Plug-in Question
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Sun Jul 8 11:09:45 CEST 2007
Phil Mayers wrote:
>>> Why do this? The ability to log things to sql post-auth is very useful and I
>>> believe fairly widely used. What is the advantage of removing it?
>>>
>>>
>>>
>> Right, so you wanting to authorize people in post-auth using .... then
>> there's a conflict. You can't select whether you want to use the logging
>> function of rlm_sql or the authorisation function.
>>
>
> Of course you can:
>
> post-auth {
>     sql # does the logging
>
>     if (%{control:Foo-Bar}=="baz") {
>         update reply {
>             # does the "authorization"
>             Baz-Attr = %{sql:select bazattr from ...}
>         }
>     }
> }
>
That doesn't replicate the authorisation capabilities of the SQL module
at all ?!
SQL XLAT only allows you to write one column and one row to one
attribute, it would take hundreds of queries and a few pages of logic to
replicate SQL authorisation in unlang..
> In *fact* since sql_xlat function only support SELECT, there's no way of
> executing an SQL modify (insert, update, delete) using %{sql:} syntax -
> so you *have* to retain the sql post-auth logging function.
>
>
Ah didn't know that.
But I see Alan has some suggestions...
Replacing the current post-auth query with unlang is by far the lesser
of two evils, in that it would take oh... all of three lines, and could
be written easily into the 2.0 default config. There's also the fact that
most people using the post-auth query have modified it in some way, and
putting it in an easy to find and edit place can only be a good thing.
> The unlang is nice, but let's not all lose sight of the proven, working
> and tested mechanisms in the server.
>
> And while we're on the subject - let's not get caught up in some comp.
> sci. disagreement of what is authz versus authn. I agree that the 1.1.x
> terminology is very slightly confusing, and a slightly less ambiguous
> rename is good, but breaking working functionality at the same time is
> just plain wrong.
>
>
Ok I was just pointing out a huge great big glaring issue with moving
all authorisation stuff to post-auth...
We would need a post-post-auth section, or a post-auth-logging section...
Or even the ability to pass arguments to modules...