authorize { ... if (("%{User-Name}" == "bob") || (5 > 3)) { sql detail ... } } Sound useful? :) The downside is that the existing checks in -pre0 for the return code of the previous module won't work e.g. if "handled|ok" { ... will now be broken. If this is OK, I'll check in the new code. With a little bit more work, I should be able to add the ability to check the return code of the modules, too. There are limitations, of course. The "if" condition has to fit all on one line, because the parser for "radiusd.conf" is very dumb. But it works for the tests I've come up with. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan Dekok wrote:
authorize { ...
if (("%{User-Name}" == "bob") || (5 > 3)) { sql detail ... }
}
Sound useful? :)
The downside is that the existing checks in -pre0 for the return code of the previous module won't work e.g.
if "handled|ok" { ...
will now be broken. If this is OK, I'll check in the new code. With a little bit more work, I should be able to add the ability to check the return code of the modules, too.
There are limitations, of course. The "if" condition has to fit all on one line, because the parser for "radiusd.conf" is very dumb. But it works for the tests I've come up with.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Yes this is a far better way of doing things !! Could you use regexp in conditions ? And could you make them work in instantiate as well as authorize ? -- Arran
Arran Cudbard-Bell wrote:
Yes this is a far better way of doing things !!
Yup.
Could you use regexp in conditions ?
Once the code is written, yes. It's not hard.
And could you make them work in instantiate as well as authorize ?
Why? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
And could you make them work in instantiate as well as authorize ?
Why?
So you can have fail over if modules in instantiate don't start correctly. E.g when your loading clients list from SQL / LDAP , and it can't contact the first server so bails. Would be nice for it instead, to be able to switch to a secondary ... I can just think of all kinds of instances, where something breaks and i'm not on site, and someone tries to restart the RADIUS server and finds they can't ... It's just to try and make everything as bomb proof as possible ... cheers -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Arran Cudbard-Bell wrote:
So you can have fail over if modules in instantiate don't start correctly.
Due to the way the server is designed, it's probably better to update the modules so that it's *not* a catastrophic failure if they can't connect to the DB on startup. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Mon, May 21, 2007 at 04:14:18PM +0200, Alan Dekok wrote:
authorize { ...
if (("%{User-Name}" == "bob") || (5 > 3)) { sql detail ... }
}
Sound useful? :)
Yes, very. It's very clean compared to the alternative of setting Autz-Type, etc. in a users file (our config uses that approach heavily, and it's somewhat ugly; this info really *should* be in the .conf file...).
The downside is that the existing checks in -pre0 for the return code of the previous module won't work e.g.
if "handled|ok" { ...
will now be broken.
I think this is a worthwhile tradeoff, since the return code control flow is (at least partly) covered with the existing: foo { notfound=return } syntax.
If this is OK, I'll check in the new code. With a little bit more work, I should be able to add the ability to check the return code of the modules, too.
-- Chris Mikkelson | Slashdot: because a million lemmings can't cmikk@qwest.net | be wrong.
On May 22, 2007 1:52:59 AM +0000 Chris Mikkelson <cmikk@qwest.net> wrote:
On Mon, May 21, 2007 at 04:14:18PM +0200, Alan Dekok wrote:
authorize { ...
if (("%{User-Name}" == "bob") || (5 > 3)) { sql detail ... }
}
Sound useful? :)
Yes, very. It's very clean compared to the alternative of setting Autz-Type, etc. in a users file (our config uses that approach heavily, and it's somewhat ugly; this info really *should* be in the .conf file...).
The advantage of the users file is that you don't need to restart the server to make changes. -frank
Chris Mikkelson wrote:
Yes, very. It's very clean compared to the alternative of setting Autz-Type, etc. in a users file (our config uses that approach heavily, and it's somewhat ugly; this info really *should* be in the .conf file...).
Yes. I suspect that with another few hundred lines of code, 100% of the "users" file functionality can go into radiusd.conf. Whether that's a good idea is another question.
I think this is a worthwhile tradeoff, since the return code control flow is (at least partly) covered with the existing:
foo { notfound=return }
Mostly. Not completely, but mostly. Still, I think it's worth doing. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (4)
-
Alan Dekok -
Arran Cudbard-Bell -
Chris Mikkelson -
Frank Cusack