Re: [Patch] SQL authentication logging

2003-09-22 Thread Nicolas Baradakis
Paul Hampson wrote:

  I think it'd be better to have a separate patch to fix
  sql_finish_query() usage everywhere and not only in
  rlm_sql_postauth()
 
 Sounds good. Are you going to make it call it always? I expect
 such a function would be safe to call at any time... From memory,
 the mySQL provides such a function, but it's not implemented in
 rlm_sql_mysql at the moment. I'll also have to look into that
 sometime.

mySQL provides a mysql_free_result() that you're supposed to call
after a mysql_store_result().

So I'm thinking that:

* sql_select_query() calls mysql_store_result() and therefore
sql_finish_select_query() calls mysql_free_result()

* sql_query() doesn't allocate supplementary resources so
sql_finish_query() does nothing and it's just fine.

Moreover (now that I read the entire source code) if you really want
to call sql_finish_query() after a failed sql_query() I think the best
place to do it is the function rlm_sql_query() in sql.c and not in a
lot of different places in rlm_sql.c

Since this issue has nothing to do with rlm_sql_postauth() I think
you could safely commit the patch now.

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
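
The cleanup rule debated in this thread, as an added C example (not FreeRADIUS code and not written by either poster): a driver whose failed query still leaves a result object behind, a caller that returns on failure without finishing, and a central wrapper that finishes on failure so callers only finish after success. Every name in it (toy_sock, drv_query, wrapped_query and so on) is hypothetical, and the failing query is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { MOD_OK = 0, MOD_FAIL = -1 };

/* Stand-in for a driver socket; "result" models a server result object. */
typedef struct {
    char *result;   /* allocated by every query, even a failed one */
    int   live;     /* result objects currently allocated */
} toy_sock;

/* Driver query: as in the PostgreSQL case mentioned in the thread, a result
 * object exists after a failed query too and still has to be released. */
static int drv_query(toy_sock *s, const char *q)
{
    size_t n = strlen(q) + 1;

    s->result = malloc(n);
    if (s->result == NULL)
        return MOD_FAIL;
    memcpy(s->result, q, n);
    s->live++;
    /* Constructed failure condition: any query containing "BAD" fails. */
    return strstr(q, "BAD") ? MOD_FAIL : MOD_OK;
}

/* Driver finish: idempotent, so a second call does nothing. */
static void drv_finish(toy_sock *s)
{
    if (s->result == NULL)
        return;
    free(s->result);
    s->result = NULL;
    s->live--;
}

/* Observation (i) in the thread: return on failure without finishing. */
static int caller_without_cleanup(toy_sock *s, const char *q)
{
    if (drv_query(s, q) != MOD_OK)
        return MOD_FAIL;            /* result object is still allocated */
    drv_finish(s);
    return MOD_OK;
}

/* Central wrapper: releases the result itself when the query fails, so
 * callers only call finish after a successful query. */
static int wrapped_query(toy_sock *s, const char *q)
{
    int rc = drv_query(s, q);

    if (rc != MOD_OK)
        drv_finish(s);
    return rc;
}

static int caller_with_wrapper(toy_sock *s, const char *q)
{
    if (wrapped_query(s, q) != MOD_OK)
        return MOD_FAIL;
    drv_finish(s);
    return MOD_OK;
}

/* Number of result objects left allocated after one failed query. */
int leaked_after_failure(int use_wrapper)
{
    toy_sock s = { NULL, 0 };
    const char *q = "INSERT BAD";   /* constructed failing query */
    int leaked;

    if (use_wrapper)
        caller_with_wrapper(&s, q);
    else
        caller_without_cleanup(&s, q);
    leaked = s.live;
    drv_finish(&s);                 /* tidy up before returning */
    return leaked;
}

/* Observation (ii) in the thread: finish called twice after one query. */
int live_after_double_finish(void)
{
    toy_sock s = { NULL, 0 };

    wrapped_query(&s, "INSERT ok");
    drv_finish(&s);
    drv_finish(&s);
    return s.live;                  /* stays at 0 because finish is idempotent */
}

int main(void)
{
    printf("no cleanup on failure: %d leaked\n", leaked_after_failure(0));
    printf("wrapper cleans up:     %d leaked\n", leaked_after_failure(1));
    printf("after double finish:   %d live\n", live_after_double_finish());
    return 0;
}
```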


RE: [Patch] SQL authentication logging

2003-09-22 Thread Paul Hampson
 From: Nicolas Baradakis
 Sent: Monday, 22 September 2003 11:48 PM

 Paul Hampson wrote:
 
   I think it'd be better to have a separate patch to fix
   sql_finish_query() usage everywhere and not only in
   rlm_sql_postauth()

  Sounds good. Are you going to make it call it always? I expect
  such a function would be safe to call at any time... From memory,
  the mySQL provides such a function, but it's not implemented in
  rlm_sql_mysql at the moment. I'll also have to look into that
  sometime.

 mySQL provides a mysql_free_result() that you're supposed to call
 after a mysql_store_result().
 
 So I'm thinking that:
 
 * sql_select_query() calls mysql_store_result() and therefore
 sql_finish_select_query() calls mysql_free_result()
 
 * sql_query() doesn't allocate supplementary resources so
 sql_finish_query() does nothing and it's just fine.
 
 Moreover (now that I read the entire source code) if you really want
 to call sql_finish_query() after a failed sql_query() I think the best
 place to do it is the function rlm_sql_query() in sql.c and not in a
 lot of different places in rlm_sql.c

Bah. More reading to do before I can buy fully into or out of that one.
(It makes a tempting kind of sense... Do we want the callers of rlm_sql_query
to only have to call sql_finish_query on successful queries? I suspect so.)

 Since this issue has nothing to do with rlm_sql_postauth() I think
 you could safely commit the patch now.

Now that I go to do that, I find even the attached version has barfed.
I hope this isn't pscp doing something whacky. :-(

Oh, turns out _something's_ doing something whacky... ASCII-mode ftp
upload from Win32 to Linux fixed the patch...

Committed. At last. :-)

--
=
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.
-
Random signature generator 3.0 by Paul TBBle Hampson
=




RE: [Patch] SQL authentication logging

2003-09-21 Thread Paul Hampson
 From: Nicolas Baradakis
 Sent: Friday, 19 September 2003 6:28 PM

 Paul Hampson wrote:
 
The following patch allows for SQL logging after authentication. It
extends the rlm_sql module so now you can put one more query in your
sql.conf file.
   
   I'll commit this once either you tell me that it doesn't depend on
   Post-Auth-Type, or I commit the Post-Auth-Type patch. (Which I'm
   going to look at now.)
 
 Well, the patch will apply without a problem but it is much less
 interesting because you can query the db only if the authentication
 step is successful.

True. That's not a dependency though. To me, a patch dependency means
that it won't apply cleanly (or will work surprisingly) without the
other patch.


   With one minor change, to call
   (inst->module->sql_finish_query)(sqlsocket, inst->config);
   even for failed queries. (As is done in _some_ of the other sql_
   functions in rlm_sql.c. And PostgreSQL's docs also do it... Only
   postgres and Sybase (off hand, Oracle too maybe) actually implement
   the function anyway.)
 
 I don't understand. There is a return RLM_MODULE_FAIL just above, so
 sql_finish_query() is not called on failed query.

That's my point. My reading says it _should_ be. This certainly needs to
be cleaned up in other places too.

--
=
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.
-
Random signature generator 3.0 by Paul TBBle Hampson
=




RE: [Patch] SQL authentication logging

2003-09-21 Thread Nicolas Baradakis
Paul Hampson wrote:

With one minor change, to call
(inst->module->sql_finish_query)(sqlsocket, inst->config);
even for failed queries. (As is done in _some_ of the other
sql_ functions in rlm_sql.c. And PostgreSQL's docs also do
it... Only postgres and Sybase (off hand, Oracle too maybe)
actually implement the function anyway.)
 
  I don't understand. There is a return RLM_MODULE_FAIL just above,
  so sql_finish_query() is not called on failed query.

 That's my point. My reading says it _should_ be. This certainly
 needs to be cleaned up in other places too.

I'm sorry, I've completely misunderstood your previous post.

The fact is it's unclear when you should call sql_finish_query().
Looking more closely at rlm_sql.c I observed that:
(i) after a failed rlm_sql_query() there is no call to sql_finish_query()
except in rlm_sql_accounting()
(ii) sql_finish_query() may sometimes be called 2 times (see lines 812
and 815 for example)

I think it'd be better to have a separate patch to fix
sql_finish_query() usage everywhere and not only in
rlm_sql_postauth()

-- 
Nicolas Baradakis





RE: [Patch] SQL authentication logging

2003-09-21 Thread Paul Hampson
 From: Nicolas Baradakis
 Sent: Monday, 22 September 2003 1:30 AM

 Paul Hampson wrote:

 With one minor change, to call
 (inst->module->sql_finish_query)(sqlsocket, inst->config);
 even for failed queries. (As is done in _some_ of the other
 sql_ functions in rlm_sql.c. And PostgreSQL's docs also do
 it... Only postgres and Sybase (off hand, Oracle too maybe)
 actually implement the function anyway.)

   I don't understand. There is a return RLM_MODULE_FAIL just above,
   so sql_finish_query() is not called on failed query.

  That's my point. My reading says it _should_ be. This certainly
  needs to be cleaned up in other places too.

 I'm sorry, I've completely misunderstood your previous post.

 The fact is it's unclear when you should call sql_finish_query().
 Looking more closely at rlm_sql.c I observed that:
 (i) after a failed rlm_sql_query() there is no call to sql_finish_query()
 except in rlm_sql_accounting()
 (ii) sql_finish_query() may sometimes be called 2 times (see lines 812
 and 815 for example)

 I think it'd be better to have a separate patch to fix
 sql_finish_query() usage everywhere and not only in
 rlm_sql_postauth()

Sounds good. Are you going to make it call it always? I expect
such a function would be safe to call at any time... From memory,
the mySQL provides such a function, but it's not implemented in
rlm_sql_mysql at the moment. I'll also have to look into that
sometime.

--
=
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.
-
Random signature generator 3.0 by Paul TBBle Hampson
=




Re: [Patch] SQL authentication logging

2003-09-19 Thread Nicolas Baradakis
Paul Hampson wrote:

   The following patch allows for SQL logging after authentication. It
   extends the rlm_sql module so now you can put one more query in your
   sql.conf file.
  
  I'll commit this once either you tell me that it doesn't depend on
  Post-Auth-Type, or I commit the Post-Auth-Type patch. (Which I'm
  going to look at now.)

Well, the patch will apply without a problem but it is much less
interesting because you can query the db only if the authentication
step is successful.

For the hotline service for example (ie the bad guys who made me write
this patch ^_^) it is much more useful to gather information about
failed attempts.

  With one minor change, to call
  (inst->module->sql_finish_query)(sqlsocket, inst->config);
  even for failed queries. (As is done in _some_ of the other sql_
  functions in rlm_sql.c. And PostgreSQL's docs also do it... Only
  postgres and Sybase (off hand, Oracle too maybe) actually implement
  the function anyway.)

I don't understand. There is a return RLM_MODULE_FAIL just above, so
sql_finish_query() is not called on failed query.

 Bugger. That patch got boned as well. Can you either attach it to an
 email for me, or put it up on a website so I can wget it?

It's troubling because I don't copy / paste from my terminal but I do
a M-x insert-file in the message. Never mind, I'll send the attached
file to you.

-- 
Nicolas Baradakis



RE: [Patch] SQL authentication logging

2003-09-18 Thread Paul Hampson
 From: Nicolas Baradakis
 Sent: Wednesday, 17 September 2003 11:35 PM

 When you have multiple freeradius servers, you want to store
 authentication attempts in a database rather than a flat file.

 The following patch allows for SQL logging after authentication. It
 extends the rlm_sql module so now you can put one more query in your
 sql.conf file.

 The following patch depends on the patch Post-Auth-Type I posted
 earlier.

How?

I'll commit this once either you tell me that it doesn't depend on
Post-Auth-Type, or I commit the Post-Auth-Type patch. (Which I'm
going to look at now.)

With one minor change, to call
(inst->module->sql_finish_query)(sqlsocket, inst->config);
even for failed queries. (As is done in _some_ of the other sql_
functions in rlm_sql.c. And PostgreSQL's docs also do it... Only
postgres and Sybase (off hand, Oracle too maybe) actually implement
the function anyway.)

--
=
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul TBBle Hampson
=




RE: [Patch] SQL authentication logging

2003-09-18 Thread Paul Hampson
 From: Paul Hampson
 Sent: Friday, 19 September 2003 1:47 AM

  From: Nicolas Baradakis
  Sent: Wednesday, 17 September 2003 11:35 PM

  The following patch allows for SQL logging after authentication. It
  extends the rlm_sql module so now you can put one more query in your
  sql.conf file.

 I'll commit this once either you tell me that it doesn't depend on
 Post-Auth-Type, or I commit the Post-Auth-Type patch. (Which I'm
 going to look at now.)

 With one minor change, to call
 (inst->module->sql_finish_query)(sqlsocket, inst->config);
 even for failed queries. (As is done in _some_ of the other sql_
 functions in rlm_sql.c. And PostgreSQL's docs also do it... Only
 postgres and Sybase (off hand, Oracle too maybe) actually implement
 the function anyway.)

Bugger. That patch got boned as well. Can you either attach it to an email
for me, or put it up on a website so I can wget it?

Preferably with the above change, but if you don't, I will.

--
=
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul TBBle Hampson
=




[Patch] SQL authentication logging

2003-09-17 Thread Nicolas Baradakis
When you have multiple freeradius servers, you want to store
authentication attempts in a database rather than a flat file.

The following patch allows for SQL logging after authentication. It
extends the rlm_sql module so now you can put one more query in your
sql.conf file.

The following patch depends on the patch Post-Auth-Type I posted
earlier.

$ cvs diff -u raddb/sql.conf src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql 
src/modules/rlm_sql/conf.h src/modules/rlm_sql/rlm_sql.c
Index: raddb/sql.conf
===
RCS file: /source/radiusd/raddb/sql.conf,v
retrieving revision 1.28
diff -u -r1.28 sql.conf
--- raddb/sql.conf  30 Jul 2003 22:15:30 -  1.28
+++ raddb/sql.conf  17 Sep 2003 13:09:43 -
@@ -32,7 +32,10 @@
# and stop table in acct_table2
acct_table1 = radacct
acct_table2 = radacct
-   
+
+   # Allow for storing data after authentication
+   postauth_table = radpostauth
+
authcheck_table = radcheck
authreply_table = radreply

@@ -179,4 +182,13 @@
###
 
group_membership_query = SELECT GroupName FROM ${usergroup_table} WHERE 
UserName='%{SQL-User-Name}'
+
+   ###
+   # Authentication Logging Queries
+   ###
+   # postauth_query- Insert some info after authentication
+   ###
+
+   postauth_query = INSERT into ${postauth_table} (id, user, pass, reply, date) 
values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', NOW())
+
 }
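Review bot: the default postauth_query writes '%{User-Password}' into the pass column, so every authentication attempt, accepted ones included, leaves the cleartext password the user sent in ${postauth_table}. I'd ship the default without the pass column (or leave the query commented out so sites opt in) and say in the comment block what each logged column contains. Separately, id is inserted as '' although db_mysql.sql declares it auto_increment; it can simply be left out of the column list.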
Index: src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
===
RCS file: /source/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql,v
retrieving revision 1.11
diff -u -r1.11 db_mysql.sql
--- src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql  16 Jul 2003 17:35:41 
-  1.11
+++ src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql  17 Sep 2003 13:09:43 
-
@@ -117,6 +117,19 @@
   KEY UserName (UserName(32))
 ) ;
 
+#
+# Table structure for table 'radpostauth'
+#
+
+CREATE TABLE radpostauth (
+  id int(11) NOT NULL auto_increment,
+  user varchar(64) NOT NULL default '',
+  pass varchar(64) NOT NULL default '',
+  reply varchar(32) NOT NULL default '',
+  date timestamp(14) NOT NULL,
+  PRIMARY KEY  (id)
+) ;
+
 ##
 #
 #  The next two tables are commented out because they are not
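Review bot: radpostauth has only PRIMARY KEY (id), while the table just above it carries KEY UserName (UserName(32)); a table that gets one row per authentication attempt and is then searched by user or by time will be scanned in full. Suggest adding a key on user, and probably on date. The pass varchar(64) column exists only to hold the password from the sql.conf query, so if that is dropped from the default query this column should go with it.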
Index: src/modules/rlm_sql/conf.h
===
RCS file: /source/radiusd/src/modules/rlm_sql/conf.h,v
retrieving revision 1.16
diff -u -r1.16 conf.h
--- src/modules/rlm_sql/conf.h  7 Sep 2002 13:23:01 -   1.16
+++ src/modules/rlm_sql/conf.h  17 Sep 2003 13:09:43 -
@@ -46,6 +46,8 @@
int num_sql_socks;
int connect_failure_retry_delay;
int query_on_not_found;
+   char   *sql_postauth_table;
+   char   *postauth_query;
 
/* individual driver config */
void*localcfg;
Index: src/modules/rlm_sql/rlm_sql.c
===
RCS file: /source/radiusd/src/modules/rlm_sql/rlm_sql.c,v
retrieving revision 1.119
diff -u -r1.119 rlm_sql.c
--- src/modules/rlm_sql/rlm_sql.c   6 Aug 2003 17:05:47 -   1.119
+++ src/modules/rlm_sql/rlm_sql.c   17 Sep 2003 13:09:44 -
@@ -121,6 +121,10 @@
 offsetof(SQL_CONFIG,simul_count_query), NULL, },
{simul_verify_query, PW_TYPE_STRING_PTR,
 offsetof(SQL_CONFIG,simul_verify_query), NULL, },
+   {postauth_table, PW_TYPE_STRING_PTR,
+offsetof(SQL_CONFIG,sql_postauth_table), NULL, radpostauth},
+   {postauth_query, PW_TYPE_STRING_PTR,
+offsetof(SQL_CONFIG,postauth_query), NULL, },
 
{NULL, -1, 0, NULL, NULL}
 };
@@ -1072,6 +1076,47 @@
 
 }
 
+/*
+ * Execute postauth_query after authentication
+ */
+static int rlm_sql_postauth(void *instance, REQUEST *request) {
+   SQLSOCK *sqlsocket = NULL;
+   SQL_INST*inst = instance;
+   charquerystr[MAX_QUERY_LEN];
+
+   DEBUG(rlm_sql (%s): Processing sql_postauth, inst-config-xlat_name);
+
+   /* If postauth_query is not defined, we stop here */
+   if (inst-config-postauth_query[0] == '\0')
+   return RLM_MODULE_NOOP;
+
+   /* Expand variables in the query */
+   memset(querystr, 0, MAX_QUERY_LEN);
+   radius_xlat(querystr, sizeof(querystr), inst-config-postauth_query,
+   request, sql_escape_func);
+   query_log(request, inst, querystr);
+   
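Review bot: in rlm_sql_postauth() the return value of radius_xlat() is discarded before querystr is handed to query_log(), so an expansion that comes back empty is still logged and carried forward; check the result and return RLM_MODULE_FAIL when it is not usable. query_log() also receives the fully expanded string, which with the default postauth_query from sql.conf contains the User-Password value, so the password reaches the query log as well as the table. The postauth_query[0] == '\0' test relies on the pointer never being NULL, which is worth a comment next to the parser entry that supplies the default.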

Re[2]: Sql authentication

2003-01-13 Thread CEBKA
Hello, Andrew.

You wrote at 13.01.2003, :


AP okay. i'm puzzled as to why you're using := and not ==, but it should
AP still be a matching check item.

Changing this had no effect! But you are right: that was my error :(

AP that said, does authentication work if you attempt to use pap or
AP cleartext passwords in the mysql database? getting it working at all is
AP probably your first step, also, perhaps you could show us what other
AP check and reply attributes you're setting in the database...

I don't understand one thing: when I add a user to /etc/passwd, for
example

test:x:1000:65532::/dev/null:/dev/null

all is going in order. Radius sends an Access-Accept packet with AV pairs
from radreply and radgroupreply. So I think that the problem is in
authentication. Here are these sections from radiusd.conf:


authorize {
    preprocess

    chap

    mschap

#   counter
#   attr_filter
#   eap
    suffix
    files
#   etc_smbpasswd
    sql
#   ldap
}
authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }

    authtype MS-CHAP {
        mschap
    }

#   pam
    unix
#   authtype LDAP {
#       ldap
#   }
#   eap
}

If I commented out the 'unix' module nothing was working! But I can't add
the sql module to the authenticate section (I have the 0.8 version of radius,
so I've heard that it is not needed, though...)


AP Andrew Pilley

-- 
Best regards,
 CEBKA  mailto:[EMAIL PROTECTED]





Re[2]: Sql authentication

2003-01-12 Thread CEBKA
Hello, Andrew.

You wrote at 12.01.2003, :

AP okay

AP rlm_chap: Could not find proper Chap-Password attribute in request

AP Here, it looks like it's attempting to do chap, but that the opposite
AP end isn't SENDING chap. make sure your authenticate section looks
AP something like
AP authenticate {
AP authtype CHAP {
AP chap
AP }

AP chap
AP }
It is done by default.
AP keep in mind that i'm using pap here at my site, so i deal with
AP Crypt-Password md5 hashes. Make sure that the dialup user is DEFINITELY
AP using chap.

Yes, I've done this already too. For example, such a packet has been sent
with radclient:
User-Name = test
Chap-Password = testing

Radiusd wrote the next:
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=162, length=46
User-Name = steve
CHAP-Password = 0xa293ea0804b2a9fbffa25456449b43d219
rlm_chap: Adding Auth-Type = CHAP
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'steve' ORDER BY id
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'steve' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'steve' ORDER BY id
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'steve' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
Login incorrect: [steve/CHAP-Password] (from client local port 0)
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=162, length=46
Sending Access-Reject of id 162 to 127.0.0.1:1025

But there is a record in mysql database in radcheck table:

ID UserName  Attribute  Op  Value
1  test  Chap-Password  :=  testing

But authentication doesn't go right! I even don't see the process. But
if I'm working with unix passwd all works good, so I think that the
problem is in working with mysql database.

-- 
Best regards,
 CEBKA  mailto:[EMAIL PROTECTED]





Re: Sql authentication

2003-01-12 Thread Andrew Pilley
On Sun, Jan 12, 2003 at 03:52:16PM +0300, CEBKA wrote:
 Hello, Andrew.
 
 But there is a record in mysql database in radcheck table:
 
 ID UserName  Attribute  Op  Value
 1  test  Chap-Password  :=  testing

okay. i'm puzzled as to why you're using := and not ==, but it should
still be a matching check item.

that said, does authentication work if you attempt to use pap or
cleartext passwords in the mysql database? getting it working at all is
probably your first step, also, perhaps you could show us what other
check and reply attributes you're setting in the database...

other than that, i'm not sure what you're missing, unless it's part of
the actual configuration file radiusd, but since it sounds like it's at
least attempting rlm_sql, i'm not sure what you could be missing. have
you tried running the queries manually, and seeing what they produce?
make sure it's actually retrieving a useful set of attributes...

Andrew Pilley

 
 -- 
 Best regards,
  CEBKA  mailto:[EMAIL PROTECTED]
 
 



Re: Sql authentication

2003-01-10 Thread Andrew Pilley
On Fri, Jan 10, 2003 at 07:50:35PM +0300, CEBKA wrote:
 Hello
 
 Sorry if this question took place, but I want to know may rlm_mysql
 module make authentication. If I have a user in radcheck/radreply
 tables with correct AV values, when I use radtest with this username
 and password my server sends an Access-Reject packet. This works well
 with local files. So can I do this without local authentication, using
 only MySQL database?

run your freeradius server using the command radius -x, to get debug
output. you may also want to examine sql.conf, and set some extra
settings there, and make mysql log in fairly verbose terms.

That should show you where the problem is coming from. i had to play
with the exact name of the AV pairs for the password for a day or two to
realise i wanted Crypt-Password for an md5/crypt hash password. make
sure you set Auth-Type, and use the correct entry in the op field.

Andrew 'ashridah' Pilley





 
 -- 
 Best regards,
  CEBKA  mailto:[EMAIL PROTECTED]
 
 



SQL authentication

2002-12-10 Thread betux
dear all,

can I use the sql module for authentication?

Thanks.



Regards,



Tjenen




RE: SQL Authentication Failure

2002-11-29 Thread Vijay Reddy



Hi,

Sorry if I am disturbing a lot.

Now the following error occurred, after modifying the radiusd.conf with the
authenticate module (only PAP is enabled):

rlm_sql (sql): Pairs do not match for user [vreddy]
rlm_sql (sql): Released sql socket id: 2
 modcall[authorize]: module "sql" returns notfound
 users: Matched DEFAULT at 152
 modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
 rad_check_password: Found Auth-Type PAP
auth: type "PAP"
modcall: entering group authtype
rlm_pap: empty password supplied
 modcall[authenticate]: module "pap" returns invalid
modcall: group authtype returns invalid
auth: Failed to validate the user.

What should be the record in the radcheck table, so that the

radtest vreddy Password localhost 0 testing123

client program works?

Thanks in advance

regards
Vijay 
reddy



  -Original Message-
  From: Novel S Sidabutar [mailto:[EMAIL PROTECTED]]
  Sent: Friday, November 29, 2002 11:49 AM
  To: [EMAIL PROTECTED]
  Subject: Re: SQL Authentication Failure

  You can try configure again your rlm_sql free radius source on
  /free~/src/modules/rlm_sql/ and do configure again,

  $ ./configure
  $ make
  $ make install

    Hi,

    I installed FreeRadius and MySQL on Linux. I inserted the record in the
    radcheck using query into the server

    Insert into radcheck(UserName,Attribute,Value) values ("vreddy","vreddy","test");

    Now we started the Radius Server as radiusd -X, and when we started the
    test client with options as below

    radtest vreddy test localhost 0 testing123

    client is sending and resending the Access-Request packets, but server is
    not responding; the following error occurred at Server Side

    rad_recv: Access-Request packet from host 127.0.0.1:33380, id=72, length=58
     User-Name = "vreddy"
     User-Password = "vreddy"
     NAS-IP-Address = 255.255.255.255
     NAS-Port = 0
    modcall: entering group authorize
     modcall[authorize]: module "preprocess" returns ok
    rlm_chap: Could not find proper Chap-Password attribute in request
     modcall[authorize]: module "chap" returns noop
     modcall[authorize]: module "mschap" returns notfound
     rlm_realm: No '@' in User-Name = "vreddy", looking up realm NULL
     rlm_realm: No such realm NULL
     modcall[authorize]: module "suffix" returns noop
    radius_xlat: 'vreddy'
    rlm_sql (sql): sql_set_user escaped user -- 'vreddy'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'vreddy' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'vreddy' ORDER BY id
    rlm_sql: unknown attribute
    rlm_sql (sql): Error getting data from database
    rlm_sql (sql): SQL query error; rejecting user
    rlm_sql (sql): Released sql socket id: 4
     modcall[authorize]: module "sql" returns fail
    modcall: group authorize returns fail
    Finished request 0
    Going to the next request

    regards
    Vijay Reddy




Re: SQL Authentication Failure

2002-11-29 Thread Alan DeKok
Vijay Reddy [EMAIL PROTECTED] wrote:
I Installed  FreeRadius and MySQL on Linux ,I inserted the record in the
 radcheck using query into the server
  
 Insert into radcheck(UserName,Attribute,Value) values
 (vreddy,vreddy,test);

  That won't work.

 rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck
 WHERE Username = 'vreddy' ORDER BY id
 rlm_sql: unknown attribute 

  Upgrade to 0.8.  It has a bit better error messages, and will tell
you what you're doing wrong.

  Alan DeKok.




RE: SQL Authentication Failure

2002-11-29 Thread Valakos Yorgos
Try INSERT INTO radcheck (Id, Username, Attribute, op, Value)
VALUES ('', 'vreddy', 'Password', '==', 'test');
That did the work for me at least.
And I'm a newcomer in the gang ... :)





SQL Authentication Failure

2002-11-28 Thread Vijay Reddy



Hi,

I installed FreeRadius and MySQL on Linux. I inserted the record in the
radcheck using query into the server

Insert into radcheck(UserName,Attribute,Value) values ("vreddy","vreddy","test");

Now we started the Radius Server as radiusd -X, and when we started the test
client with options as below

radtest vreddy test localhost 0 testing123

client is sending and resending the Access-Request packets, but server is not
responding; the following error occurred at Server Side

rad_recv: Access-Request packet from host 127.0.0.1:33380, id=72, length=58
 User-Name = "vreddy"
 User-Password = "vreddy"
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 0
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
 modcall[authorize]: module "chap" returns noop
 modcall[authorize]: module "mschap" returns notfound
 rlm_realm: No '@' in User-Name = "vreddy", looking up realm NULL
 rlm_realm: No such realm NULL
 modcall[authorize]: module "suffix" returns noop
radius_xlat: 'vreddy'
rlm_sql (sql): sql_set_user escaped user -- 'vreddy'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'vreddy' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'vreddy' ORDER BY id
rlm_sql: unknown attribute
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
 modcall[authorize]: module "sql" returns fail
modcall: group authorize returns fail
Finished request 0
Going to the next request

regards
Vijay Reddy




Problems Enabling SQL Authentication

2002-11-07 Thread Richard Herrell






Hi,


I'm having some problems getting RADIUS authentication with MySQL working. I'm
using:


FreeRADIUS Version 0.7.1
mysql-server-3.23.41
dialup_admin (latest) - slightly modified
RedHat Linux 7.3


I've read through the documentation and the mailing list archives, but I haven't seen an answer to this problem. I also checked the ./configure script for FreeRADIUS to verify that I didn't miss an important option, but I saw nothing appropriate.

When my radiusd.conf includes:


authenticate {
 unix
 sql
}


Radius won't start up, giving me:


radiusd.conf: SQL modules aren't allowed in 'authenticate' sections -- they have no such method.


Don't I need SQL to be in my authenticate section? How do I get it there?


When I remove sql from the authenticate section, radiusd will start, but my test user won't authenticate:


[root@rherrellnix root]# radtest testuser2 testuser2 127.0.0.1 1 IForgot
Sending Access-Request of id 123 to 127.0.0.1:1645
 User-Name = testuser2
 User-Password = \357\242k\354k%\027qV\207a\374\337\312Am
 NAS-IP-Address = rherrellnix
 NAS-Port-Id = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=123, length=20


The related output of radiusd -X is:


Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=123, length=58
 User-Name = testuser2
 User-Password = \357\242k\354k%\027qV\207a\374\337\312Am
 NAS-IP-Address = 255.255.255.255
 NAS-Port-Id = 1
modcall: entering group authorize
 modcall[authorize]: module preprocess returns ok
 rlm_realm: Looking up realm NULL for User-Name = testuser2
 rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop
radius_xlat: 'testuser2'
sql_set_user: escaped user -- 'testuser2'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser2' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser2' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'

query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser2' ORDER BY id'
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser2' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

radius_xlat: 'SELECT Value,Attribute FROM radcheck WHERE UserName = 'testuser2' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'

query: SELECT Value,Attribute FROM radcheck WHERE UserName = 'testuser2' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC

rlm_sql: Released sql socket id: 4
 modcall[authorize]: module sql returns ok
 users: Matched DEFAULT at 152
 modcall[authorize]: module files returns ok
modcall: group authorize returns ok
 rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
 modcall[authenticate]: module unix returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 123 to 127.0.0.1:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 123 with timestamp 3dcad955
Nothing to do. Sleeping until we see a request.



The results probably aren't too surprising, because sql isn't in my authenticate section. However, I have verified that my test user is in my database:

mysql> select * from userinfo;
++---+--+--++---+---++
| id | UserName | Name | Mail | Department | WorkPhone | HomePhone | Mobile
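
A small triage helper for the radiusd -X output above, added here as an illustration and not part of the original post: it extracts the Auth-Type chosen, each module's return code and the final verdict, so the step behind the Access-Reject is easy to spot. The sample lines are copied from that debug output; the function names are this example's own.

```python
import re

# Relevant lines copied from the radiusd -X output quoted above.
SAMPLE_DEBUG = """\
 modcall[authorize]: module preprocess returns ok
 modcall[authorize]: module suffix returns noop
 modcall[authorize]: module sql returns ok
 users: Matched DEFAULT at 152
 modcall[authorize]: module files returns ok
modcall: group authorize returns ok
 rad_check_password: Found Auth-Type System
auth: type System
 modcall[authenticate]: module unix returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Sending Access-Reject of id 123 to 127.0.0.1:1025
"""

MODULE_RE = re.compile(r"modcall\[(\w+)\]: module (\S+) returns (\w+)")
AUTH_TYPE_RE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")
VERDICT_RE = re.compile(r"Sending (Access-\w+) of id \d+")

def summarize(debug_text):
    """Return the Auth-Type chosen, per-section module results and the verdict."""
    summary = {"auth_type": None, "modules": {}, "verdict": None}
    for line in debug_text.splitlines():
        line = line.strip()
        if m := MODULE_RE.search(line):
            section, module, rcode = m.groups()
            summary["modules"].setdefault(section, []).append((module, rcode))
        elif m := AUTH_TYPE_RE.search(line):
            summary["auth_type"] = m.group(1)
        elif m := VERDICT_RE.search(line):
            summary["verdict"] = m.group(1)
    return summary

def explain_reject(summary):
    """Name the authenticate module whose return code preceded the reject."""
    if summary["verdict"] != "Access-Reject":
        return None
    ok_in_authorize = [m for m, rc in summary["modules"].get("authorize", []) if rc == "ok"]
    failed = [(m, rc) for m, rc in summary["modules"].get("authenticate", []) if rc != "ok"]
    if not failed:
        return "rejected without an authenticate module result in the log"
    module, rcode = failed[0]
    return (f"Auth-Type {summary['auth_type']}: authenticate module '{module}' "
            f"returned {rcode}; authorize returned ok in: {', '.join(ok_in_authorize)}")
```

Calling explain_reject(summarize(SAMPLE_DEBUG)) reports that sql returned ok during authorize while the only authenticate module consulted was unix, which returned notfound.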

FreeRADIUS how to support Oracle SQL authentication

2001-12-19 Thread Robbie

I want FreeRADIUS to support Oracle SQL authentication.
My FreeRADIUS is running on RedHat 7.2 and Oracle SQL server is running on Solaris7
for SPARC.
How can I realize it?
Thanks.


SQL authentication with Auth-Type

2001-10-17 Thread Christoph Haas

Hi all...

has anyone yet managed to set an Auth-Type as a check item
in a MySQL database? For me no Auth-Type is working. I read
in some older posting that the 'users' file supports
an Auth-Type of 'sql'. But whenever I set an Auth-Type in
the 'radcheck' table used for authentication (e.g. 'Local'
or 'System') I receive an Access-Reject for no reason.

I can even set Auth-Type to Local and it won't work. Just
removing the Auth-Type record it works (with the Password
entry alone). Is the 'users' file my destiny? Is the SQL
authentication just not powerful enough to even support
UNIX authentication?

I'm sure there is a very simple solution. ;)

  Christoph





Re: SQL authentication with Auth-Type

2001-10-17 Thread Fredrik Reite

At 18:48 2001-10-17 +0200, you wrote:
> Hi all...
>
> has anyone yet managed to set an Auth-Type as a check item
> in a MySQL database? For me no Auth-Type is working. I read
> in some older posting that the 'users' file supports
> an Auth-Type of 'sql'. But whenever I set an Auth-Type in
> the 'radcheck' table used for authentication (e.g. 'Local'
> or 'System') I receive an Access-Reject for no reason.
>
> I can even set Auth-Type to Local and it won't work. Just
> removing the Auth-Type record it works (with the Password
> entry alone). Is the 'users' file my destiny? Is the SQL
> authentication just not powerful enough to even support
> UNIX authentication?
>
> I'm sure there is a very simple solution. ;)

I had to hack src/modules/rlm_sql/rlm_sql.c

In the end I changed to

module_t rlm_sql = {
 System,

and now it works with 'DEFAULT Auth-Type := System' in the users file.





Re: SQL authentication with Auth-Type

2001-10-17 Thread aland

Fredrik Reite [EMAIL PROTECTED] wrote:
> i had to hack src/modules/rlm_sql/rlm_sql.c
>
> in the end i changed to
>
> module_t rlm_sql = {
>  System,
>
> and now it works with 'DEFAULT Auth-Type := System' in the users file.

  Uh, NO, that is NOT a solution.  All you're doing is making 'System'
authentication into SQL authentication.  That's REALLY not what you
want.

  If you want to do SQL authentication, you should use 'Auth-Type := SQL' 
in the 'users' file.

  If you want to authenticate against /etc/passwd, THEN you use
'Auth-Type := System'.

  Alan DeKok.




Re: SQL authentication with Auth-Type

2001-10-17 Thread aland

Joe Modjeski [EMAIL PROTECTED] wrote:
> From reading on the list I believe this to be a problem that will be solved
> when the SQL tables begin to support operators.  Currently the tables only
> use the '==' operator and in that case you can only match attributes that
> are sent.

  Yes, exactly.

> Anyone want to offer corrections on my interpretation of the
> Authorize/Authentication process?

  It looks good to me.

 Alan DeKok.
