On Feb 2, 2023, at 10:09 AM, contact@brindereseau.fr wrote:
Thanks for FreeRADIUS and the incredible amount of work. The more I use it, the more I love it, especially Unlang which allows for flexible and specific pre and post processing.
I'm glad to hear that. We've put a lot of effort into it.
I just wonder about the RADIUS sequence (v3 but v4 may be also concerned):
I'd suggest avoiding v4. It works, but it's undergoing re-architecture on a daily basis. The configuration format may change over time. So it's only suitable for production use if you keep on top of all of the changes.
why neither the default sequence or the doc suggests to employ such a below logic?
authorize { filter_username suffix
if (!&control:Proxy-To-Realm) { # or check "&control.Auth-Type" in v4 sql my_super_module my_other_module # some other things... chap pap } }
My point being: once we know that proxy is needed (told by "suffix" usually), it seems to me the rest of "authorize" section can be skipped *in most cases*.
Yes.
It would gain some time and prevent potential side effects by subsequent modules (depending on what they do, of course). Or am I wrong? Did I miss something?
You're right. But the server rarely forces you to work in a certain way. A module could decide to proxy, and then another module could cancel that proxy request. For your situation above, you could do: authorize { filter_username suffix if (&control:Proxy-To-Realm) { return } sql ... other stuff which is run only when it's not proxying.
Also, yet not related, is "preprocess" actually deprecated in favor of a custom module in Unlang? Or is there a reason to still use it (execution time, backward compatibility)? It seems to have disappeared in v4.
The "preprocess" module was really only for the "hints" and "huntgroups" files. That functionality is done more easily by other modules in v4, so the "preprocess" module was removed. But again... only use v4 if you know it's limitations, and are willing to accept them. Alan DeKok.