Using rlm_caching: rejects on cached requests

Jeroen Scheerder Jeroen.Scheerder at on2it.net
Thu Apr 26 10:28:21 CEST 2012


On 26 Apr 2012(Q2, W17), at 10:01, Alan DeKok wrote:

> Jeroen Scheerder wrote:
>> I've modified rlm_caching.c thusly:
>> 
>>        if ((auth_type = pairfind(request->config_items, PW_AUTH_TYPE)) != NULL){
>>                DEBUG("rlm_caching: Found Auth-Type, value: '%s'",auth_type->vp_strvalue);
>>                /* JS - set Auth-Type to 'Accept' if unset */
>>                if (strcmp(auth_type->vp_strvalue,"") == 0){
> 
>  Except that Auth-Type is an "integer" attribute.  So why look at the
> string when you can look at the integer value?

That's a valid question.  I've followed the way it was done in rlm_caching.c.

Actually, that's found in src/main/auth.c as well:

                        auth_type = pairfind(request->config_items,
                                             PW_AUTH_TYPE);
                        if (auth_type && (auth_type->vp_strvalue[0] != '\0')) {

> 
>  i.e. *What* is the integer value when the string is empty?

I'm printing auth_type->vp_integer as well.  The result:

	rlm_caching: Found Auth-Type, int value: 1024, string value: ''


> 
>>                        DEBUG("rlm_caching: Auth-Type unset, assigning value: '%s'", "Accept");
>>                        strcpy(auth_type->vp_strvalue, "Accept");
>>                }
>>                if (strcmp(auth_type->vp_strvalue,"Reject") == 0 && data->cache_rejects == 0){
> 
>  See src/main/auth.c.  You shouldn't do strcmp().

Well, that's just rlm_caching.c as is.  I'm sure it can be improved.

>> Note that actual rejects don't seem to make the caching_postauth function, for whatever reason.
> 
>  Because you didn't list "caching" in the "Post-Auth-Type Reject" section.

Added it.  Interestingly, rejected requests then enter rlm_caching as follows:

	rlm_caching: Found Auth-Type, int value: 1024, string value: ''
	rlm_caching: Auth-Type unset, assigning value: 'Accept'
	rlm_caching: The Request does not contain any reply attributes
> 
>> This seems to be working.  No doubt somebody'll step in and tell me how utterly wrong this is. :-)
> 
>  I'd like to understand *why* the value is wrong.  If it's cached, it
> should cache the working value.

I agree.  Yet I always seem to get a vp_integer of 1024 and a vp_str of '', regardless of accepted or rejected auths.
> 
>> Still, I'm content so far.  But I have one more thing to take care of: I'd like to enable caching only for specific clients.  How could I accomplish that?
> 
>  "man unlang".  Write conditional checks around the caching module.

That'll do wonders.  Thanks.

Regards, Jeroen
-- 
Jeroen Scheerder
ON2IT B.V.
Steenweg 17 B
4181 AJ WAARDENBURG
T: +31 418-653818 | F: +31 418-653716
W: www.on2it.net  | E: Jeroen.Scheerder at on2it.net

Premier Business Partner - IBM  |  Reseller of the Year 2011 - Palo Alto Networks
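
Added example, not part of the original message and not FreeRADIUS code: a simplified C model that ASSUMES an attribute's string and integer values share one storage union (demo_pair and its helpers are hypothetical names). Under that assumption it shows why a string test on an integer attribute reports "empty" for the value 1024 seen in the debug output, and what a string write does to the integer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for an attribute value (not the real
 * VALUE_PAIR): ASSUMES the string and integer views share one storage area. */
typedef union {
    char     strvalue[254];
    uint32_t integer;
} demo_value;

typedef struct {
    demo_value data;
} demo_pair;

#define DEMO_AUTH_TYPE_SAMPLE 1024u /* integer value from the debug output */

/* Mirrors the string-based "is it unset?" test discussed in the thread. */
static int looks_unset_by_string(const demo_pair *vp)
{
    return strcmp(vp->data.strvalue, "") == 0;
}

/* Type-appropriate test for an integer attribute. */
static int matches_by_integer(const demo_pair *vp, uint32_t expected)
{
    return vp->data.integer == expected;
}

/* Mirrors writing a name into the string view; returns the resulting integer. */
static uint32_t integer_after_string_write(demo_pair *vp, const char *s)
{
    snprintf(vp->data.strvalue, sizeof(vp->data.strvalue), "%s", s);
    return vp->data.integer;
}

int main(void)
{
    demo_pair vp;
    memset(&vp, 0, sizeof(vp));
    vp.data.integer = DEMO_AUTH_TYPE_SAMPLE; /* 0x00000400: first byte is 0 */

    printf("int=%u str='%s' unset_by_string=%d match_by_int=%d\n",
           (unsigned)vp.data.integer, vp.data.strvalue,
           looks_unset_by_string(&vp),
           matches_by_integer(&vp, DEMO_AUTH_TYPE_SAMPLE));
    printf("after string write: int=%u\n",
           (unsigned)integer_after_string_write(&vp, "Accept"));
    return 0;
}
```

The first byte of 1024 is zero in both byte orders, so the string view is empty even though the integer is set; after the string write the integer holds the bytes of "Acce" rather than a dictionary value.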


