queries. That is because there is no requirement to use sql in authorize (that's when sql module test group membership) - you can use SQL-Group without listing sql there (if it's not listed anywhere you need to list sql in instantiate). Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html