April 22, 2019 7:50 PM, "Arran Cudbard-Bell" <a.cudbardb@freeradius.org> wrote:
On Apr 22, 2019, at 12:12 PM, Martin Gignac <martin.gignac@gmail.com> wrote:
Hi Arran,
Thanks for you response. I initially assumed that I should put:
rest if (updated) { ok }
rest { updated = 1 } if (updated) { ok }
It's because the default action for updated in authenticate is return, so it just exits the authenticate section.
Authenticate in FreeRADIUS is meant to be for a module that runs locally on the server and does some sort of authentication by comparing the contents of the incoming packet with some secret information the server has access to. Local authentication modules don't usually return updated, which is why its counted as a failure if one does.
There's no real issue doing what you're doing though, just explaining why it doesn't work out of the box and you need to jump through a couple of extra hoops.
...and arguably the action for updated probably shouldn't be return, as it strongly hints there are more modules that need to be called. I guess the return code priorities/actions were probably set in < v1.0.x, where there was no policy language, and there you really would only ever call one module in authenticate.
So that leaves two more permanent fixes, either:
- rlm_rest only returns "OK" for its authenticate method, which probably means it should just ignore body data. Then if you wanted to do what you're doing now you'd call rest.authorize instead.
Reading https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail... and relating to HTTP 204 vs. 200 semantics I would think "updated" rcode is a natural fit for rest.authorize, right? I am also still unsure about rest.authenticate though.
- The updated rcode in should be given a non 'return' priority.
I don't know if we can make either of those changes in v3.0.x, but maybe we can change it in v4.0.x.
Any though's Alan DeKok, Matthew Newton et al?
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html