Deleting reply items before post-proxy
Hugh Messenger
hugh at alaweb.com
Thu Aug 30 20:20:27 CEST 2007
Alan DeKok said:
> Eddie Stassen wrote:
> > I was trying to get rid of my 'post-proxy-authorize' dependency and
> > found that any attributes added during the authorize stage are removed
> > when the proxy reply is received. Surely this is not intended
> > behaviour
>
> Yes. The problem is that the "authorize" stage is usually done wrong,
> for reasons that go back to the original implementation.
>
> The authorize section often updates the *reply*, which is just plain
> backwards. Instead, the authorize section should set the stage for the
> authentication stage, i.e. known passwords, group checking, etc. Once
> the user is authenticated, the post-authenticate section should set the
> reply.
Which is great in theory, but as Arran pointed out, not so easy in practice,
especially if you are trying to do everything from SQL.
I second the request for a "yes_I_(think)_I_know_what_I_am_doing" switch we
can use to turn that behavior off, until such time as rlm_sql allows us to
do things "the right way" without jumping through too many hoops?
> Alan DeKok.
-- hugh
More information about the Freeradius-Devel
mailing list