- There was not a match for the last group’s check items OR
- Fall-Through was set in the last group’s reply items
-(The above is exactly the same as in the users file.)
-
-Finally, if the user has a User-Profile attribute set or the Default Profile
-configuration item is set for the sql module, then the above group
-processing steps are repeated for the groups that the profile is a member of.
-
+The above is exactly the same as in the `users` file.
=== Example with groups
* Use the users file to only set default profiles. Do not place any
users there. Keep it as small as possible. Always set default attributes
in the users file and don’t fill the user entries in ldap/sql with
-default values. In general the ldap/sql user profiles should contain
+default values. In general the ldap user profiles should contain
user attributes only in special user cases.
* Tune thread pool parameters to match your size requirements. Set
`max_requests_per_server` to zero to avoid server thread restarts.
will return `true`.
+==== Profiles
+
+The `default_user_profile` and the `User-Profile` attributes have been
+removed. No one used them, as that behavior was already supported by the group functionality.
+
==== rlm_sql_mysql
Now calls `mysql_real_escape_string` and no longer produces
-read_profiles:: Read the profiles from the database.
-
-If set to `yes`, we read profiles unless `Fall-Through = no` in the groupreply table.
-If set to `no` we do not read profiles unless `Fall-Through = yes` in the groupreply table.
-
-Default is `yes`.
-
-
-
logfile:: Write SQL queries to a logfile.
This is potentially useful for tracing issues with authorization queries.
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
# read_groups = yes
-# read_profiles = yes
# logfile = ${logdir}/sqllog.sql
# query_timeout = 5
pool {
#
# read_groups = yes
- #
- # read_profiles:: Read the profiles from the database.
- #
- # If set to `yes`, we read profiles unless `Fall-Through = no` in the groupreply table.
- # If set to `no` we do not read profiles unless `Fall-Through = yes` in the groupreply table.
- #
- # Default is `yes`.
- #
-# read_profiles = yes
-
#
# logfile:: Write SQL queries to a logfile.
#
event_timestamp = "%{${event_timestamp_epoch} * 1000}"
-#######################################################################
-# Default profile
-#######################################################################
-# This is the default profile. It is found in SQL by group membership.
-# That means that this profile must be a member of at least one group
-# which will contain the corresponding check and reply items.
-# This profile will be queried in the authorize section for every user.
-# The point is to assign all users a default profile without having to
-# manually add each one to a group that will contain the profile.
-# The SQL module will also honor the User-Profile attribute. This
-# attribute can be set anywhere in the authorize section (ie the users
-# file). It is found exactly as the default profile is found.
-# If it is set then it will *overwrite* the default profile setting.
-# The idea is to select profiles based on checks on the incoming packets,
-# not on user group membership. For example:
-# -- users file --
-# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
-# DEFAULT Service-Type == Framed-User, User-Profile := "framed"
-#
-# By default the default_user_profile is not set
-#
-#default_user_profile = "DEFAULT"
-
#######################################################################
# Authorization Queries
#######################################################################
event_timestamp = "FROM_UNIXTIME(${event_timestamp_epoch})"
-#######################################################################
-# Default profile
-#######################################################################
-# This is the default profile. It is found in SQL by group membership.
-# That means that this profile must be a member of at least one group
-# which will contain the corresponding check and reply items.
-# This profile will be queried in the authorize section for every user.
-# The point is to assign all users a default profile without having to
-# manually add each one to a group that will contain the profile.
-# The SQL module will also honor the User-Profile attribute. This
-# attribute can be set anywhere in the authorize section (ie the users
-# file). It is found exactly as the default profile is found.
-# If it is set then it will *overwrite* the default profile setting.
-# The idea is to select profiles based on checks on the incoming packets,
-# not on user group membership. For example:
-# -- users file --
-# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
-# DEFAULT Service-Type == Framed-User, User-Profile := "framed"
-#
-# By default the default_user_profile is not set
-#
-#default_user_profile = "DEFAULT"
-
#######################################################################
# Authorization Queries
#######################################################################
event_timestamp = "TO_DATE('1970-01-01','YYYY-MM-DD') + NUMTODSINTERVAL(${event_timestamp_epoch},'SECOND')"
-#######################################################################
-# Default profile
-#######################################################################
-# This is the default profile. It is found in SQL by group membership.
-# That means that this profile must be a member of at least one group
-# which will contain the corresponding check and reply items.
-# This profile will be queried in the authorize section for every user.
-# The point is to assign all users a default profile without having to
-# manually add each one to a group that will contain the profile.
-# The SQL module will also honor the User-Profile attribute. This
-# attribute can be set anywhere in the authorize section (ie the users
-# file). It is found exactly as the default profile is found.
-# If it is set then it will *overwrite* the default profile setting.
-# The idea is to select profiles based on checks on the incoming packets,
-# not on user group membership. For example:
-# -- users file --
-# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
-# DEFAULT Service-Type == Framed-User, User-Profile := "framed"
-#
-# By default the default_user_profile is not set
-#
-#default_user_profile = "DEFAULT"
-#
-# Determines if we will query the default_user_profile or the User-Profile
-# if the user is not found. If the profile is found then we consider the user
-# found. By default this is set to 'no'.
-#
-#query_on_not_found = no
-
#######################################################################
# Authorization Queries
#######################################################################
event_timestamp = "TO_TIMESTAMP(${event_timestamp_epoch})"
-#######################################################################
-# Default profile
-#######################################################################
-# This is the default profile. It is found in SQL by group membership.
-# That means that this profile must be a member of at least one group
-# which will contain the corresponding check and reply items.
-# This profile will be queried in the authorize section for every user.
-# The point is to assign all users a default profile without having to
-# manually add each one to a group that will contain the profile.
-# The SQL module will also honor the User-Profile attribute. This
-# attribute can be set anywhere in the authorize section (ie the users
-# file). It is found exactly as the default profile is found.
-# If it is set then it will *overwrite* the default profile setting.
-# The idea is to select profiles based on checks on the incoming
-# packets, not on user group membership. For example:
-# -- users file --
-# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
-# DEFAULT Service-Type == Framed-User, User-Profile := "framed"
-#
-# By default the default_user_profile is not set
-#
-# default_user_profile = "DEFAULT"
-
#######################################################################
# Open Query
#######################################################################
# these variables differentiated in preparation for switching away from
# integer storage.
-#######################################################################
-# Default profile
-#######################################################################
-# This is the default profile. It is found in SQL by group membership.
-# That means that this profile must be a member of at least one group
-# which will contain the corresponding check and reply items.
-# This profile will be queried in the authorize section for every user.
-# The point is to assign all users a default profile without having to
-# manually add each one to a group that will contain the profile.
-# The SQL module will also honor the User-Profile attribute. This
-# attribute can be set anywhere in the authorize section (ie the users
-# file). It is found exactly as the default profile is found.
-# If it is set then it will *overwrite* the default profile setting.
-# The idea is to select profiles based on checks on the incoming packets,
-# not on user group membership. For example:
-# -- users file --
-# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
-# DEFAULT Service-Type == Framed-User, User-Profile := "framed"
-#
-# By default the default_user_profile is not set
-#
-#default_user_profile = "DEFAULT"
-
#######################################################################
# Authorization Queries
#######################################################################
{ FR_CONF_OFFSET("password", FR_TYPE_STRING | FR_TYPE_SECRET, rlm_sql_config_t, sql_password), .dflt = "" },
{ FR_CONF_OFFSET("radius_db", FR_TYPE_STRING, rlm_sql_config_t, sql_db), .dflt = "radius" },
{ FR_CONF_OFFSET("read_groups", FR_TYPE_BOOL, rlm_sql_config_t, read_groups), .dflt = "yes" },
- { FR_CONF_OFFSET("read_profiles", FR_TYPE_BOOL, rlm_sql_config_t, read_profiles), .dflt = "yes" },
{ FR_CONF_OFFSET("sql_user_name", FR_TYPE_STRING | FR_TYPE_XLAT, rlm_sql_config_t, query_user), .dflt = "" },
{ FR_CONF_OFFSET("group_attribute", FR_TYPE_STRING, rlm_sql_config_t, group_attribute) },
{ FR_CONF_OFFSET("logfile", FR_TYPE_STRING | FR_TYPE_XLAT, rlm_sql_config_t, logfile) },
- { FR_CONF_OFFSET("default_user_profile", FR_TYPE_STRING, rlm_sql_config_t, default_profile), .dflt = "" },
{ FR_CONF_OFFSET("open_query", FR_TYPE_STRING, rlm_sql_config_t, connect_query) },
{ FR_CONF_OFFSET("authorize_check_query", FR_TYPE_STRING | FR_TYPE_XLAT | FR_TYPE_NOT_EMPTY, rlm_sql_config_t, authorize_check_query) },
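Review bot: Removing `read_profiles` and `default_user_profile` from the parser table changes how an existing `sql { }` section that still sets either item is handled, and nothing in the commit spells out that outcome; if the config parser rejects or warns on unknown items, the release note should state that both items must be deleted from the module configuration before upgrading. The Profiles note earlier in this commit lists `default_user_profile` and `User-Profile` but not `read_profiles`, and calls `default_user_profile` an attribute although it is a configuration item, so a wording such as `The read_profiles and default_user_profile configuration items and the User-Profile attribute have been removed.` would match what this table now accepts. The parser table starts before and ends after this hunk.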
static fr_dict_attr_t const *attr_fall_through;
static fr_dict_attr_t const *attr_sql_user_name;
-static fr_dict_attr_t const *attr_user_profile;
static fr_dict_attr_t const *attr_user_name;
static fr_dict_attr_t const *attr_expr_bool_enum;
fr_dict_attr_autoload_t rlm_sql_dict_attr[] = {
{ .out = &attr_fall_through, .name = "Fall-Through", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
{ .out = &attr_sql_user_name, .name = "SQL-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_user_profile, .name = "User-Profile", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
{ .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
{ .out = &attr_expr_bool_enum, .name = "Expr-Bool-Enum", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
{ NULL }
fr_pair_list_t check_tmp;
fr_pair_list_t reply_tmp;
- fr_pair_t *user_profile = NULL;
bool user_found = false;
fr_assert(request->reply != NULL);
if (!inst->config.authorize_check_query && !inst->config.authorize_reply_query &&
- !inst->config.read_groups && !inst->config.read_profiles) {
+ !inst->config.read_groups) {
RWDEBUG("No authorization checks configured, returning noop");
RETURN_MODULE_NOOP;
}
/*
- * Neither group checks or profiles will work without
- * a group membership query.
+ * group checks require a group membership query.
*/
if (!inst->config.groupmemb_query) goto release;
}
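Review bot: The rewritten comment above the `groupmemb_query` guard starts in lower case and reads as a fragment next to the sentence-style block comments elsewhere in the file; `* Group checks require a group membership query.` keeps the style consistent. The three-way `!authorize_check_query && !authorize_reply_query && !read_groups` noop test is consistent with the removal of the profile pass. The enclosing function starts before and ends after this hunk.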
}
- /*
- * Repeat the above process with the default profile or User-Profile
- */
- if ((do_fall_through == FALL_THROUGH_YES) ||
- (inst->config.read_profiles && (do_fall_through == FALL_THROUGH_DEFAULT))) {
- rlm_rcode_t ret;
- char const *profile;
-
- /*
- * Check for a default_profile or for a User-Profile.
- */
- RDEBUG3("... falling-through to profile processing");
- user_profile = fr_pair_find_by_da(&request->control_pairs, NULL, attr_user_profile);
-
- profile = user_profile ?
- user_profile->vp_strvalue :
- inst->config.default_profile;
-
- if (!profile || !*profile) goto release;
-
- RDEBUG2("Checking profile %s", profile);
-
- if (sql_set_user(inst, request, profile) < 0) {
- REDEBUG("Error setting profile");
- rcode = RLM_MODULE_FAIL;
- goto error;
- }
-
- rlm_sql_process_groups(&ret, inst, request, &handle, &do_fall_through);
- switch (ret) {
- /*
- * Nothing bad happened, continue...
- */
- case RLM_MODULE_UPDATED:
- rcode = RLM_MODULE_UPDATED;
- FALL_THROUGH;
-
- case RLM_MODULE_OK:
- if (rcode != RLM_MODULE_UPDATED) rcode = RLM_MODULE_OK;
- FALL_THROUGH;
-
- case RLM_MODULE_NOOP:
- user_found = true;
- break;
-
- case RLM_MODULE_NOTFOUND:
- break;
-
- default:
- rcode = ret;
- goto release;
- }
- }
-
/*
* At this point the key (user) hasn't be found in the check table, the reply table
- * or the group mapping table, and there was no matching profile.
+ * or the group mapping table.
*/
release:
if (!user_found) rcode = RLM_MODULE_NOTFOUND;
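Review bot: With the profile pass deleted, the `do_fall_through` value presumably produced by the last group pass is no longer read anywhere after the `}` at the top of this hunk, and a reader will look for its consumer; a one-line comment such as `/* Fall-Through after the last group is a no-op: profile processing has been removed. */` just before the `At this point` comment would settle that. If the removed `goto error` was the only jump to `error:`, that label will now draw an unused-label warning and should go too. The retained context comment still reads `hasn't be found`; `* At this point the key (user) hasn't been found in the check table, the reply table` fixes it. The enclosing function starts before and ends after this hunk.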
char const *group_attribute; //!< Name of the group attribute.
- char const *default_profile; //!< Default profile to use if no other
- //!< profiles were configured.
-
char const *authorize_check_query; //!< Query used get check VPs for a user.
char const *authorize_reply_query; //!< Query used get reply VPs for a user.
char const *authorize_group_check_query; //!< Query used get check VPs for a group.
//!< If false, Fall-Through = yes is required
//!< in the previous reply list to process
//!< groups.
- bool read_profiles; //!< Read user profiles by default.
- //!< If false, Fall-Through = yes is required
- //!< in the previous reply list to process
- //!< profiles.
char const *logfile; //!< Keep a log of all SQL queries executed
//!< Useful for batch insertion with the
//!< NULL drivers.
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
read_groups = yes
- read_profiles = yes
# Remove stale session if checkrad does not see a double login
delete_stale_sessions = yes
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
read_groups = yes
- read_profiles = yes
# Remove stale session if checkrad does not see a double login
delete_stale_sessions = yes
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
read_groups = yes
- read_profiles = yes
# Remove stale session if checkrad does not see a double login
delete_stale_sessions = yes