SQL setting auth-type & return codes

Alan DeKok aland at deployingradius.com
Wed Mar 5 19:00:58 CET 2008


Phil Mayers wrote:
> I was going to knock out a quick concept patch but I see it's not a
> trivial patch; before I make the effort to code it I thought I'd check:
> 
> It seems useful for the sql module to set the return code to
> RLM_MODULE_REJECT if the Auth-Type gets set to reject - the specific use
> case I have is an unlang policy like so:

  It's much easier to update src/main/modules.c, function modcall().
That way, *any* module updating Auth-Type will have it's return code
over-ridden to 'reject'.

  e.g.
	...
	int saw_reject = FALSE;
	...
	myresult = call_modsingle(...);
	if (!saw_reject && (compenent == RLM_COMPONENT_AUTH) &&
	    ((myresult == RLM_MODULE_OK) ||
	     (myresult == RLM_MODULE_UPDATED)) {
		VALUE_PAIR *vp = pairfind(request->config_items,
				PW_AUTHTYPE);
	        if (vp && (vp->vp_integer == PW_AUTHTYPE_REJECT) {
			saw_reject = TRUE;
			myresult = RLM_MODULE_REJECT;
		}
	}
	...

> ...and it would be nice if members of the "banned" group stopped
> processing early.

  Yes.  Reject should mean "reject NOW!"

  Alan DeKok.



More information about the Freeradius-Users mailing list