Hi, On Mon, 13 Jun 2016 at 15:09 Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
{cut}
We run a 'frontend' server that proxies requests to a number of backends, those backends reply with a number of attributes that define the service. We check the attributes to make sure they form a logical setup. One of those checks is quite convoluted and we've resorted to turning it into a REST call. Since the rlm_rest doesn't support post-proxy we make that call in post-auth.
You can do
post-proxy { rest.post-auth }
if you like...
Ok, this could help, but in our case is more cosmetic than anything (we have some other stuff in post-auth anyway). {cut}
Now, with the rlm_rest module as far a we can tell there is no way to reject a session and update the Reply-Message in one go. Even if we return 'Auth-Type := Reject' the session still get's admitted, if the code is 401 - then the session is rejected, but the body is not parsed (as per the docs). For now we've settled on an internal attribute that signals that the session should be rejected, and we return it from REST (together with the Reply-Message), and later look for it to change Auth-Type to Reject.
I was wondering if there is any simpler way of doing it.
Assuming you're not using the authentication behaviour elsewhere
post-auth { rest.authenticate }
Then you can return 401 and get the body decoded.
ok, we use unlang to verify a number of conditions and only use REST if the result returned by unlang is not conclusive enough to determine the outcome (for example the data for the particular user is not cached locally yet or the cache expired) . I don't have access to a test system right now, but will 'rest.authenticate' allow us to reject from unlang as well (in post-auth).
kind regards Pshem