Alan DeKok said:
Eddie Stassen wrote:
I was trying to get rid of my 'post-proxy-authorize' dependency and found that any attributes added during the authorize stage are removed when the proxy reply is received. Surely this is not intended behaviour
Yes. The problem is that the "authorize" stage is usually done wrong, for reasons that go back to the original implementation.
The authorize section often updates the *reply*, which is just plain backwards. Instead, the authorize section should set the stage for the authentication stage, i.e. known passwords, group checking, etc. Once the user is authenticated, the post-authenticate section should set the reply.
Which is great in theory, but as Arran pointed out, not so easy in practice, especially if you are trying to do everything from SQL. I second the request for a "yes_I_(think)_I_know_what_I_am_doing" switch we can use to turn that behavior off, until such time as rlm_sql allows us to do things "the right way" without jumping through too many hoops?
Alan DeKok.
-- hugh