X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=doc%2Frlm_sql;h=0f066603c9829d6611e30d40edf79c800c569ffe;hb=HEAD;hp=c3e39db25a599948449dac3c9ca80c19ee640039;hpb=6a5d3d4a0c438d06bdf8f4c6ff741f598c441147;p=freeradius.git diff --git a/doc/rlm_sql b/doc/rlm_sql index c3e39db..0f06660 100644 --- a/doc/rlm_sql +++ b/doc/rlm_sql @@ -21,6 +21,9 @@ 1. Schema and usage + The schemas are available in raddb/sql//*, where is the + name of the database (mysql, postgresql, etc.) + The SQL module employs two sets of check and reply item tables for processing in the authorization stage. One set of tables (radcheck and radreply) are specific to a single user. The other set of tables @@ -39,6 +42,8 @@ a. The user IS NOT found in radcheck b. The user IS found in radcheck, but the check items don't match c. The user IS found in radcheck, the check items DO match AND + Fall-Through is set in the radreply table + d. The user IS found in radcheck, the check items DO match AND the read_groups directive is set to 'yes' 4. If groups are to be processed for this user, the first thing that is done is the list of groups this user is a member of is pulled from the 
@@ -51,18 +56,33 @@ there is a match, the reply items for this group are pulled from the radgroupreply table and applied. 6. Processing continues to the next group IF: - a. There was not a match for the last group's check items + a. There was not a match for the last group's check items OR + b. Fall-Through was set in the last group's reply items (The above is exactly the same as in the users file) 7. Finally, if the user has a User-Profile attribute set or the Default Profile option is set in the sql.conf, then steps 4-6 are repeated for the groups that the profile is a member of. - A web page with some helpful documentation is: + For any fairly complex setup, it is likely that most of the actual + processing will be done in the groups. In these cases, the user entry in + radcheck will be of limited use except for things like setting the user's + password. So, one might have the following setup: + + radcheck table: + joeuser Cleartext-Password := somepassword + + radreply table: + joeuser Fall-Through = Yes - http://www.frontios.com/freeradius.html + radgroupcheck table: + Check items for various connection scenarios - NOTE: this page may be slightly out of date when dealing with the database - schema + radgroupreply table: + reply items for the groups + + usergroup table: + joeuser WLANgroup 1(this is the priority) + joeuser PPPgroup 2 2. What NOT to do. @@ -261,4 +281,3 @@ sql_instance2 ... } -
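Review bot: in the first hunk (@@ -21,6 +21,9), the added path reads "raddb/sql//*, where is the name of the database" as shown here, so the placeholder for the database directory is empty both in the path and in the "where ... is" clause. Use a placeholder that survives plain-text rendering (an upper-case word such as DBNAME would do) so the reader can tell that the schemas live in a per-database subdirectory (mysql, postgresql, etc.).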
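Review bot: in the second hunk (@@ -39,6 +42,8), new item c says "Fall-Through is set in the radreply table" without giving a value, while the example added later in this patch writes "Fall-Through = Yes". State the value in item c as well, so the reader does not have to guess whether any value of the attribute counts. Items a through d also carry no joiner in the visible lines, whereas step 6 in the next hunk gains an explicit "OR"; adding the same joiner here would make the two lists read consistently.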
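Review bot: in the third hunk (@@ -51,18 +56,33), the sample usergroup row "joeuser WLANgroup 1(this is the priority)" runs an explanation into the data, and the "joeuser PPPgroup 2" row has no matching note. Move the column meaning to a header line or a sentence above the rows so both rows have the same shape. Item 6b, "Fall-Through was set in the last group's reply items", should name the value the same way the radreply sample does ("Fall-Through = Yes"). The radcheck sample stores "Cleartext-Password := somepassword"; a sentence next to it saying that this value is readable by anyone with access to the radcheck table, and that database access should be restricted accordingly, would help readers who copy the setup.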