Plug-in Question

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Sun Jul 8 11:09:45 CEST 2007


Phil Mayers wrote:
>>> Why do this? The ability to log things to sql post-auth is very useful and I 
>>> believe fairly widely used. What is the advantage of removing it?
>>>
>> Right, so you wanting to authorize people in post-auth using .... then 
>> there's a conflict. You can't select whether you want to use the logging 
>> function of rlm_sql or the authorisation function.
>
> Of course you can:
>
> post-auth {
>   sql # does the logging
>
>   if (%{control:Foo-Bar}=="baz") {
>     update reply {
>       # does the "authorization"
>       Baz-Attr = %{sql:select bazattr from ...}
>     }
>   }
> }
>   
That doesn't replicate the authorisation capabilities of the SQL module 
at all?!
SQL XLAT only allows you to write one column and one row to one 
attribute, it would take hundreds of queries and a few pages of logic to 
replicate SQL authorisation in unlang..
> In *fact* since sql_xlat function only supports SELECT, there's no way of
> executing an SQL modify (insert, update, delete) using %{sql:} syntax -
> so you *have* to retain the sql post-auth logging function.
>
>   
Ah didn't know that.

But I see Alan has some suggestions...

Replacing the current post-auth query with unlang is by far the lesser 
of two evils, in that it would take oh... all of three lines, and could 
be written easily into the 2.0 default config. There's also the fact that 
most people using the post-auth query have modified it in some way, and 
putting it in an easy to find and edit place can only be a good thing.
> The unlang is nice, but let's not all lose sight of the proven, working
> and tested mechanisms in the server.
>
> And while we're on the subject - let's not get caught up in some comp.
> sci. disagreement of what is authz versus authn. I agree that the 1.1.x
> terminology is very slightly confusing, and a slightly less ambiguous
> rename is good, but breaking working functionality at the same time is
> just plain wrong.
>
>   
Ok I was just pointing out a huge great big glaring issue with moving 
all authorisation stuff to post-auth...
We would need a post-post-auth section, or a post-auth-logging section ...
Or even the ability to pass arguments to modules...