Re: Send Access-Reject when user does not match any group?

[Bogdan Enache]

Hi,

Pe 14.01.2013 15:17, a.l.m.bu...@lboro.ac.uk a scris:
Hi,
As you can see, it matches the rule in "users" first, and then the
group named "login" in MySQL. There is no other match.
because thats the order that you have them run in.... how can the users
file know anything about the groups if you are doing the groups AFTER
the users file?  change the order or put some other configuratin into
place - eg use unlang after the sql section to check for group and if one
doesnt exist them reject - man unlang


I already tried that, I put "sql" before "files" in "authorize" section 
in both "default" and "inner-tunnel":

[sql]   expand: %{User-Name} -> bogdan.enache
[sql] sql_set_user escaped user --> 'bogdan.enache'
rlm_sql (sql): Reserving sql socket id: 5
[sql]   expand: SELECT id, username, attribute, value, op FROM 
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER 
BY id -> SELECT id, username, attribute, value, op           FROM 
radcheck           WHERE username = 'bogdan.enache'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM 
radreply           WHERE username = '%{SQL-User-Name}'           ORDER 
BY id -> SELECT id, username, attribute, value, op           FROM 
radreply           WHERE username = 'bogdan.enache'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT 
groupname           FROM radusergroup           WHERE username = 
'bogdan.enache' ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, 
op           FROM radgroupcheck           WHERE groupname = 
'%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, 
attribute,           Value, op           FROM radgroupcheck           
WHERE groupname = 'login'           ORDER BY id
[sql] User found in group login
[sql]   expand: SELECT id, groupname, attribute,           value, 
op           FROM radgroupreply           WHERE groupname = 
'%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, 
attribute,           value, op           FROM radgroupreply           
WHERE groupname = 'login'           ORDER BY id
rlm_sql (sql): Released sql socket id: 5
++[sql] returns ok
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user

Still rejecting.

Thank you.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html