Alan DeKok wrote:
Yes, the debug output helped. It looks like it's an issue with src/main/exec.c. The code calling module_authorize() should treat FAIL the same as REJECT.
Is that src/main/exec.c or src/main/auth.c? If I look at src/main/auth.c I see the following : int rad_authenticate(REQUEST *request) { ... /* Get the user's authorization information from the database */ autz_redo: result = module_authorize(autz_type, request); switch (result) { case RLM_MODULE_NOOP: case RLM_MODULE_NOTFOUND: case RLM_MODULE_OK: case RLM_MODULE_UPDATED: break; case RLM_MODULE_FAIL: case RLM_MODULE_HANDLED: return result; case RLM_MODULE_INVALID: case RLM_MODULE_REJECT: case RLM_MODULE_USERLOCK: default: ... Is this the code you are referring to? Should RLM_MODULE_FAIL go in with the last few that drop into the default case? So this would fix it : result = module_authorize(autz_type, request); switch (result) { case RLM_MODULE_NOOP: case RLM_MODULE_NOTFOUND: case RLM_MODULE_OK: case RLM_MODULE_UPDATED: break; /*case RLM_MODULE_FAIL:*/ case RLM_MODULE_HANDLED: return result; case RLM_MODULE_FAIL: case RLM_MODULE_INVALID: case RLM_MODULE_REJECT: case RLM_MODULE_USERLOCK: default: Makes sense, because the default case returns a reject... Alan you are a genius! Is this even considered a bug? Can we expect this to be changed in the future? Thanks a stack for all the time Alan! -- Q: I want to be a sysadmin. What should I do? A: Seek professional help. ---------------------------------------------------------------------- Get a free email address with REAL anti-spam protection. http://www.bluebottle.com/tag/1