Alan DeKok wrote:
Tomas Hoger wrote:
Isn't "authorize" better place for that? Even name suggests authorization should be done there... ;)
No. "authorize" is run before authentication for historical reasons.
Policies should really be applied *after* a user authenticates, which means post-auth.
But thats not how modules are currently configured to work. So policies have to be applied in *authorize* if SQL or LDAP is used for authorisation. "Authorisation" has to be done before authentication when proxying, as the server will only proxy at the of the authorise section .... Btw Server appears to be leaking scary amounts of memory, i'm going to try and track it down to something in the config... After 50,000 pap authentications (running in parallel sets of 15) it had leaked about 20mb , and was still increasing .... I set the threads to die after 100 authentications, but didn't seem to make any difference. Will try with standard config/32bit build and get back to you. Haven't found any new bugs recently ... well only ones created by my own stupidity ;) Be interested to see how return codes are when they work properly . Keep up the good work :) -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900