Plug-in Question

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Fri Jul 6 11:23:37 CEST 2007


Alan DeKok wrote:
> Tomas Hoger wrote:
>   
>> Isn't "authorize" better place for that?  Even name suggests
>> authorization should be done there... ;)
>>     
>
>   No.  "authorize" is run before authentication for historical reasons.
>
>   Policies should really be applied *after* a user authenticates, which
> means post-auth.
>   
But that's not how modules are currently configured to work.
So policies have to be applied in *authorize* if SQL or LDAP is used for 
authorisation.

"Authorisation" has to be done before authentication when proxying, as 
the server will only proxy at the end of the authorise section ....

Btw, server appears to be leaking scary amounts of memory, I'm going to 
try and track it down to something in the config...

After 50,000 PAP authentications (running in parallel sets of 15) it had 
leaked about 20mb, and was still increasing ....
I set the threads to die after 100 authentications, but didn't seem to 
make any difference.

Will try with standard config/32bit build and get back to you.

Haven't found any new bugs recently ... well only ones created by my own 
stupidity ;)

Be interested to see how return codes are when they work properly.

Keep up the good work :)

--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900



