Re: [Help-gnu-radius] user attr table for SQL auth.
From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] user attr table for SQL auth.
Date: Fri, 19 Jul 2002 23:08:50 +0300
> I'm needing a better explanation of how this table works..
[...]
> ('dummy','NAS-Identifier','smtp','')
The last column of the attr table keeps the comparison operator. Its
value can be either NULL or one of '=', '!=', '>', '<', '>=', '<='.
It cannot be just '' (a zero-length string). That's why you are
getting `SQL: invalid operator:' errors.
If the value of op field is NULL, then the whole record is taken
to represent an RHS pair, i.e. a pair that is to be returned to the
NAS. Thus the following record
('dummy','NAS-Identifier','smtp',NULL)
is useless, since it doesn't make much sense to return NAS-Identifier
to the NAS itself. On the other hand the record
('dummy','Service-Type','PPP',NULL)
is quite OK (NASes often require Service-Type to be present in the
reply packets).
Now, let's consider the case where op != NULL. The record
('dummy','NAS-Identifier','smtp','=')
means that the raddb/users entry
DEFAULT Auth-Type=SQL,
Service-Type = Authenticate-Only
Service-Type = Authenticate-Only
will succeed *only* if the incoming packet contains the pair
NAS-Identifier = "smtp"
Otherwise, the user is deemed not to be found in the database and
the diagnostic message `Invalid user: [dummy]' is issued.
Notice that the comparison for all LHS attributes (whether explicit or
retrieved from an SQL database) is conjunctive (logical AND). There is
no way to specify logical OR. There may be however several ways out
of this difficulty. Specifically, in your case, you should create a
huntgroup, e.g.:
MYGROUP NAS-Identifier = smtp NULL
MYGROUP NAS-Identifier = imap NULL
and then apply it to the raddb/users entry either explicitly:
DEFAULT Auth-Type = SQL,
Huntgroup-Name = MYGROUP
Service-Type = Authenticate-Only
Service-Type = Authenticate-Only
or implicitly, by inserting into SQL record
('dummy','Huntgroup-Name','MYGROUP','=')
Regards,
Sergey
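
An added Python model of the semantics described in the message above (not part of the original post and not GNU Radius code): rows with a NULL op become reply pairs, rows with an operator become check pairs that are ANDed, and a huntgroup supplies the OR. The function names, the huntgroup table and the string-only comparison are assumptions made for illustration.

```python
import operator

# Operators the message lists as valid for the op column; None models SQL NULL.
OPS = {'=': operator.eq, '!=': operator.ne, '>': operator.gt,
       '<': operator.lt, '>=': operator.ge, '<=': operator.le}

# Constructed huntgroup: each line is an alternative, so the lines act as OR.
HUNTGROUPS = {'MYGROUP': [('NAS-Identifier', 'smtp'), ('NAS-Identifier', 'imap')]}

# Constructed attr-table rows for user 'dummy', built from records in the message.
ROWS = [('dummy', 'Huntgroup-Name', 'MYGROUP', '='),
        ('dummy', 'Service-Type', 'PPP', None)]

def split_rows(rows):
    """Split (user, attr, value, op) rows into LHS check pairs and RHS reply pairs."""
    lhs, rhs = [], []
    for _user, attr, value, op in rows:
        if op is None:          # NULL op: the pair is returned to the NAS
            rhs.append((attr, value))
        elif op in OPS:         # real operator: the pair is checked against the request
            lhs.append((attr, op, value))
        else:                   # '' (zero-length string) or anything else is rejected
            raise ValueError(f"SQL: invalid operator: {op!r}")
    return lhs, rhs

def in_huntgroup(name, request):
    """True if any line of the named huntgroup matches the request."""
    return any(request.get(a) == v for a, v in HUNTGROUPS.get(name, []))

def pair_matches(attr, op, value, request):
    if attr == 'Huntgroup-Name':
        # Membership test, not a packet attribute; only '=' and '!=' are meaningful.
        return OPS[op](in_huntgroup(value, request), True)
    if attr not in request:     # assumption: a missing attribute never matches
        return False
    return OPS[op](request[attr], value)  # simplification: values compared as strings

def authorize(rows, request):
    """Return the reply pairs if every LHS pair matches (logical AND), else None."""
    lhs, rhs = split_rows(rows)
    if all(pair_matches(a, op, v, request) for a, op, v in lhs):
        return rhs
    return None                 # the user is treated as not found
```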