remove default_user_profile, etc.

doc/antora/modules/howto/pages/modules/sql/index.adoc

@@ -69,12 +69,7 @@ Processing continues to the next group if any of the following conditions are me
 - There was not a match for the last group’s check items OR
 - Fall-Through was set in the last group’s reply items
 
-(The above is exactly the same as in the users file.)
-
-Finally, if the user has a User-Profile attribute set or the Default Profile
-configuration item is set for the sql module, then the above group
-processing steps are repeated for the groups that the profile is a member of.
-
+The above is exactly the same as in the `users` file.
 
 === Example with groups
 

doc/antora/modules/howto/pages/tuning/tuning_guide.adoc

@@ -14,7 +14,7 @@ slow down your accounting.
 * Use the users file to only set default profiles. Do not place any
 users there. Keep it as small as possible. Always set default attributes
 in the users file and don’t fill the user entries in ldap/sql with
-default values. In general the ldap/sql user profiles should contain
+default values. In general the ldap user profiles should contain
 user attributes only in special user cases.
 * Tune thread pool parameters to match your size requirements. Set
 `max_requests_per_server` to zero to avoid server thread restarts.

doc/antora/modules/installation/pages/upgrade.adoc

@@ -923,6 +923,11 @@ if (%sql.group(sales)) {
 
 will return `true`.
 
+==== Profiles
+
+The `default_user_profile` and the `User-Profile` attributes have been
+removed.  No one used them, as that behavior was already supported by the group functionality.
+
 ==== rlm_sql_mysql
 
 Now calls `mysql_real_escape_string` and no longer produces

doc/antora/modules/raddb/pages/mods-available/sql.adoc

@@ -146,15 +146,6 @@ Default is `yes`.
 
 
 
-read_profiles:: Read the profiles from the database.
-
-If set to `yes`, we read profiles unless `Fall-Through = no` in the groupreply table.
-If set to `no` we do not read profiles unless `Fall-Through = yes` in the groupreply table.
-
-Default is `yes`.
-
-
-
 logfile:: Write SQL queries to a logfile.
 
 This is potentially useful for tracing issues with authorization queries.
@@ -355,7 +346,6 @@ sql {
 	groupreply_table = "radgroupreply"
 	usergroup_table = "radusergroup"
 #	read_groups = yes
-#	read_profiles = yes
 #	logfile = ${logdir}/sqllog.sql
 #	query_timeout = 5
 	pool {

raddb/mods-available/sql

@@ -170,16 +170,6 @@ sql {
 	#
 #	read_groups = yes
 
-	#
-	#  read_profiles:: Read the profiles from the database.
-	#
-	#  If set to `yes`, we read profiles unless `Fall-Through = no` in the groupreply table.
-	#  If set to `no` we do not read profiles unless `Fall-Through = yes` in the groupreply table.
-	#
-	#  Default is `yes`.
-	#
-#	read_profiles = yes
-
 	#
 	#  logfile:: Write SQL queries to a logfile.
 	#

raddb/mods-config/sql/main/cassandra/queries.conf

@@ -56,29 +56,6 @@ event_timestamp_epoch = %{((integer) &Event-Timestamp) || %l}
 
 event_timestamp = "%{${event_timestamp_epoch} * 1000}"
 
-#######################################################################
-# Default profile
-#######################################################################
-# This is the default profile. It is found in SQL by group membership.
-# That means that this profile must be a member of at least one group
-# which will contain the corresponding check and reply items.
-# This profile will be queried in the authorize section for every user.
-# The point is to assign all users a default profile without having to
-# manually add each one to a group that will contain the profile.
-# The SQL module will also honor the User-Profile attribute. This
-# attribute can be set anywhere in the authorize section (ie the users
-# file). It is found exactly as the default profile is found.
-# If it is set then it will *overwrite* the default profile setting.
-# The idea is to select profiles based on checks on the incoming packets,
-# not on user group membership. For example:
-# -- users file --
-# DEFAULT	Service-Type == Outbound-User, User-Profile := "outbound"
-# DEFAULT	Service-Type == Framed-User, User-Profile := "framed"
-#
-# By default the default_user_profile is not set
-#
-#default_user_profile = "DEFAULT"
-
 #######################################################################
 # Authorization Queries
 #######################################################################

raddb/mods-config/sql/main/mysql/queries.conf

@@ -56,29 +56,6 @@ event_timestamp_epoch = %{((integer) &Event-Timestamp) || %l}
 
 event_timestamp = "FROM_UNIXTIME(${event_timestamp_epoch})"
 
-#######################################################################
-# Default profile
-#######################################################################
-# This is the default profile. It is found in SQL by group membership.
-# That means that this profile must be a member of at least one group
-# which will contain the corresponding check and reply items.
-# This profile will be queried in the authorize section for every user.
-# The point is to assign all users a default profile without having to
-# manually add each one to a group that will contain the profile.
-# The SQL module will also honor the User-Profile attribute. This
-# attribute can be set anywhere in the authorize section (ie the users
-# file). It is found exactly as the default profile is found.
-# If it is set then it will *overwrite* the default profile setting.
-# The idea is to select profiles based on checks on the incoming packets,
-# not on user group membership. For example:
-# -- users file --
-# DEFAULT	Service-Type == Outbound-User, User-Profile := "outbound"
-# DEFAULT	Service-Type == Framed-User, User-Profile := "framed"
-#
-# By default the default_user_profile is not set
-#
-#default_user_profile = "DEFAULT"
-
 #######################################################################
 # Authorization Queries
 #######################################################################

raddb/mods-config/sql/main/oracle/queries.conf

@@ -40,35 +40,6 @@ event_timestamp_epoch = %{((integer) &Event-Timestamp) || %l}
 
 event_timestamp = "TO_DATE('1970-01-01','YYYY-MM-DD') + NUMTODSINTERVAL(${event_timestamp_epoch},'SECOND')"
 
-#######################################################################
-#  Default profile
-#######################################################################
-# This is the default profile. It is found in SQL by group membership.
-# That means that this profile must be a member of at least one group
-# which will contain the corresponding check and reply items.
-# This profile will be queried in the authorize section for every user.
-# The point is to assign all users a default profile without having to
-# manually add each one to a group that will contain the profile.
-# The SQL module will also honor the User-Profile attribute. This
-# attribute can be set anywhere in the authorize section (ie the users
-# file). It is found exactly as the default profile is found.
-# If it is set then it will *overwrite* the default profile setting.
-# The idea is to select profiles based on checks on the incoming packets,
-# not on user group membership. For example:
-# -- users file --
-# DEFAULT	Service-Type == Outbound-User, User-Profile := "outbound"
-# DEFAULT	Service-Type == Framed-User, User-Profile := "framed"
-#
-# By default the default_user_profile is not set
-#
-#default_user_profile = "DEFAULT"
-#
-# Determines if we will query the default_user_profile or the User-Profile
-# if the user is not found. If the profile is found then we consider the user
-# found. By default this is set to 'no'.
-#
-#query_on_not_found = no
-
 #######################################################################
 #  Authorization Queries
 #######################################################################

raddb/mods-config/sql/main/postgresql/queries.conf

@@ -46,29 +46,6 @@ event_timestamp_epoch = %{((integer) &Event-Timestamp) || %l}
 
 event_timestamp = "TO_TIMESTAMP(${event_timestamp_epoch})"
 
-#######################################################################
-#  Default profile
-#######################################################################
-# This is the default profile. It is found in SQL by group membership.
-# That means that this profile must be a member of at least one group
-# which will contain the corresponding check and reply items.
-# This profile will be queried in the authorize section for every user.
-# The point is to assign all users a default profile without having to
-# manually add each one to a group that will contain the profile.
-# The SQL module will also honor the User-Profile attribute. This
-# attribute can be set anywhere in the authorize section (ie the users
-# file). It is found exactly as the default profile is found.
-# If it is set then it will *overwrite* the default profile setting.
-# The idea is to select profiles based on checks on the incoming
-# packets, not on user group membership. For example:
-# -- users file --
-# DEFAULT	Service-Type == Outbound-User, User-Profile := "outbound"
-# DEFAULT	Service-Type == Framed-User, User-Profile := "framed"
-#
-# By default the default_user_profile is not set
-#
-# default_user_profile = "DEFAULT"
-
 #######################################################################
 #  Open Query
 #######################################################################

raddb/mods-config/sql/main/sqlite/queries.conf

@@ -50,29 +50,6 @@ event_timestamp = "${event_timestamp_epoch}"
 # these variables differentiated in preparation for switching away from
 # integer storage.
 
-#######################################################################
-# Default profile
-#######################################################################
-# This is the default profile. It is found in SQL by group membership.
-# That means that this profile must be a member of at least one group
-# which will contain the corresponding check and reply items.
-# This profile will be queried in the authorize section for every user.
-# The point is to assign all users a default profile without having to
-# manually add each one to a group that will contain the profile.
-# The SQL module will also honor the User-Profile attribute. This
-# attribute can be set anywhere in the authorize section (ie the users
-# file). It is found exactly as the default profile is found.
-# If it is set then it will *overwrite* the default profile setting.
-# The idea is to select profiles based on checks on the incoming packets,
-# not on user group membership. For example:
-# -- users file --
-# DEFAULT	Service-Type == Outbound-User, User-Profile := "outbound"
-# DEFAULT	Service-Type == Framed-User, User-Profile := "framed"
-#
-# By default the default_user_profile is not set
-#
-#default_user_profile = "DEFAULT"
-
 #######################################################################
 # Authorization Queries
 #######################################################################

src/modules/rlm_sql/rlm_sql.c

@@ -91,11 +91,9 @@ static const CONF_PARSER module_config[] = {
 	{ FR_CONF_OFFSET("password", FR_TYPE_STRING | FR_TYPE_SECRET, rlm_sql_config_t, sql_password), .dflt = "" },
 	{ FR_CONF_OFFSET("radius_db", FR_TYPE_STRING, rlm_sql_config_t, sql_db), .dflt = "radius" },
 	{ FR_CONF_OFFSET("read_groups", FR_TYPE_BOOL, rlm_sql_config_t, read_groups), .dflt = "yes" },
-	{ FR_CONF_OFFSET("read_profiles", FR_TYPE_BOOL, rlm_sql_config_t, read_profiles), .dflt = "yes" },
 	{ FR_CONF_OFFSET("sql_user_name", FR_TYPE_STRING | FR_TYPE_XLAT, rlm_sql_config_t, query_user), .dflt = "" },
 	{ FR_CONF_OFFSET("group_attribute", FR_TYPE_STRING, rlm_sql_config_t, group_attribute) },
 	{ FR_CONF_OFFSET("logfile", FR_TYPE_STRING | FR_TYPE_XLAT, rlm_sql_config_t, logfile) },
-	{ FR_CONF_OFFSET("default_user_profile", FR_TYPE_STRING, rlm_sql_config_t, default_profile), .dflt = "" },
 	{ FR_CONF_OFFSET("open_query", FR_TYPE_STRING, rlm_sql_config_t, connect_query) },
 
 	{ FR_CONF_OFFSET("authorize_check_query", FR_TYPE_STRING | FR_TYPE_XLAT | FR_TYPE_NOT_EMPTY, rlm_sql_config_t, authorize_check_query) },
@@ -129,15 +127,13 @@ fr_dict_autoload_t rlm_sql_dict[] = {
 
 static fr_dict_attr_t const *attr_fall_through;
 static fr_dict_attr_t const *attr_sql_user_name;
-static fr_dict_attr_t const *attr_user_profile;
 static fr_dict_attr_t const *attr_user_name;
 static fr_dict_attr_t const *attr_expr_bool_enum;
 
 extern fr_dict_attr_autoload_t rlm_sql_dict_attr[];
 fr_dict_attr_autoload_t rlm_sql_dict_attr[] = {
 	{ .out = &attr_fall_through, .name = "Fall-Through", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
 	{ .out = &attr_sql_user_name, .name = "SQL-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
-	{ .out = &attr_user_profile, .name = "User-Profile", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 	{ .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
 	{ .out = &attr_expr_bool_enum, .name = "Expr-Bool-Enum", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
 	{ NULL }
@@ -1279,7 +1275,6 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod
 
 	fr_pair_list_t		check_tmp;
 	fr_pair_list_t		reply_tmp;
-	fr_pair_t 		*user_profile = NULL;
 
 	bool			user_found = false;
 
@@ -1295,7 +1290,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod
 	fr_assert(request->reply != NULL);
 
 	if (!inst->config.authorize_check_query && !inst->config.authorize_reply_query &&
-	    !inst->config.read_groups && !inst->config.read_profiles) {
+	    !inst->config.read_groups) {
 		RWDEBUG("No authorization checks configured, returning noop");
 
 		RETURN_MODULE_NOOP;
@@ -1410,8 +1405,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod
 	}
 
 	/*
-	 *	Neither group checks or profiles will work without
-	 *	a group membership query.
+	 *	group checks require a group membership query.
 	 */
 	if (!inst->config.groupmemb_query) goto release;
 
@@ -1448,63 +1442,9 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod
 		}
 	}
 
-	/*
-	 *	Repeat the above process with the default profile or User-Profile
-	 */
-	if ((do_fall_through == FALL_THROUGH_YES) ||
-	    (inst->config.read_profiles && (do_fall_through == FALL_THROUGH_DEFAULT))) {
-		rlm_rcode_t	ret;
-		char const	*profile;
-
-		/*
-		 *  Check for a default_profile or for a User-Profile.
-		 */
-		RDEBUG3("... falling-through to profile processing");
-		user_profile = fr_pair_find_by_da(&request->control_pairs, NULL, attr_user_profile);
-
-		profile = user_profile ?
-				      user_profile->vp_strvalue :
-				      inst->config.default_profile;
-
-		if (!profile || !*profile) goto release;
-
-		RDEBUG2("Checking profile %s", profile);
-
-		if (sql_set_user(inst, request, profile) < 0) {
-			REDEBUG("Error setting profile");
-			rcode = RLM_MODULE_FAIL;
-			goto error;
-		}
-
-		rlm_sql_process_groups(&ret, inst, request, &handle, &do_fall_through);
-		switch (ret) {
-		/*
-		 *	Nothing bad happened, continue...
-		 */
-		case RLM_MODULE_UPDATED:
-			rcode = RLM_MODULE_UPDATED;
-			FALL_THROUGH;
-
-		case RLM_MODULE_OK:
-			if (rcode != RLM_MODULE_UPDATED) rcode = RLM_MODULE_OK;
-			FALL_THROUGH;
-
-		case RLM_MODULE_NOOP:
-			user_found = true;
-			break;
-
-		case RLM_MODULE_NOTFOUND:
-			break;
-
-		default:
-			rcode = ret;
-			goto release;
-		}
-	}
-
 	/*
 	 *	At this point the key (user) hasn't be found in the check table, the reply table
-	 *	or the group mapping table, and there was no matching profile.
+	 *	or the group mapping table.
 	 */
 release:
 	if (!user_found) rcode = RLM_MODULE_NOTFOUND;

src/modules/rlm_sql/rlm_sql.h

@@ -97,9 +97,6 @@ typedef struct {
 
 	char const		*group_attribute;		//!< Name of the group attribute.
 
-	char const		*default_profile;		//!< Default profile to use if no other
-								//!< profiles were configured.
-
 	char const		*authorize_check_query;		//!< Query used get check VPs for a user.
 	char const 		*authorize_reply_query;		//!< Query used get reply VPs for a user.
 	char const		*authorize_group_check_query;	//!< Query used get check VPs for a group.
@@ -112,10 +109,6 @@ typedef struct {
 								//!< If false, Fall-Through = yes is required
 								//!< in the previous reply list to process
 								//!< groups.
-	bool			read_profiles;			//!< Read user profiles by default.
-								//!< If false, Fall-Through = yes is required
-								//!< in the previous reply list to process
-								//!< profiles.
 	char const		*logfile;			//!< Keep a log of all SQL queries executed
 								//!< Useful for batch insertion with the
 								//!< NULL drivers.

src/tests/modules/sql_mysql/module.conf

@@ -21,7 +21,6 @@ sql {
 	groupreply_table = "radgroupreply"
 	usergroup_table = "radusergroup"
 	read_groups = yes
-	read_profiles = yes
 
 	# Remove stale session if checkrad does not see a double login
 	delete_stale_sessions = yes

src/tests/modules/sql_postgresql/module.conf

@@ -21,7 +21,6 @@ sql {
 	groupreply_table = "radgroupreply"
 	usergroup_table = "radusergroup"
 	read_groups = yes
-	read_profiles = yes
 
 	# Remove stale session if checkrad does not see a double login
 	delete_stale_sessions = yes

src/tests/modules/sql_sqlite/module.conf

@@ -21,7 +21,6 @@ sql {
 	groupreply_table = "radgroupreply"
 	usergroup_table = "radusergroup"
 	read_groups = yes
-	read_profiles = yes
 
 	# Remove stale session if checkrad does not see a double login
 	delete_stale_sessions = yes