For several years we have been happy using early v1 distributions of FreeRADIUS with a MySQL database on SuSE Linux. However, machines wear out and security issues are resolved, so we decided it was time to upgrade to v2.1.10, which is available as a package in Ubuntu 12.04.
Instead of just copying over all the config files and correcting the directory pointers, I went through the process of updating the new radiusd.conf, sites-available/default, sql.conf, and dialup.conf files. I have been able to successfully authenticate & authorize test users using radtest. However, group membership did not work correctly as it did before.

We use a system where most users are members of at least 2 groups, meaning that each will have 2 entries in the radusergroup table, one for each group it belongs to. In the previous production installation, each user would properly receive all the attributes of both groups. On the new test system, however, they only receive the attributes of their first radusergroup entry in the list based on the priority entry.

Research has shown that there was a BIG change in the group queries.

v1:

    authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"

    authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"

v2:

    authorize_group_check_query = "SELECT id, groupname, attribute, \
      Value, op \
      FROM ${groupcheck_table} \
      WHERE groupname = '%{Sql-Group}' \
      ORDER BY id"

    authorize_group_reply_query = "SELECT id, groupname, attribute, \
      value, op \
      FROM ${groupreply_table} \
      WHERE groupname = '%{Sql-Group}' \
      ORDER BY id"

Can anyone tell me why it was decided to limit the functionality in v2 by replacing the old queries?
I have tried replacing the new one with the old, and it seems to work perfectly again. I guess the more important question I am asking is whether I will have any problems just using the old queries in the new dialup.conf script?
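
Added example (not part of the original post and not FreeRADIUS code): the v1 and v2 reply queries from the post, run against constructed sample tables in SQLite with the table names filled in. The membership lookup and the rule that processing moves on to the next group only when a group's reply rows contain Fall-Through = Yes are assumptions about v2's rlm_sql that the post does not state; check-item matching is left out.

```python
import sqlite3

# Constructed sample data: "alice" is in two groups, as in the post.
SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
INSERT INTO radusergroup VALUES ('alice','staff',1), ('alice','vpn',2);
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('staff','Session-Timeout',':=','3600'),
  ('vpn','Framed-Protocol',':=','PPP'),
  ('guest','Session-Timeout',':=','600');
"""

# v1 reply query from the post: one join across every group of the user.
V1_REPLY = """SELECT r.id, r.groupname, r.attribute, r.value, r.op
FROM radgroupreply r, radusergroup u
WHERE u.username = ? AND u.groupname = r.groupname ORDER BY r.id"""

# v2 reply query from the post: one group at a time, named by %{Sql-Group}.
V2_REPLY = """SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = ? ORDER BY id"""

# Assumed membership lookup that supplies Sql-Group, lowest priority first.
MEMBERSHIP = """SELECT groupname FROM radusergroup
WHERE username = ? ORDER BY priority"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def v1_attrs(conn, user):
    return [(r[1], r[2], r[3]) for r in conn.execute(V1_REPLY, (user,))]

def v2_attrs(conn, user):
    """Walk groups in priority order; continue only on Fall-Through = Yes."""
    out = []
    for (group,) in conn.execute(MEMBERSHIP, (user,)).fetchall():
        rows = conn.execute(V2_REPLY, (group,)).fetchall()
        out += [(r[1], r[2], r[3]) for r in rows if r[2] != "Fall-Through"]
        if not any(r[2] == "Fall-Through" and r[3].lower() == "yes" for r in rows):
            break
    return out

def allow_fall_through(conn, group):
    conn.execute("INSERT INTO radgroupreply (groupname, attribute, op, value)"
                 " VALUES (?, 'Fall-Through', '=', 'Yes')", (group,))
```

Under these assumptions the v2 walk returns only the first group's attributes until that group's reply carries Fall-Through = Yes, which matches the behaviour described in the post.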