Subversion Repositories ALCASAR

Rev

Rev 2476 | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
1279 richard 1
# -*- text -*-
2
##
2438 richard 3
## query.conf -- MySQL configuration for default schema (schema.sql)
1279 richard 4
##
5
 
6
	# Safe characters list for sql queries. Everything else is replaced
7
	# with their mime-encoded equivalents.
2438 richard 8
	# The default list should be ok (define in 'expr' module
1279 richard 9
	#safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
10
 
11
	#######################################################################
12
	#  Query config:  Username
13
	#######################################################################
14
	# This is the username that will get substituted, escaped, and added
15
	# as attribute 'SQL-User-Name'.  '%{SQL-User-Name}' should be used below
16
	# everywhere a username substitution is needed so you you can be sure
17
	# the username passed from the client is escaped properly.
18
	#
19
	#  Uncomment the next line, if you want the sql_user_name to mean:
20
	#
21
	#    Use Stripped-User-Name, if it's there.
22
	#    Else use User-Name, if it's there,
23
	#    Else use hard-coded string "DEFAULT" as the user name.
24
	#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
25
	#
26
	sql_user_name = "%{User-Name}"
27
 
28
	#######################################################################
29
	#  Default profile
30
	#######################################################################
31
	# This is the default profile. It is found in SQL by group membership.
32
	# That means that this profile must be a member of at least one group
33
	# which will contain the corresponding check and reply items.
34
	# This profile will be queried in the authorize section for every user.
35
	# The point is to assign all users a default profile without having to
36
	# manually add each one to a group that will contain the profile.
37
	# The SQL module will also honor the User-Profile attribute. This
38
	# attribute can be set anywhere in the authorize section (ie the users
39
	# file). It is found exactly as the default profile is found.
40
	# If it is set then it will *overwrite* the default profile setting.
41
	# The idea is to select profiles based on checks on the incoming packets,
42
	# not on user group membership. For example:
43
	# -- users file --
44
	# DEFAULT	Service-Type == Outbound-User, User-Profile := "outbound"
45
	# DEFAULT	Service-Type == Framed-User, User-Profile := "framed"
46
	#
47
	# By default the default_user_profile is not set
48
	#
2706 tom.houday 49
	#default_user_profile = "DEFAULT"
1279 richard 50
 
51
	#######################################################################
52
	#  NAS Query
53
	#######################################################################
54
	#  This query retrieves the radius clients
55
	#
56
	#  0. Row ID (currently unused)
57
	#  1. Name (or IP address)
58
	#  2. Shortname
59
	#  3. Type
60
	#  4. Secret
61
	#######################################################################
62
 
2422 richard 63
	# nas_query = "SELECT id, nasname, shortname, type, secret FROM ${nas_table}"
1279 richard 64
 
65
	#######################################################################
66
	#  Authorization Queries
67
	#######################################################################
68
	#  These queries compare the check items for the user
69
	#  in ${authcheck_table} and setup the reply items in
70
	#  ${authreply_table}.  You can use any query/tables
71
	#  you want, but the return data for each row MUST
72
	#  be in the  following order:
73
	#
74
	#  0. Row ID (currently unused)
75
	#  1. UserName/GroupName
76
	#  2. Item Attr Name
77
	#  3. Item Attr Value
78
	#  4. Item Attr Operation
79
	#######################################################################
80
	# Use these for case sensitive usernames.
81
	authorize_check_query = "SELECT id, username, attribute, value, op \
82
         FROM ${authcheck_table} \
83
         WHERE username = BINARY '%{SQL-User-Name}' \
84
         ORDER BY id"
85
	authorize_reply_query = "SELECT id, username, attribute, value, op \
86
         FROM ${authreply_table} \
87
         WHERE username = BINARY '%{SQL-User-Name}' \
88
         ORDER BY id"
89
 
90
	# The default queries are case insensitive. (for compatibility with
91
	# older versions of FreeRADIUS)
92
#	authorize_check_query = "SELECT id, username, attribute, value, op \
93
#          FROM ${authcheck_table} \
94
#          WHERE username = '%{SQL-User-Name}' \
95
#          ORDER BY id"
96
#	authorize_reply_query = "SELECT id, username, attribute, value, op \
97
#          FROM ${authreply_table} \
98
#          WHERE username = '%{SQL-User-Name}' \
99
#          ORDER BY id"
100
 
101
	# Use these for case sensitive usernames.
2706 tom.houday 102
#	group_membership_query = "SELECT groupname \
103
#         FROM ${usergroup_table} \
104
#         WHERE username = BINARY '%{SQL-User-Name}' \
105
#         ORDER BY priority"
1279 richard 106
 
107
#	group_membership_query = "SELECT groupname \
108
#          FROM ${usergroup_table} \
109
#          WHERE username = '%{SQL-User-Name}' \
110
#          ORDER BY priority"
111
 
2706 tom.houday 112
	group_membership_query = "SELECT '%{SQL-User-Name}'"
1279 richard 113
 
2706 tom.houday 114
#	authorize_group_check_query = "SELECT id, groupname, attribute, \
115
#          Value, op \
116
#          FROM ${groupcheck_table} \
117
#          WHERE groupname = '%{Sql-Group}' \
118
#          ORDER BY id"
119
#	authorize_group_reply_query = "SELECT id, groupname, attribute, \
120
#          value, op \
121
#          FROM ${groupreply_table} \
122
#          WHERE groupname = '%{Sql-Group}' \
123
#          ORDER BY id"
124
	authorize_group_check_query = "SELECT id, '%{SQL-User-Name}', attribute, value, op FROM ( \
125
           ( SELECT id, attribute, value, op FROM ${groupcheck_table} gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '%{SQL-User-Name}' ORDER BY ug.priority) UNION \
126
           ( SELECT id, attribute, value, op FROM ${groupcheck_table} WHERE groupname = '%{control:Tmp-String-0}') UNION \
127
           ( SELECT id, attribute, value, op FROM ${groupcheck_table} WHERE groupname = 'default') \
128
         ) attrs GROUP BY attribute"
129
	authorize_group_reply_query = "SELECT id, '%{SQL-User-Name}', attribute, value, op FROM ( \
130
           ( SELECT id, attribute, value, op FROM ${groupreply_table} gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '%{SQL-User-Name}' ORDER BY ug.priority) UNION \
131
           ( SELECT id, attribute, value, op FROM ${groupreply_table} WHERE groupname = '%{control:Tmp-String-0}') UNION \
132
           ( SELECT id, attribute, value, op FROM ${groupreply_table} WHERE groupname = 'default') \
133
         ) attrs GROUP BY attribute"
134
 
1279 richard 135
	#######################################################################
136
	#  Accounting Queries
137
	#######################################################################
138
	# accounting_onoff_query	- query for Accounting On/Off packets
139
	# accounting_update_query	- query for Accounting update packets
140
	# accounting_update_query_alt	- query for Accounting update packets
141
	#                               (alternate in case first query fails)
142
	# accounting_start_query	- query for Accounting start packets
143
	# accounting_start_query_alt	- query for Accounting start packets
144
	#                               (alternate in case first query fails)
145
	# accounting_stop_query		- query for Accounting stop packets
146
	# accounting_stop_query_alt	- query for Accounting start packets
147
	#                               (alternate in case first query doesn't
148
	#                                affect any existing rows in the table)
149
	#######################################################################
150
	accounting_onoff_query = "\
151
          UPDATE ${acct_table1} \
152
          SET \
153
             acctstoptime       =  '%S', \
154
             acctsessiontime    =  unix_timestamp('%S') - \
155
                                   unix_timestamp(acctstarttime), \
156
             acctterminatecause =  '%{Acct-Terminate-Cause}', \
157
             acctstopdelay      =  %{%{Acct-Delay-Time}:-0} \
158
          WHERE acctstoptime IS NULL \
159
          AND nasipaddress      =  '%{NAS-IP-Address}' \
160
          AND acctstarttime     <= '%S'"
161
 
162
	accounting_update_query = " \
163
          UPDATE ${acct_table1} \
164
          SET \
165
             framedipaddress = '%{Framed-IP-Address}', \
166
             acctsessiontime     = '%{Acct-Session-Time}', \
167
             acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 | \
168
                                   '%{%{Acct-Input-Octets}:-0}', \
169
             acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
170
                                   '%{%{Acct-Output-Octets}:-0}' \
171
          WHERE acctsessionid = '%{Acct-Session-Id}' \
2476 tom.houday 172
          AND username        = BINARY '%{SQL-User-Name}' \
1279 richard 173
          AND nasipaddress    = '%{NAS-IP-Address}'"
174
 
175
        accounting_update_query_alt = " \
176
          INSERT INTO ${acct_table1} \
177
            (acctsessionid,    acctuniqueid,      username, \
178
             realm,            nasipaddress,      nasportid, \
179
             nasporttype,      acctstarttime,     acctsessiontime, \
180
             acctauthentic,    connectinfo_start, acctinputoctets, \
181
             acctoutputoctets, calledstationid,   callingstationid, \
182
             servicetype,      framedprotocol,    framedipaddress, \
183
             acctstartdelay,   xascendsessionsvrkey) \
184
          VALUES \
185
            ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
2476 tom.houday 186
             BINARY '%{SQL-User-Name}', \
1279 richard 187
             '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
188
             '%{NAS-Port-Type}', \
189
             DATE_SUB('%S', \
190
                      INTERVAL (%{%{Acct-Session-Time}:-0} + \
191
                                %{%{Acct-Delay-Time}:-0}) SECOND), \
192
                      '%{Acct-Session-Time}', \
193
             '%{Acct-Authentic}', '', \
194
             '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
195
             '%{%{Acct-Input-Octets}:-0}', \
196
             '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
197
             '%{%{Acct-Output-Octets}:-0}', \
198
             '%{Called-Station-Id}', '%{Calling-Station-Id}', \
199
             '%{Service-Type}', '%{Framed-Protocol}', \
200
             '%{Framed-IP-Address}', \
201
             '0', '%{X-Ascend-Session-Svr-Key}')"
202
 
203
	accounting_start_query = " \
204
          INSERT INTO ${acct_table1} \
205
            (acctsessionid,    acctuniqueid,     username, \
206
             realm,            nasipaddress,     nasportid, \
207
             nasporttype,      acctstarttime,    acctstoptime, \
208
             acctsessiontime,  acctauthentic,    connectinfo_start, \
209
             connectinfo_stop, acctinputoctets,  acctoutputoctets, \
210
             calledstationid,  callingstationid, acctterminatecause, \
211
             servicetype,      framedprotocol,   framedipaddress, \
212
             acctstartdelay,   acctstopdelay,    xascendsessionsvrkey) \
213
          VALUES \
214
            ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
2476 tom.houday 215
             BINARY '%{SQL-User-Name}', \
1279 richard 216
             '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
217
             '%{NAS-Port-Type}', '%S', NULL, \
218
             '0', '%{Acct-Authentic}', '%{Connect-Info}', \
219
             '', '0', '0', \
220
             '%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
221
             '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
222
             '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
223
 
224
	accounting_start_query_alt  = " \
225
          UPDATE ${acct_table1} SET \
226
             acctstarttime     = '%S', \
227
             acctstartdelay    = '%{%{Acct-Delay-Time}:-0}', \
228
             connectinfo_start = '%{Connect-Info}' \
229
          WHERE acctsessionid  = '%{Acct-Session-Id}' \
2476 tom.houday 230
          AND username         = BINARY '%{SQL-User-Name}' \
1279 richard 231
          AND nasipaddress     = '%{NAS-IP-Address}'"
232
 
233
	accounting_stop_query = " \
234
          UPDATE ${acct_table2} SET \
235
             acctstoptime       = '%S', \
236
             acctsessiontime    = '%{Acct-Session-Time}', \
237
             acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
238
                                  '%{%{Acct-Input-Octets}:-0}', \
239
             acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
240
                                  '%{%{Acct-Output-Octets}:-0}', \
241
             acctterminatecause = '%{Acct-Terminate-Cause}', \
242
             acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
243
             connectinfo_stop   = '%{Connect-Info}' \
244
          WHERE acctsessionid   = '%{Acct-Session-Id}' \
2476 tom.houday 245
          AND username          = BINARY '%{SQL-User-Name}' \
1279 richard 246
          AND nasipaddress      = '%{NAS-IP-Address}'"
247
 
248
	accounting_stop_query_alt = " \
249
          INSERT INTO ${acct_table2} \
250
            (acctsessionid, acctuniqueid, username, \
251
             realm, nasipaddress, nasportid, \
252
             nasporttype, acctstarttime, acctstoptime, \
253
             acctsessiontime, acctauthentic, connectinfo_start, \
254
             connectinfo_stop, acctinputoctets, acctoutputoctets, \
255
             calledstationid, callingstationid, acctterminatecause, \
256
             servicetype, framedprotocol, framedipaddress, \
257
             acctstartdelay, acctstopdelay) \
258
          VALUES \
259
            ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
2476 tom.houday 260
             BINARY '%{SQL-User-Name}', \
1279 richard 261
             '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
262
             '%{NAS-Port-Type}', \
263
             DATE_SUB('%S', \
264
                 INTERVAL (%{%{Acct-Session-Time}:-0} + \
265
                 %{%{Acct-Delay-Time}:-0}) SECOND), \
266
             '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', \
267
             '%{Connect-Info}', \
268
             '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
269
             '%{%{Acct-Input-Octets}:-0}', \
270
             '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
271
             '%{%{Acct-Output-Octets}:-0}', \
272
             '%{Called-Station-Id}', '%{Calling-Station-Id}', \
273
             '%{Acct-Terminate-Cause}', \
274
             '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
275
             '0', '%{%{Acct-Delay-Time}:-0}')"
2438 richard 276
# We add the following patch (freeradius V2 to V3) in order ALCASAR works
277
# be carefull : 'tolower' need now the 'expr' module
278
accounting {
279
	reference = "%{tolower:type.%{Acct-Status-Type}.query}"
280
	type {
281
		accounting-on {
282
			query = "${....accounting_onoff_query}"
283
		}
284
		accounting-off {
285
			query = "${....accounting_onoff_query}"
286
		}
287
		start {
288
			query = "${....accounting_start_query}"
289
			query = "${....accounting_start_query_alt}"
290
		}
291
		interim-update {
292
			query = "${....accounting_update_query}"
293
			query = "${....accounting_update_query_alt}"
294
		}
295
		stop {
296
			query = "${....accounting_stop_query}"
297
			query = "${....accounting_stop_query_alt}"
298
		}
299
	}
300
}
1279 richard 301
	#######################################################################
302
	# Simultaneous Use Checking Queries
303
	#######################################################################
304
	# simul_count_query	- query for the number of current connections
305
	#			- If this is not defined, no simultaneouls use checking
306
	#			- will be performed by this module instance
307
	# simul_verify_query	- query to return details of current connections for verification
308
	#			- Leave blank or commented out to disable verification step
309
	#			- Note that the returned field order should not be changed.
310
	#######################################################################
311
 
312
	# Uncomment simul_count_query to enable simultaneous use checking
313
	simul_count_query = "SELECT COUNT(*) \
314
                             FROM ${acct_table1} \
2476 tom.houday 315
                             WHERE username = BINARY '%{SQL-User-Name}' \
1279 richard 316
                             AND acctstoptime IS NULL"
317
 
318
	#simul_verify_query  = "SELECT radacctid, acctsessionid, username, \
319
                               #nasipaddress, nasportid, framedipaddress, \
320
                               #callingstationid, framedprotocol \
321
                               #FROM ${acct_table1} \
322
                               #WHERE username = '%{SQL-User-Name}' \
323
                               #AND acctstoptime IS NULL"
324
 
325
	#######################################################################
326
	# Authentication Logging Queries
327
	#######################################################################
328
	# postauth_query		- Insert some info after authentication
329
	#######################################################################
330
#                          (username, pass, reply, authdate) \
331
#                          '%{%{User-Password}:-%{Chap-Password}}', \
332
 
333
	postauth_query = "INSERT INTO ${postauth_table} \
334
                          (username, reply, authdate) \
335
                          VALUES ( \
2476 tom.houday 336
                          BINARY '%{User-Name}', \
1279 richard 337
                          '%{reply:Packet-Type}', '%S')"
2438 richard 338
# We add the following patch (freeradius V2 to V3) in order ALCASAR works
339
post-auth {
340
	query = "${..postauth_query}"
341
}