The SQL module is composed of two parts: a generic SQL front-end
(rlm_sql), and a series of database-dependent back-end drivers
(rlm_sql_mysql, rlm_sql_postgresql, etc.)

In order to build the drivers, you MUST ALSO install the development
versions of the database. That is, you must have the appropriate
header files and client libraries for (say) MySQL. The
rlm_sql_mysql driver is NOT a complete MySQL client implementation.
Instead, it is a small 'shim' between the FreeRADIUS rlm_sql module
and the MySQL client libraries.

In general, the SQL schemas mirror the layout of the 'users' file.
So for configuring check items and reply items, see 'man 5 users',
and the examples in the 'users' file.
1. Miscellaneous configuration

The SQL module has little documentation, sorry. A helpful

        http://www.frontios.com/freeradius.html

If anyone has comments on this (or other) documentation, PLEASE
email them to the freeradius-devel list, so that they may be included here.
One of the fields of the SQL schema is named 'op'. This is for the
'operator' used by the attributes. e.g.:

        Framed-IP-Address = 1.2.3.4
        ^ ATTRIBUTE ----^ ^ OP ^ VALUE

If you want the server to be completely misconfigured, and to never
do what you want, leave the 'op' field blank. If you want to be
rudely told to RTFM, then post questions on the mailing list, asking

        "why doesn't my SQL configuration work when I leave the 'op' field empty?"

The short answer is that with the op field empty, the server does
not know what you want it to do with the attribute. Should it be
added to the reply? Maybe you wanted to compare the value to one
in the request? The server simply doesn't know.

So put a value in the field. The value is the string form of the
operator: "=", ">=", etc. See Section 4, below, for more details.
3. Authentication versus Authorization

Many people ask if they can "authenticate" users to their SQL
database. The answer to this question is "You're asking the wrong

An SQL database stores information. An SQL database is NOT an
authentication server. The ONLY users who should be able to
authenticate themselves to the database are the people who
administer it. Most administrators do NOT want every user to be
able to access the database, which means that most users will not be
able to "authenticate" themselves to the database.

Instead, the users will have their authorization information (name,
password, configuration) stored in the database. The configuration
files for FreeRADIUS contain a username and password used to
authenticate FreeRADIUS to the SQL server. (See raddb/sql.conf).
That database account should be given only the privileges the SQL
module needs (typically read access to the check and reply tables and
write access to the accounting tables), not administrative rights over
the database. Once the FreeRADIUS authentication server is connected
to the SQL database server, then FreeRADIUS can pull user names and
passwords out of the database, and use that information to perform the
The list of operators is given below.

 Op    Example and documentation
 --    -------------------------

 =     "Attribute = Value"

       Not allowed as a check item for RADIUS protocol attributes. It is
       allowed for server configuration attributes (Auth-Type, etc), and sets
       the value of an attribute, only if there is no other item of the

       As a reply item, it means "add the item to the reply list, but
       only if there is no other item of the same attribute."

 :=    "Attribute := Value"

       Always matches as a check item, and replaces in the
       configuration items any attribute of the same name. If no
       attribute of that name appears in the request, then this

       As a reply item, it has an identical meaning, but for the
       reply items, instead of the request items.

 ==    "Attribute == Value"

       As a check item, it matches if the named attribute is present
       in the request, AND has the given value.

       Not allowed as a reply item.

 +=    "Attribute += Value"

       Always matches as a check item, and adds the current attribute
       with value to the list of configuration items.

       As a reply item, it has an identical meaning, but the
       attribute is added to the reply items.

 !=    "Attribute != Value"

       As a check item, matches if the given attribute is in the
       request, AND does not have the given value.

       Not allowed as a reply item.

 >     "Attribute > Value"

       As a check item, it matches if the request contains an
       attribute with a value greater than the one given.

       Not allowed as a reply item.

 >=    "Attribute >= Value"

       As a check item, it matches if the request contains an
       attribute with a value greater than, or equal to the one

       Not allowed as a reply item.

 <     "Attribute < Value"

       As a check item, it matches if the request contains an
       attribute with a value less than the one given.

       Not allowed as a reply item.

 <=    "Attribute <= Value"

       As a check item, it matches if the request contains an
       attribute with a value less than, or equal to the one given.

       Not allowed as a reply item.

 =~    "Attribute =~ Expression"

       As a check item, it matches if the request contains an
       attribute which matches the given regular expression. This
       operator may only be applied to string attributes.

       Not allowed as a reply item.

 !~    "Attribute !~ Expression"

       As a check item, it matches if the request contains an
       attribute which does not match the given regular expression.
       This operator may only be applied to string attributes.

       Not allowed as a reply item.

 =*    "Attribute =* Value"

       As a check item, it matches if the request contains the named
       attribute, no matter what the value is.

       Not allowed as a reply item.

 !*    "Attribute !* Value"

       As a check item, it matches if the request does not contain
       the named attribute, no matter what the value is.

       Not allowed as a reply item.
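The 'op' rules above, together with the blank-op mistake from Section 1, as an added worked example (this is not FreeRADIUS code and not how rlm_sql is implemented): a small Python model of how check rows and reply rows are applied to one request. The table names radcheck and radreply, the column order (username, attribute, op, value) and the sample rows are assumptions for illustration; the real module runs the queries in sql.conf and handles far more than this. Rows that the operator table forbids (a blank op, "=" on a protocol attribute in the check table, a comparison operator in the reply table) raise instead of silently doing nothing, which is the behaviour you want when auditing a schema.

```python
import re
from typing import Dict, List, Tuple

Row = Tuple[str, str, str, str]          # (username, attribute, op, value)
Items = Dict[str, List[str]]             # attribute -> values, in order

# Constructed sample rows, laid out like the stock radcheck / radreply tables
# (table and column names are an assumption; the text above only names 'op').
RADCHECK: List[Row] = [
    ("bob", "Cleartext-Password", ":=", "hello"),
    ("bob", "NAS-IP-Address", "==", "192.0.2.10"),
    ("bob", "Calling-Station-Id", "=~", r"^00-11-22-"),
    ("bob", "NAS-Port", "<", "16"),
    ("carol", "Auth-Type", "=", "Reject"),           # '=' is fine for a server attribute
    ("dave", "Cleartext-Password", "", "oops"),      # blank op: misconfigured
    ("erin", "Framed-IP-Address", "=", "10.0.0.9"),  # '=' on a protocol attribute: wrong table
]
RADREPLY: List[Row] = [
    ("bob", "Framed-IP-Address", "=", "10.0.0.5"),
    ("bob", "Framed-IP-Address", "=", "10.0.0.6"),   # ignored: that attribute is already set
    ("bob", "Reply-Message", "+=", "welcome"),
    ("bob", "Reply-Message", "+=", "again"),
    ("frank", "Framed-IP-Address", "==", "10.0.0.9"),  # a comparison in the reply table: wrong
]

# Attributes that configure the server rather than the RADIUS protocol; '='
# is allowed as a check item only for these (list deliberately short).
SERVER_ATTRS = {"Auth-Type"}


def apply_check(request: Dict[str, str], config: Items,
                attr: str, op: str, value: str) -> bool:
    """Apply one check row and report whether it matched.  Bad rows raise."""
    if not op:
        raise ValueError(f"{attr}: blank 'op' field, the server cannot know what to do")
    if op == "=":
        if attr not in SERVER_ATTRS:
            raise ValueError(f"{attr}: '=' is not allowed as a check item for protocol attributes")
        config.setdefault(attr, [value])     # set only if nothing of that name exists yet
        return True
    if op == ":=":
        config[attr] = [value]               # replace whatever was there
        return True
    if op == "+=":
        config.setdefault(attr, []).append(value)
        return True
    if op in ("=*", "!*"):                   # presence tests ignore the value
        return (attr in request) == (op == "=*")
    if attr not in request:                  # every remaining operator needs the attribute
        return False
    actual = request[attr]
    if op in ("==", "!="):
        return (actual == value) == (op == "==")
    if op in (">", ">=", "<", "<="):         # integers when both sides parse, else strings
        try:
            left, right = int(actual), int(value)
        except ValueError:
            left, right = actual, value
        return {">": left > right, ">=": left >= right,
                "<": left < right, "<=": left <= right}[op]
    if op in ("=~", "!~"):                   # regular expressions, string attributes only
        return (re.search(value, actual) is not None) == (op == "=~")
    raise ValueError(f"{attr}: unknown operator {op!r}")


def apply_reply(reply: Items, attr: str, op: str, value: str) -> None:
    """Apply one reply row.  Only =, := and += are legal here."""
    if op == "=":
        reply.setdefault(attr, [value])
    elif op == ":=":
        reply[attr] = [value]
    elif op == "+=":
        reply.setdefault(attr, []).append(value)
    else:
        raise ValueError(f"{attr}: {op!r} is not allowed as a reply item")


def authorize(username: str, request: Dict[str, str],
              radcheck: List[Row] = RADCHECK,
              radreply: List[Row] = RADREPLY) -> Tuple[bool, Items, Items]:
    """Return (matched, config_items, reply_items) for one user."""
    config: Items = {}
    reply: Items = {}
    matched = True
    for user, attr, op, value in radcheck:
        if user == username and not apply_check(request, config, attr, op, value):
            matched = False                  # keep going so every bad row is reported
    if not matched:
        return False, config, reply
    for user, attr, op, value in radreply:
        if user == username:
            apply_reply(reply, attr, op, value)
    return True, config, reply


def blank_ops(rows: List[Row]) -> List[Row]:
    """What 'SELECT * FROM radcheck WHERE op IS NULL OR op = ""' would return."""
    return [row for row in rows if not row[2]]
```

With these rows, bob authorized from NAS 192.0.2.10 gets one Framed-IP-Address (the second "=" row is ignored because one is already present) and both Reply-Message values, while the same user from another NAS or with NAS-Port 40 does not match. dave, erin and frank each raise ValueError. Before going live, run the query that blank_ops() models against radcheck and radreply (assuming those table names) so that blank 'op' rows are found in the database rather than on the mailing list.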