multiple fields using the rlm_sql (tuple / foreach / eval / ...)

[jpereira]

Hi,

I have started the thread called "multiple fields from rlm_mysql" on the FreeRadius users list. And following the suggestion of Alan DeKok here we are.

My idea it's create a solution to be able to do something like:

query_arr "%{sql: SELECT field_a, field_b, field_c FROM tb_foobar WHERE field_a = '%{Value_A}'}"

And with the result saved in query_arr be able to transform in an array or do the concept of "eval" then will set the AVP based on the name of column-table. what do you think about the idea? if possible i would like to get more information about the ideas that was discussed between @alandekok and @arr2036 to thus be able to continue.

I believe that have many ways (possible solutions) to be done.

[arr2036]

The concept Alan and I discussed was to create mapping sections in the rlm_sql module. This is consistent with the ldap module, and couchbase.

In the sql module you would have something like:

sql {
    map {
        static_ip {
            Framed-Route := 'framedRoute'
            Framed-IP-Address := 'framedIPAddress'
            <radaddr> := '<sqlattr>'
        }
        multi {
            <radaddr> += '<sqlattr>'
        }
    }
}

Then in a virtual-server:

if ("%{static_ip:SELECT framedRoute, framedIpAddress FROM staticIps WHERE username = \"%{User-Name}\"" < 0) {
    reject # need static ip
}

Operators in the map sections work as they do in an update {} block, so if you want the result of multiple rows you'd use += instead.

In any case, for this to work we'd need the names of the columns, so one of these https://github.com/FreeRADIUS/freeradius-server/commit/25ecad94f749d783602d3775b6f9c72382ebc65a

Has to be defined for every driver.

[arr2036]

Alan and I just looked, and PG/MySQL are about as simple as sqlite... so i'll do those now.

[jpereira]

This solutions it's pretty. i'm working in the patch now.

[arr2036]

Ok, added mysql and postgres too.

https://github.com/FreeRADIUS/freeradius-server/commit/dead5fe0636af3b8745b4466c5ce72b604b24acf

If you could work on the drivers first, and let us know which ones you're fixing up, that'd be helpful.

[jpereira]

Come on @arr2036 ! you was so fast... I didn't have time to push my patch... :)

btw, my patch was saved here http://wifilabs.mobicare.com.br/patchs/freeradius-patch-rlm_sql-mysql-columns-names.patch

Thanks!

[arr2036]

We still need patches for db2, firebird, freetds, iodbc, oracle and unixodbc, and the mapping code needs to be written. So lets leave the issue open for now :)

[jpereira]

right! :+1:

I'll work in some example to be added on configuration. :)

[spaetow]

The mapping section gets my :+1:!

[jpereira]

@arr2036 I'm working for add the support to others sgdb. I believe finish soon.

[arr2036]

@jpereira Great! I'm about half way through the new xlat.

[arr2036]

Ok, code is in v3.1.x and works for sql_sqlite at least

(0)       map sql_sqlite SELECT * FROM radusergroup WHERE priority = 0 AND username = '%{User-Name}' {
(0)         EXPAND SELECT * FROM radusergroup WHERE priority = 0 AND username = '%{User-Name}'
(0)            --> SELECT * FROM radusergroup WHERE priority = 0 AND username = 'bob'
(0)         EXPAND %{User-Name}
(0)            --> bob
(0)         SQL-User-Name set to 'bob'
rlm_sql (sql_sqlite): Reserved connection (4)
(0)         Executing select query: SELECT * FROM radusergroup WHERE priority = 0 AND username = 'bob'
(0)         &control:Tmp-String-0 = 'bob'
(0)         &control:Tmp-String-1 = 'bar'
(0)         &control:Tmp-Integer-0 = 0
rlm_sql (sql_sqlite): Released connection (4)
(0)       } # map sql_sqlite SELECT * FROM radusergroup WHERE priority = 0 AND username = '%{User-Name}' = updated

[arr2036]

syntax ended up being

map <map proc isnt> <source> {
    <server attr0> <op0> <result attr0>
    <server attr1> <op1> <result attr1>
    <server attrN> <opN> <result attrN>
}

@jpereira did you make any progress with the other drivers?

[arr2036]

Ok, i'm going to close this issue, and start another one for tracking progress on the drivers.

[jpereira]

@arr2036 yes, I'll push today.

[arr2036]

Which ones did you complete?

[jpereira]

@arr2036 I'm having problems with 'make deb', do you have idea about that?

dpkg-buildpackage: host architecture amd64 dpkg-source --before-build freeradius-server debian/rules clean make[1]: Entering directory/home/jpereira/Devel/github-jpereira/freeradius-server' QUILT_PATCHES=debian/patches \ quilt --quiltrc /dev/null pop -a -R || test $? = 2 Patch radiusd-to-freeradius.diff does not remove cleanly (refresh it or enforce with -f) make[1]: *** [unpatch] Error 1 make[1]: Leaving directory /home/jpereira/Devel/github-jpereira/freeradius-server' have idea?

[arr2036]

there's a hidden file in the freeradius-server directory which holds the patch state git clean -fxd might do it.

[jpereira]

@arr2036 we are almost there! I hope to finish support for freetds and unixodbc tomorrow!

[viniciussotti]

How i use this feature with mysql on a policy?

[arr2036]

it's just

map <module> "<query>" {
    <attr> := <sql field>
}

[viniciussotti]

When i try to do this

map sql "SELECT username, password FROM users WHERE mac = '%{Calling-Station-ID}'" { User-Name := 'username' }

I got this error

Entry is not in "attribute = value" format

And i don´t know why

2016-02-08 19:46 GMT-02:00 Arran Cudbard-Bell notifications@github.com:

it's just

map "" {

:= } — Reply to this email directly or view it on GitHub https://github.com/FreeRADIUS/freeradius-server/issues/984#issuecomment-181569710 .

Vinicius Sotti ANALISTA DE SISTEMAS

Sotti | Desenvolvimento Web Fone (44) 9949-1009 e-Mail: vinicius@sotti.com.br

[arr2036]

Looks like you broke it over multiple lines? Can you paste the actual debug output.

[viniciussotti]

apparently gmail broke the line, this is the code

update request {
                map sql "SELECT username, password FROM `users` WHERE mac = '%{Calling-Station-ID}'" {
                        User-Name := 'username'
                }
}

and this is where the error appears in the radiusd -X

Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always

Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always

Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always

Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always

Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always

Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always

Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always

Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always

Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always

Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files

  reading file /usr/local/etc/raddb/mods-config/files/authorize
  reading file /usr/local/etc/raddb/mods-config/files/accounting
  reading file /usr/local/etc/raddb/mods-config/files/pre-proxy

Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter

  reading file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy

Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter

  reading file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy

Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter

  reading file /usr/local/etc/raddb/mods-config/attr_filter/access_reject

[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".

Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter

  reading file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge

Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter

  reading file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response

Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap

mschap: using internal authentication

Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration

Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess

  reading file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
  reading file /usr/local/etc/raddb/mods-config/preprocess/hints

Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm

Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm

Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm

Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm

Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd

Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap

cache_eap - Driver rlm_cache_rbtree loaded and linked

Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail

Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap

Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog

Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog

Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime

radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel Ignoring "ldap" (see raddb/mods-available/README.rst) } # server inner-tunnel server default { # from file /usr/local/etc/raddb/sites-enabled/default /usr/local/etc/raddb/sites-enabled/default[16]: Entry is not in "attribute = value" format /usr/local/etc/raddb/sites-enabled/default[12]: Errors parsing authorize section.

[arr2036]

Maps can't be located within update blocks

[arr2036]

This really isn't the place for support, if you have further questions you show post on the freeradius user's mailing list http://freeradius.org/list/users.html