Some notes on recent changes


Some notes on recent changes

Alexander M. Pravking
First of all, I'd like to thank the development team for the great work done (I
didn't keep track of FreeRADIUS for some time). So I have a bug
report (submitted to Bugzilla) and some notes, hopefully useful for the
project.


The minimum-timeout of the rlm_logintime module is more likely to be a
global post-authorization configuration option, i.e. if it's set, always
check that Session-Timeout in the Access-Accept reply (if it exists) is
greater than the specified value, else reject the user.


In doc/ChangeLog, virtual modules are mentioned, with a reference to the
"modules" section of radiusd.conf. However, the note on them is in the
"instantiate" section.


For rlm_exec, it could be useful to set environment variables for script
return codes, like
        /* module return codes are single-digit, so 3 bytes is enough */
        char codestr[3];
        snprintf(codestr, sizeof(codestr), "%d", RLM_MODULE_OK);
        setenv("RLM_MODULE_OK", codestr, 1);
        ...
This may be done either after fork, or at module initialization, for the
radiusd process itself.


One may want to distinguish zapped sessions from normally stopped ones.
It's not good to extend standard RADIUS attributes, but how about
defining a new value Acct-Terminate-Cause = Stale-Session and adding it to
the fake stop request?

As an alternative, it might be a good idea to add an accounting_zap
"method" for modules...


In postgresql.conf, there are commented out authorize_check_query and
authorize_reply_query noted as "for case sensitive usernames". First,
that's wrong, they are for case-INsensitive searches. Second, for
PostgreSQL it's more efficient to use
        lower(UserName) = lower('%{SQL-User-Name}')
One using these queries might then want to build appropriate indices:
        CREATE INDEX radcheck_lower_username_idx ON radcheck (lower(UserName));
        CREATE INDEX radreply_lower_username_idx ON radreply (lower(UserName));
The same for authorize_group_{check,reply}_query.

I'd also recommend replacing most of the VARCHAR(N) columns with TEXT in
the PostgreSQL database schema unless there's a real necessity to restrict
their length at the database level.

Finally, TIMESTAMP WITH TIME ZONE may be written as TIMESTAMPTZ, which
is much shorter ;) And there's no need to cast now() to timestamptz in
queries - that's what it already is.


--
Fduch M. Pravking
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
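
The rlm_exec suggestion in the message above, carried through as an added example (not code from the post or from FreeRADIUS): every module return code is exported into the child's environment after fork, and a script run through /bin/sh can read them. The code names and their order are assumed to mirror the server's module return codes, export_rcodes() and run_script() are hypothetical names, and the sample command only hands a code back as its exit status to show the variable is visible.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv() under strict -std=c99/c11 */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Names and order assumed to mirror FreeRADIUS's module return codes;
 * verify against the headers of the server version you build against. */
#define RCODES(X) X(REJECT) X(FAIL) X(OK) X(HANDLED) X(INVALID) \
                  X(USERLOCK) X(NOTFOUND) X(NOOP) X(UPDATED)
#define AS_ENUM(n) RLM_MODULE_##n,
#define AS_ENV(n)  { "RLM_MODULE_" #n, RLM_MODULE_##n },
enum { RCODES(AS_ENUM) };
static const struct { const char *name; int value; } rcode_env[] =
    { RCODES(AS_ENV) };

/* Export every code as NAME=<decimal>. Returns 0 on success, -1 on error. */
static int export_rcodes(void)
{
    char buf[12];                   /* fits any 32-bit int plus NUL */
    for (size_t i = 0; i < sizeof(rcode_env) / sizeof(rcode_env[0]); i++) {
        int n = snprintf(buf, sizeof(buf), "%d", rcode_env[i].value);
        if (n < 0 || (size_t)n >= sizeof(buf)) return -1;  /* truncated */
        if (setenv(rcode_env[i].name, buf, 1) != 0) return -1;
    }
    return 0;
}

/* Hypothetical helper: run cmd via /bin/sh with the codes exported in the
 * child only. Returns its exit status, or -1 if not run or killed. */
static int run_script(const char *cmd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (export_rcodes() == 0)
            execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* export or exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return run_script("exit \"$RLM_MODULE_OK\"") != RLM_MODULE_OK; }
```

Exporting after fork keeps the variables out of the server's own environment; exporting once at module initialization would instead make them visible to every child the process starts.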

RE: Some notes on recent changes

pks-2
Sir,

Do you know of a good developer able to combine FreeRadius and FreeSide or
another OpenSource Billing module, combined with setting up all the credit
card and payment processing interfaces for a VoIP ISP operation?

PK

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of
Alexander M. Pravking
Sent: Tuesday, August 02, 2005 9:49 PM
To: [hidden email]
Subject: Some notes on recent changes
