Plug-in Question
Phil Mayers
p.mayers at imperial.ac.uk
Sun Jul 8 03:43:04 CEST 2007
> >
> > Why do this? The ability to log things to sql post-auth is very usefull and I
> > believe fairly widely used. What is the advantage of removing it?
> >
> >
> Right, so you wanting to authorize people in post-auth using .... then
> theres a conflict. You can't select whether you want to use the logging
> function of rlm_sql or the authorisation function.
Of course you can:
post-auth {
sql # does the logging
if (%{control:Foo-Bar}=="baz") {
update reply {
# does the "authorization"
Baz-Attr = %{sql:select bazattr from ...}
}
}
}
In *fact* since sql_xlat function only support SELECT, there's no way of
executing an SQL modify (insert, update, delete) using %{sql:} syntax -
so you *have* to retain the sql post-auth logging function.
The unlang is nice, but lets not all lose sight of the proven, working
and tested mechanisms in the server.
And while we're on the subject - lets not get caught up in some comp.
sci. disagreement of what is authz versus authn. I agree that the 1.1.x
terminology is very slightly confusing, and a slightly less ambiguous
rename is good, but breaking working functionality at the same time is
just plain wrong.
More information about the Freeradius-Users
mailing list