Phil Mayers wrote:
I was going to knock out a quick concept patch but I see it's not a trivial patch; before I make the effort to code it I thought I'd check:
It seems useful for the sql module to set the return code to RLM_MODULE_REJECT if the Auth-Type gets set to reject - the specific use case I have is an unlang policy like so:
It's much easier to update src/main/modules.c, function modcall(). That way, *any* module updating Auth-Type will have it's return code over-ridden to 'reject'. e.g. ... int saw_reject = FALSE; ... myresult = call_modsingle(...); if (!saw_reject && (compenent == RLM_COMPONENT_AUTH) && ((myresult == RLM_MODULE_OK) || (myresult == RLM_MODULE_UPDATED)) { VALUE_PAIR *vp = pairfind(request->config_items, PW_AUTHTYPE); if (vp && (vp->vp_integer == PW_AUTHTYPE_REJECT) { saw_reject = TRUE; myresult = RLM_MODULE_REJECT; } } ...
...and it would be nice if members of the "banned" group stopped processing early.
Yes. Reject should mean "reject NOW!" Alan DeKok.