I have started to experiment with using MySQL as the datastore for users and clients instead of the default file method for my relatively small installation. Right now my work is on a test system and all is working well, with one exception: a user that is a member of two or more groups. Based on all I have read, this last thing should be very basic.
If I put the user in only groupA (in the usergroup table), the test works great. If I put user1 in only groupB, the test works great. When I put user1 in both groupA and groupB in the usergroup table, it will only work against the first record of the two; the second record always returns a failure. I am sure this is probably something really stupid, but I just cannot see it. Any help would be appreciated. I have attached table dumps, sample commands, and a debug trace. I hope it is helpful.

Thanks,
--Bill

FreeRadius version 1.0.1
MySQL version 4.1.20

  vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password \
        localhost:1645 10 naspass

will succeed, while

  vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password \
        localhost:1645 10 naspass

fails, but should succeed.

The following is a test data set to validate a variety of cases that we need to support in our environment.

  select * from radcheck into outfile '/tmp/f1';
  --------------------------------------------------------
  id  username  attribute  op  value
  --  --------  ---------  --  -----
  1   bill      Password   ==  userpass
  5   guest01   Auth-Type  :=  Local
  6   guest01   Password   ==  password

  select * from radreply into outfile '/tmp/f4';
  --------------------------------------------------------
  id  username  attribute     op  value
  --  --------  ---------     --  -----
  7   guest01   Class         :=  OU=Wireless;
  8   guest01   Fall-Through  :=  No

  select * from radgroupcheck into outfile '/tmp/f2';
  --------------------------------------------------------
  id  groupname     attribute  op  value
  --  ---------     ---------  --  -----
  6   LocalUnix     Auth-Type  ==  System
  7   LocalUnix     Realm      ==  Test
  9   LdapCiscoAdm  Password   ==  password
  10  LdapCiscoAdm  Auth-Type  ==  Local
  11  LdapCiscoAdm  Realm      ==  cisi
  12  LdapHpReho    Realm      ==  syst
  13  LdapHpReho    Auth-Type  ==  Local
  14  LdapHpReho    Password   ==  password
  15  Rejected      Auth-Type  :=  Reject

  select * from radgroupreply into outfile '/tmp/f3';
  --------------------------------------------------------
  id  groupname     attribute      op  value
  --  ---------     ---------      --  -----
  8   LocalUnix     Service-Type   =   Login                   0
  9   LdapCiscoAdm  Cisco-AVPair   =   shell:priv-lvl=15       0
  10  LdapCiscoAdm  Class          :=  OU=cis;                 0
  11  LdapCiscoAdm  Fall-Through   :=  Yes                     0
  12  LdapCiscoAdm  Service-Type   =   6                       0
  13  LdapHpReho    Class          :=  OU=Proj;                0
  14  LdapHpReho    Fall-Through   :=  Yes                     0
  15  Rejected      Fall-Through   :=  No                      0
  17  Rejected      Reply-Message  :=  Account is locked out.  0

  select * from usergroup into outfile '/tmp/f5';
  --------------------------------------------------------
  id  username  groupname
  --  --------  ---------
  9   root      LocalUnix
  10  kparr     LdapCiscoAdm
  11  kchow     LdapHpReho
  12  jpage     Rejected
  13  kparr     LdapHpReho
  14  bshaver   LdapCiscoAdm
  --------------------------------------------------------

  vm # radiusd -x
  Starting - reading configuration files ...
  Module: Loaded exec
  Module: Instantiated exec (exec)
  Module: Loaded expr
  Module: Instantiated expr (expr)
  Module: Loaded PAP
  Module: Instantiated pap (pap)
  Module: Loaded CHAP
  Module: Instantiated chap (chap)
  Module: Loaded MS-CHAP
  Module: Instantiated mschap (mschap)
  Module: Loaded System
  Module: Instantiated unix (unix)
  Module: Loaded eap
  rlm_eap: Loaded and initialized type md5
  rlm_eap: Loaded and initialized type leap
  rlm_eap: Loaded and initialized type gtc
  rlm_eap: Loaded and initialized type mschapv2
  Module: Instantiated eap (eap)
  Module: Loaded preprocess
  Module: Instantiated preprocess (preprocess)
  Module: Loaded realm
  Module: Instantiated realm (suffix)
  Module: Loaded files
  Module: Instantiated files (files)
  Module: Loaded SQL
  rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
  rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
  rlm_sql (sql): starting 0
  rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
  rlm_sql_mysql: Starting connect to MySQL server for #0
  rlm_sql (sql): Connected new DB handle, #0
  rlm_sql (sql): starting 1
  rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
  rlm_sql_mysql: Starting connect to MySQL server for #1
  rlm_sql (sql): Connected new DB handle, #1
  rlm_sql (sql): starting 2
  rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
  rlm_sql_mysql: Starting connect to MySQL server for #2
  rlm_sql (sql): Connected new DB handle, #2
  rlm_sql (sql): starting 3
  rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
  rlm_sql_mysql: Starting connect to MySQL server for #3
  rlm_sql (sql): Connected new DB handle, #3
  rlm_sql (sql): starting 4
  rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
  rlm_sql_mysql: Starting connect to MySQL server for #4
  rlm_sql (sql): Connected new DB handle, #4
  Module: Instantiated sql (sql)
  Module: Loaded Acct-Unique-Session-Id
  Module: Instantiated acct_unique (acct_unique)
  Module: Loaded detail
  Module: Instantiated detail (detail)
  Module: Loaded radutmp
  Module: Instantiated radutmp (radutmp)
  Initializing the thread pool...
  Listening on authentication *:1645
  Listening on accounting *:1646
  Listening on proxy *:1647
  Ready to process requests.
  rad_recv: Access-Request packet from host 127.0.0.1:32773, id=23, length=62
          User-Name = "[EMAIL PROTECTED]"
          User-Password = "password"
          NAS-IP-Address = 255.255.255.255
          NAS-Port = 10
  rlm_sql (sql): Reserving sql socket id: 4
  rlm_sql (sql): User kparr not found in radcheck
  rlm_sql (sql): Released sql socket id: 4
  Sending Access-Accept of id 23 to 127.0.0.1:32773
          Cisco-AVPair = "shell:priv-lvl=15"
          Class := 0x4f553d6369733b
          Service-Type = Administrative-User
  rad_recv: Access-Request packet from host 127.0.0.1:32773, id=27, length=62
          User-Name = "[EMAIL PROTECTED]"
          User-Password = "password"
          NAS-IP-Address = 255.255.255.255
          NAS-Port = 10
  rlm_sql (sql): Reserving sql socket id: 3
  rlm_sql (sql): User kparr not found in radcheck
  rlm_sql (sql): No matching entry in the database for request from user [kparr]
  rlm_sql (sql): Released sql socket id: 3
  rad_recv: Access-Request packet from host 127.0.0.1:32773, id=27, length=62
  Sending Access-Reject of id 27 to 127.0.0.1:32773
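To make the intended behaviour of this data set concrete, here is an added example (not from the original post or from FreeRADIUS itself): a simplified Python model of per-group check/reply evaluation with Fall-Through, loaded with the usergroup, radgroupcheck and radgroupreply rows above. Treating the legacy Password check item as a comparison against User-Password, and Auth-Type as a control item that is set rather than compared, are assumptions of the model.

```python
# Added example, not from the original post: a simplified model of FreeRADIUS
# SQL group processing. Each group's radgroupcheck items are tested on their
# own; a matching group adds its radgroupreply items, and processing continues
# to the next group only when that reply has Fall-Through := Yes.
USERGROUP = [(10, "kparr", "LdapCiscoAdm"), (12, "jpage", "Rejected"),
             (13, "kparr", "LdapHpReho")]           # (id, username, groupname)
GROUPCHECK = {
    "LdapCiscoAdm": [("Password", "==", "password"), ("Auth-Type", "==", "Local"),
                     ("Realm", "==", "cisi")],
    "LdapHpReho": [("Realm", "==", "syst"), ("Auth-Type", "==", "Local"),
                   ("Password", "==", "password")],
    "Rejected": [("Auth-Type", ":=", "Reject")],
}
GROUPREPLY = {
    "LdapCiscoAdm": [("Cisco-AVPair", "=", "shell:priv-lvl=15"), ("Class", ":=", "OU=cis;"),
                     ("Fall-Through", ":=", "Yes"), ("Service-Type", "=", "6")],
    "LdapHpReho": [("Class", ":=", "OU=Proj;"), ("Fall-Through", ":=", "Yes")],
    "Rejected": [("Fall-Through", ":=", "No"), ("Reply-Message", ":=", "Account is locked out.")],
}
# Assumptions of this model: the legacy "Password" check item is compared
# against User-Password, and Auth-Type is a control item (set, never compared).
ALIAS, CONTROL = {"Password": "User-Password"}, {"Auth-Type"}

def group_matches(items, request):
    # Returns the control items this group sets, or None if any '==' item fails.
    control = {}
    for attr, op, value in items:
        if attr in CONTROL or op == ":=":
            control[attr] = value
        elif op == "==" and request.get(ALIAS.get(attr, attr)) != value:
            return None
    return control

def evaluate(username, request):
    # Walk the user's groups in usergroup id order, honouring Fall-Through.
    matched, control, reply = [], {}, {}
    for _, user, group in sorted(USERGROUP):
        ctl = group_matches(GROUPCHECK[group], request) if user == username else None
        if ctl is None:
            continue                      # not this user's group, or its checks failed
        matched.append(group)
        control.update(ctl)
        fall_through = False
        for attr, _, value in GROUPREPLY[group]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = value       # a later group overrides an earlier value
        if not fall_through:
            break
    return matched, control, reply
```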