  SQL Module

0. Introduction

  The SQL module is composed of two parts: a generic SQL front-end
  (rlm_sql), and a series of database-dependent back-end drivers
  (rlm_sql_mysql, rlm_sql_postgresql, etc.)

  In order to build the drivers, you MUST ALSO install the development
  versions of the database.  That is, you must have the appropriate
  header files and client libraries for (say) MySQL.  The
  rlm_sql_mysql driver is NOT a complete MySQL client implementation.
  Instead, it is a small 'shim' between the FreeRADIUS rlm_sql module,
  and the MySQL client libraries.

  In general, the SQL schemas mirror the layout of the 'users' file.
  So for configuring check items and reply items, see 'man 5 users',
  and the examples in the 'users' file.


1. Miscellaneous configuration

  The SQL module has little documentation, sorry.  A helpful (but old)
  web page is:

    http://www.frontios.com/freeradius.html

  but it hasn't been updated in over 6 months.

  If anyone has comments on this (or other) documentation, PLEASE
  email them to the freeradius-devel list, so that they may be
  included here.


2. What NOT to do.

  One of the fields of the SQL schema is named 'op'.  This is for the
  'operator' used by the attributes.  e.g.:

    Framed-IP-Address  =      1.2.3.4
    ^ ATTRIBUTE ----^  ^ OP   ^ VALUE

  If you want the server to be completely misconfigured, and to never
  do what you want, leave the 'op' field blank.  If you want to be
  rudely told to RTFM, then post questions on the mailing list, asking

    "why doesn't my SQL configuration work when I leave the 'op' field
     empty?"

  The short answer is that with the op field empty, the server does
  not know what you want it to do with the attribute.  Should it be
  added to the reply?  Maybe you wanted to compare the operator to one
  in the request?  The server simply doesn't know.

  So put a value in the field.  The value is the string form of the
  operator: "=", ">=", etc.  See Section 3, below, for more details.


3. Operators

  The list of operators is given below.

  Op    Example and documentation
  --    -------------------------

  =     "Attribute = Value"

        Not allowed as a check item.  As a reply item, it means "add
        the item to the reply list, but only if there is no other
        item of the same attribute."

  :=    "Attribute := Value"

        Always matches as a check item, and replaces in the
        configuration items any attribute of the same name.  If no
        attribute of that name appears in the request, then this
        attribute is added.

        As a reply item, it has an identical meaning, but for the
        reply items, instead of the request items.

  ==    "Attribute == Value"

        As a check item, it matches if the named attribute is present
        in the request, AND has the given value.

        Not allowed as a reply item.

  +=    "Attribute += Value"

        Always matches as a check item, and adds the current attribute
        with value to the list of configuration items.

        As a reply item, it has an identical meaning, but the
        attribute is added to the reply items.

  !=    "Attribute != Value"

        As a check item, matches if the given attribute is in the
        request, AND does not have the given value.

        Not allowed as a reply item.

  >     "Attribute > Value"

        As a check item, it matches if the request contains an
        attribute with a value greater than the one given.

        Not allowed as a reply item.

  >=    "Attribute >= Value"

        As a check item, it matches if the request contains an
        attribute with a value greater than, or equal to the one
        given.

        Not allowed as a reply item.

  <     "Attribute < Value"

        As a check item, it matches if the request contains an
        attribute with a value less than the one given.

        Not allowed as a reply item.

  <=    "Attribute <= Value"

        As a check item, it matches if the request contains an
        attribute with a value less than, or equal to the one given.

        Not allowed as a reply item.

  =~    "Attribute =~ Expression"

        As a check item, it matches if the request contains an
        attribute which matches the given regular expression.  This
        operator may only be applied to string attributes.

        Not allowed as a reply item.

  !~    "Attribute !~ Expression"

        As a check item, it matches if the request contains an
        attribute which does not match the given regular expression.
        This operator may only be applied to string attributes.

        Not allowed as a reply item.

  =*    "Attribute =* Value"

        As a check item, it matches if the request contains the named
        attribute, no matter what the value is.

        Not allowed as a reply item.

  !*    "Attribute !* Value"

        As a check item, it matches if the request does not contain
        the named attribute, no matter what the value is.

        Not allowed as a reply item.
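
  The rules in Sections 2 and 3 can be checked mechanically before rows
  are loaded into the database.  The lint below is an added example, not
  part of FreeRADIUS; the row layout (list kind, attribute, op, value),
  the names lint_rows and SAMPLE_ROWS, and the sample rows are
  assumptions made for illustration.

```python
# Added example: lint check/reply rows against the operator rules of Section 3.
# Rows are (kind, attribute, op, value) tuples, as a SELECT might return them;
# this layout and the sample data are constructed for illustration.

# Operators Section 3 allows as check items and as reply items.
CHECK_OPS = {":=", "==", "+=", "!=", ">", ">=", "<", "<=", "=~", "!~", "=*", "!*"}
REPLY_OPS = {"=", ":=", "+="}
ALLOWED = {"check": CHECK_OPS, "reply": REPLY_OPS}

# Constructed sample rows: two are valid, four are not.
SAMPLE_ROWS = [
    ("check", "NAS-IP-Address", "==", "192.0.2.10"),   # valid check item
    ("check", "Simultaneous-Use", "=", "1"),           # '=' is reply-only
    ("reply", "Framed-IP-Address", "", "1.2.3.4"),     # blank op (Section 2)
    ("reply", "Session-Timeout", "==", "3600"),        # '==' is check-only
    ("reply", "Framed-IP-Address", ":=", "1.2.3.4"),   # valid reply item
    ("reply", "Reply-Message", None, "hello"),         # NULL op from the database
]


def lint_rows(rows):
    """Return (row_number, message) for each row whose 'op' is blank,
    unknown, or not allowed for the list the row belongs to."""
    problems = []
    for n, (kind, attribute, op, _value) in enumerate(rows, start=1):
        op = (op or "").strip()          # treat NULL and whitespace as blank
        if not op:
            problems.append((n, f"{attribute}: 'op' is blank"))
        elif op not in CHECK_OPS | REPLY_OPS:
            problems.append((n, f"{attribute}: unknown operator {op!r}"))
        elif op not in ALLOWED[kind]:
            problems.append((n, f"{attribute}: {op!r} is not allowed as a {kind} item"))
    return problems


if __name__ == "__main__":
    for row_number, message in lint_rows(SAMPLE_ROWS):
        print(f"row {row_number}: {message}")
```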