Skip authorize if proxy? Preprocess deprecated?

Alan DeKok aland at deployingradius.com
Thu Feb 2 16:13:56 UTC 2023


On Feb 2, 2023, at 10:09 AM, contact at brindereseau.fr wrote:
> Thanks for FreeRADIUS and the incredible amount of work. The more I use it, the more I love it, especially Unlang which allows for flexible and specific pre and post processing.

  I'm glad to hear that.  We've put a lot of effort into it.

> I just wonder about the RADIUS sequence (v3 but v4 may be also concerned):

  I'd suggest avoiding v4.  It works, but it's undergoing re-architecture on a daily basis.  The configuration format may change over time.  So it's only suitable for production use if you keep on top of all of the changes.

> why neither the default sequence or the doc suggests to employ such a below logic?
> 
> authorize {
>    filter_username
>    suffix
> 
>    if (!&control:Proxy-To-Realm) { # or check "&control.Auth-Type" in v4
>      sql
>      my_super_module
>      my_other_module
>      # some other things...
>      chap
>      pap
>    }
> }
> 
> My point being: once we know that proxy is needed (told by "suffix" usually), it seems to me the rest of "authorize" section can be skipped *in most cases*.

  Yes.

> It would gain some time and prevent potential side effects by subsequent modules (depending on what they do, of course).
> Or am I wrong? Did I miss something?

  You're right.

  But the server rarely forces you to work in a certain way.  A module could decide to proxy, and then another module could cancel that proxy request.

  For your situation above, you could do:

authorize {
   filter_username
   suffix

   if (&control:Proxy-To-Realm) {
	return
   }

   sql
   ... other stuff which is run only when it's not proxying.

> Also, yet not related, is "preprocess" actually deprecated in favor of a custom module in Unlang?
> Or is there a reason to still use it (execution time, backward compatibility)?
> It seems to have disappeared in v4.

  The "preprocess" module was really only for the "hints" and "huntgroups"  files.  That functionality is done more easily by other modules in v4, so the "preprocess" module was removed.

  But again... only use v4 if you know it's limitations, and are willing to accept them.

  Alan DeKok.



More information about the Freeradius-Users mailing list