Post Auth Reject not working after reject using exec Module - freeradius

I have FreeRADIUS version 3.0.21 and I am trying to authenticate users with an external PHP script. The script itself works fine.
My problem is that nothing is inserted into the radpostauth table after the script returns a reject.
This is the debug output for a rejected user:
0) Received Access-Request Id 71 from 127.0.0.1:47913 to 127.0.0.1:1812 length 100
(0) User-Name = "Aboserifaban"
(0) User-Password = "123456"
(0) Calling-Station-Id = "4e:f9:5e:77:0c:9a"
(0) NAS-Port = 102
(0) NAS-IP-Address = 103.200.57.138
(0) Framed-Protocol = PPP
(0) Framed-IP-Address = 192.168.0.1
(0) NAS-Identifier = "nas"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "#"
(0) suffix: No '#' in User-Name = "Aboserifaban", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 48
(0) files: EXPAND /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "%{User-Name}" "%{User-Password}" "%{Calling-Station-Id}" "%{NAS-Port-Id}" "%{NAS-IP-Address}" "%{Framed-Protocol}" "%{Framed-IP-Address}"
(0) files: --> /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1"
(0) [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> Aboserifaban
(0) sql: SQL-User-Name set to 'Aboserifaban'
rlm_sql (sql): Reserved connection (0)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Aboserifaban' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Aboserifaban' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "123456"
(0) sql: Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Aboserifaban' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Aboserifaban' ORDER BY id
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
Need 6 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'cloudradius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'Aboserifaban' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'Aboserifaban' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
(0) [sql] = ok
(0) if (User-Name =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
(0) if (User-Name =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> FALSE
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> Aboserifaban
(0) sql: SQL-User-Name set to 'Aboserifaban'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'Aboserifaban' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'Aboserifaban' AND acctstoptime IS NULL
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) } # session = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) exec: Executing: /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1":
(0) exec: ERROR: Program returned code (1) and output 'Reply-Message := "Your Account has been expired."'
(0) [exec] = reject
(0) } # post-auth = reject
(0) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 71 from 127.0.0.1:1812 to 127.0.0.1:47913 length 52
(0) Reply-Message := "Your Account has been expired."
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 71 with timestamp +3
Ready to process requests
As you can see above, the user is rejected, but the sql module does not seem to run.
This is my configuration of the post-auth section in the default file:
# NOTE(review): in the debug output for this request, exec returns reject and
# the section ends with "post-auth = reject". No sql query is logged after
# that, so the sql line that follows exec was not reached for this request.
post-auth {
# NOTE(review): the debug output shows this exec call handing User-Password to
# the PHP script as a command-line argument. Command-line arguments are
# typically readable by other local users through the process list, and they
# end up in debug logs. Presumably the exec module can expose request
# attributes to the program through its environment instead; confirm in the
# rlm_exec documentation.
exec
sql
Post-Auth-Type REJECT {
update reply {
Reply-Message = "Rejected: invalid username or password..!"
}
# log failed authentications in SQL, too.
# NOTE(review): the debug output does not show this sub-section being entered
# when the reject is produced by exec inside post-auth itself. Presumably it is
# only used for rejects decided before post-auth; verify against the
# FreeRADIUS 3.0 documentation.
# NOTE(review): exec is listed here as well, so the external script would be
# invoked again whenever this sub-section runs. Confirm that is intended.
exec
sql
}
}
When I remove exec from the post-auth section it works fine and the result is inserted into the radpostauth table.
Please help me to fix this issue
Thanks in Advance
Best Regards

I believe you should keep the filter in the Post-Auth-Type REJECT section. That should do the job.


How can I query all InfluxDB _internal database measurements?

I cannot query following measurements from _internal database of InfluxDB using Influxql:
database
write
shard
See results for following commands:
> show databases
name: databases
name
----
_internal
>use _internal
> show measurements
name: measurements
name
----
cq
database
httpd
queryExecutor
runtime
shard
subscriber
tsm1_cache
tsm1_engine
tsm1_filestore
tsm1_wal
write
> select * from database limit 1;
ERR: error parsing query: found fron, expected FROM at line 1, char 10
> select * from write limit 1;
ERR: error parsing query: found WRITE, expected identifier at line 1, char 15
> select * from shard limit 1;
ERR: error parsing query: found SHARD, expected identifier at line 1, char 15
But I can successfully query some other measurements
> select * from queryExecutor limit 1;
name: queryExecutor
time hostname queriesActive queriesExecuted queriesFinished queryDurationNs recoveredPanics
---- -------- ------------- --------------- --------------- --------------- ---------------
1559923260000000000 localhost.localdomain 0 0 0 0 0
How can I query/extract data from the _internal database of InfluxDB across all available measurements?
It's a bit late, but I found a way.
In some cases, an "expected identifier" error occurs when one of the query's identifiers is an InfluxQL keyword. To successfully query an identifier that is also a keyword, wrap the identifier in double quotes:
select * from "database"

Error when visualize apache kylin data in apache superset

I tried to view Apache Kylin data in Apache Superset by following an official blog guide, but I got the following error when I clicked the "visualize" button after the query returned a result table. I have upgraded kylinpy to the latest version. I know the correct SQL should be "WHERE MONTH_BEG_DT >= '1918-03-12' AND MONTH_BEG_DT <= '2018-03-12'", but the statement is generated automatically by Superset.
Caused by: java.lang.NumberFormatException: For input string: "12 00:00:00"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:580)
at java.lang.Integer.parseInt(Integer.java:615)
at org.apache.calcite.avatica.util.DateTimeUtils.dateStringToUnixDate(DateTimeUtils.java:637)
at Baz$6$1.<clinit>(Unknown Source)
... 99 more
2018-03-12 18:13:12,606 INFO [Query eb988c1e-5f6c-4275-a9b8-1946f5976020-60] service.QueryService:328 :
==========================[QUERY]===============================
Query Id: eb988c1e-5f6c-4275-a9b8-1946f5976020
SQL: SELECT META_CATEG_NAME AS META_CATEG_NAME,
sum(CNT) AS sum__CNT
FROM
(select YEAR_BEG_DT,
MONTH_BEG_DT,
WEEK_BEG_DT,
META_CATEG_NAME,
CATEG_LVL2_NAME,
CATEG_LVL3_NAME,
OPS_REGION,
NAME as BUYER_COUNTRY_NAME,
sum(PRICE) as GMV,
sum(ACCOUNT_BUYER_LEVEL) ACCOUNT_BUYER_LEVEL,
count(*) as CNT
from KYLIN_SALES
join KYLIN_CAL_DT on CAL_DT = PART_DT
join KYLIN_CATEGORY_GROUPINGS on SITE_ID = LSTG_SITE_ID
and KYLIN_CATEGORY_GROUPINGS.LEAF_CATEG_ID = KYLIN_SALES.LEAF_CATEG_ID
join KYLIN_ACCOUNT on ACCOUNT_ID = BUYER_ID
join KYLIN_COUNTRY on ACCOUNT_COUNTRY = COUNTRY
group by YEAR_BEG_DT,
MONTH_BEG_DT,
WEEK_BEG_DT,
META_CATEG_NAME,
CATEG_LVL2_NAME,
CATEG_LVL3_NAME,
OPS_REGION,
NAME) AS expr_qry
WHERE MONTH_BEG_DT >= '1918-03-12 00:00:00'
AND MONTH_BEG_DT <= '2018-03-12 18:13:11'
GROUP BY META_CATEG_NAME
ORDER BY sum__CNT DESC
LIMIT 5000
User: ADMIN
Success: true
Duration: 1.313
Project: learn_kylin
Realization Names: [CUBE[name=kylin_sales_cube]]
Cuboid Ids: [23715]
Total scan count: 9946
Total scan bytes: 556263
Result row count: 0
Accept Partial: true
Is Partial Result: false
Hit Exception Cache: false
Storage cache used: false
Is Query Push-Down: false
Is Prepare: false
Trace URL: null
Message: null
==========================[QUERY]===============================
Please check the column (dimension) type in Superset and make sure the type is DATE; also make sure the kylinpy version is above 1.0.9.

How to use sqlcounter to disconnect a user after reaching the monthly quota?

I'm new to Freeradius. My NAS is StrongSwan and seems to be supporting CoA.
I also have the sql accounting mod enabled, which allows me to count the octets.
There are many tutorials about how to count the session time of a user and trigger a Session-Timeout once the time is over. But I could find virtually nothing that explains how to count the user's data usage and disconnect him after, let's say, 100 KB of monthly usage.
vim /etc/freeradius/mods-enabled/sqlcounter
# sqlcounter instance "totaldatacounter": keyed on User-Name, reset monthly,
# with the counter value taken from the SQL query at the bottom.
# NOTE(review): defining the instance does not by itself show where it is
# called. Presumably it must also be listed in a processing section (for
# example authorize) before any limit is enforced; confirm against the
# sqlcounter documentation.
sqlcounter totaldatacounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Max-Capacity
# NOTE(review): presumably check_name is the check attribute that carries the
# per-user limit. The radcheck row in the question uses this same attribute
# name. TODO confirm.
check_name = Acct-Output-Octets
# NOTE(review): the query returns a byte total, while reply_name is
# Session-Timeout, which is a time attribute. Confirm that a time value in the
# reply is what is wanted for a data quota.
reply_name = Session-Timeout
key = User-Name
reset = monthly
# Sums input and output octets of the user's radacct rows whose acctstoptime
# falls in the current month and year. Rows with a NULL acctstoptime (sessions
# that are still open) do not satisfy the Month()/Year() comparisons, so usage
# of an in-progress session is not included in the total.
query = "SELECT ((SUM(`acctinputoctets`)+SUM(`acctoutputoctets`))) FROM radacct WHERE `username`='%{${key}}' AND Month(acctstoptime)=(Month(NOW())) AND Year(acctstoptime)=Year(NOW())"
}
When I run the query above for the given user I get the following data usage: 76827648
This is more than my limit of 100000 set in radcheck table:
-- Check item for a single user: assigns (:=) the value 100000 to the
-- Acct-Output-Octets attribute, which the sqlcounter instance names as check_name.
INSERT INTO radcheck (id, username, attribute, op, value)
VALUES (3, '0799a559-1426-478a-b46a-a33f1198cd24', 'Acct-Output-Octets', ':=', '100000');
So why am I still able to connect?
I have a pastebin here of the freeradius -X logfile.

Grant and Revoke on a table in Informix

If I try to execute
-- Reproduction from the question: create a table, grant INSERT on it to
-- test_user, then try to take the privilege back.
CREATE TABLE TEST (
    testColumn VARCHAR(255)
);

GRANT INSERT ON TEST TO test_user;

-- This is the statement reported as failing with error -580 / ISAM -111.
REVOKE INSERT ON TEST FROM test_user;
I get the following error message (translated from German by myself):
1) [REVOKE - 0 row(s), 0.000 secs] [Error Code: -580, SQL State: IX000]
Could not detract access rights.
2) [Error Code: -111, SQL State: IX000] ISAM-Error: No data record was found.
(English version of error -580: Cannot revoke permission.)
Do you have any idea what is going on here?
All the statements are issued with the same user?
Usually this happens when trying to revoke a table-level privilege that your account name did not grant.
To find the grantor of the privilege, use:
-- List every holder of a table-level privilege on TEST together with the
-- account that granted it. The grantor column is the name a REVOKE issued by
-- a different account has to supply in its AS clause.
SELECT
    auth.grantee,
    auth.grantor
FROM systabauth AS auth
INNER JOIN systables AS tab
    ON tab.tabid = auth.tabid
WHERE UPPER(tab.tabname) = 'TEST';
Then it's possible to issue:
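-- The AS clause names the account that originally granted the privilege (the
-- grantor column of systabauth), not the account that holds it. Replace the
-- placeholder with that grantor name.
REVOKE INSERT ON TEST FROM 'test_user' AS '<GRANTOR>';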
The other possibility, which I didn't mention but @chris311 figured out, is that you cannot revoke privileges from yourself.
To see what is happening behind the scenes, take the following example: a database named chris311, owned by chris. Bear in mind that I'm using the informix user:
[infx1210#tardis ~]$ id
uid=501(informix) gid=501(informix) groups=501(informix)
[infx1210#tardis ~]$ dbaccess chris311 -
Database selected.
> SELECT name, owner
> FROM sysmaster:sysdatabases
> WHERE name = DBINFO('dbname') ;
name chris311
owner chris
1 row(s) retrieved.
>
Both chris and informix have the DBA database-level privilege, and ricardo was granted the CONNECT privilege:
> SELECT username, usertype
> FROM sysusers;
username usertype
chris D
informix D
ricardo C
3 row(s) retrieved.
>
There is a table, tab1, owned by chris, on which chris granted ricardo the ALL table-level privilege:
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname= 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su-idxar-
grantor chris
1 row(s) retrieved.
>
Then, if informix wants to revoke the INSERT privilege, it must use the AS clause to specify chris as the revoker:
> REVOKE INSERT ON tab1 FROM ricardo;
580: Cannot revoke permission.
111: ISAM error: no record found.
Error in line 1
Near character position 33
> REVOKE INSERT ON tab1 FROM ricardo AS chris;
Permission revoked.
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname = 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su--dxar-
grantor chris
1 row(s) retrieved.
>
If he tries to revoke the INSERT privilege from himself an error will return also:
> REVOKE INSERT ON tab1 FROM informix;
580: Cannot revoke permission.
111: ISAM error: no record found.
Error in line 1
Near character position 34
>
Now if we see the meaning of the 580 error we get:
[infx1210#tardis ~]$ finderr 580
-580 Cannot revoke permission.
This REVOKE statement cannot be carried out. Either it revokes a
database-level privilege, but you are not a Database Administrator in
this database, or it revokes a table-level privilege that your account
name did not grant. Review the privilege and the user names in the
statement to ensure that they are correct. To summarize the table-level
privileges you have granted, query systabauth as follows:
SELECT A.grantee, T.tabname FROM systabauth A, systables T
WHERE A.grantor = USER AND A.tabid = T.tabid
[infx1210#tardis ~]$
It doesn't say anything about revoking privileges from yourself, but the documentation mentions it. Also, if we think about the 111: ISAM error: no record found. and associate it with the fact that the DBA doesn't appear in systabauth, it makes sense, kind of.
The GRANT doesn't return an error/warning because the DBA already has the privileges; the REVOKE returns one because the action didn't take effect.
Now let's take the DBA role from chris, let's do it twice:
> REVOKE DBA FROM chris;
Permission revoked.
> REVOKE DBA FROM chris;
Permission revoked.
> SELECT username, usertype
> FROM sysusers;
username usertype
chris C
informix D
ricardo C
3 row(s) retrieved.
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname= 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su--dxar-
grantor chris
1 row(s) retrieved.
>
Again, the second REVOKE didn't return an error/warning because it was in effect. The user still doesn't appear in the systabauth table.
But what table-level privileges does he have?
[infx1210#tardis ~]$ dbaccess chris311 -
Database selected.
> INSERT INTO tab1 VALUES(1);
1 row(s) inserted.
> SELECT * FROM tab1;
col1
1
1 row(s) retrieved.
> DROP TABLE tab1;
Table dropped.
>
He isn't a DBA but he is the owner.

Postgresql WITH statement invalid on Heroku

I've got a Rails find_by_sql method that works fine locally, in console and the statement also directly in Postgresql, but the statement causes an ActiveRecord::StatementInvalid error when i deploy it to Heroku.
I'm running Postgresql version 9.0.3 locally and using a shared db on Heroku on their Cedar stack.
The error i'm getting is:
PG::Error: ERROR: syntax error at or near "WITH normal_items" LINE 1: WITH normal_items AS (SELECT normal_items_month, count(id)... ^ : WITH normal_items AS (SELECT normal_items_month, count(id) as normal_items_total FROM (SELECT date_trunc('month',created_at) as normal_items_month, id from items WHERE items.a_foreign_key_id IS NULL) z group by normal_items_month), special_items AS (SELECT special_items_month, count(id) as special_items_total FROM (SELECT date_trunc('month',created_at) as special_items_month, id from items WHERE items.a_foreign_key_id IS NOT NULL) x group by special_items_month ) SELECT to_char(month, 'fmMon') as month, coalesce(normal_items_total, 0) as normal_items_total, coalesce(special_items_total, 0) as special_items_total FROM (select generate_series(min(normal_items_month), max(normal_items_month), '1 month'::interval) as month FROM normal_items) m LEFT OUTER JOIN normal_items ON normal_items_month = month LEFT OUTER JOIN special_items ON special_items_month = month
For readability the statement is:
-- Monthly item counts, split by whether a_foreign_key_id is set, reported for
-- every month between the first and last month that has a "normal" item.
-- Uses WITH (common table expressions), which needs PostgreSQL 8.4 or later.
WITH normal_items AS (
    -- items without a foreign key, counted per calendar month
    SELECT
        date_trunc('month', created_at) AS normal_items_month,
        count(id) AS normal_items_total
    FROM items
    WHERE a_foreign_key_id IS NULL
    GROUP BY date_trunc('month', created_at)
),
special_items AS (
    -- items with a foreign key, counted per calendar month
    SELECT
        date_trunc('month', created_at) AS special_items_month,
        count(id) AS special_items_total
    FROM items
    WHERE a_foreign_key_id IS NOT NULL
    GROUP BY date_trunc('month', created_at)
)
SELECT
    to_char(month, 'fmMon') AS month,
    coalesce(normal_items_total, 0) AS normal_items_total,
    coalesce(special_items_total, 0) AS special_items_total
FROM (
    -- one row per month across the range covered by normal_items
    SELECT
        generate_series(
            min(normal_items_month),
            max(normal_items_month),
            '1 month'::interval
        ) AS month
    FROM normal_items
) m
LEFT JOIN normal_items
    ON normal_items_month = month
LEFT JOIN special_items
    ON special_items_month = month
This just provides me with some stats to use with Google Charts; the output is:
Jun 178 0
Jul 0 0
Aug 72 0
Sep 189 0
Oct 24 0
Nov 6 0
Dec 578 0
Jan 0 0
Feb 0 0
Mar 89 0
Apr 607 0
May 281 0
Jun 510 0
Jul 190 0
Aug 0 0
Sep 501 0
Oct 409 0
Nov 704 0
Heroku's shared plan runs PostgreSQL 8.3 which doesn't support WITH keyword (it was introduced in PostgreSQL 8.4).
If you upgrade to Heroku's dedicated database package, you'll be able to use PostgreSQL 9.1.
The default Heroku shared DB is Postgres 8.3 - you can use 9.1 in the public beta of the Shared DB plan - more details at https://postgres.heroku.com/blog/past/2012/4/26/heroku_postgres_development_plan/.
For production you can make use of the newly announced Crane plan at $50 per month https://postgres.heroku.com/blog/past/2012/4/26/heroku_postgres_development_plan/
