Phil Mayers wrote: > I was going to knock out a quick concept patch but I see it's not a > trivial patch; before I make the effort to code it I thought I'd check: > > It seems useful for the sql module to set the return code to > RLM_MODULE_REJECT if the Auth-Type gets set to reject - the specific use > case I have is an unlang policy like so:
It's much easier to update src/main/modules.c, function modcall(). That way, *any* module updating Auth-Type will have it's return code over-ridden to 'reject'. e.g. ... int saw_reject = FALSE; ... myresult = call_modsingle(...); if (!saw_reject && (compenent == RLM_COMPONENT_AUTH) && ((myresult == RLM_MODULE_OK) || (myresult == RLM_MODULE_UPDATED)) { VALUE_PAIR *vp = pairfind(request->config_items, PW_AUTHTYPE); if (vp && (vp->vp_integer == PW_AUTHTYPE_REJECT) { saw_reject = TRUE; myresult = RLM_MODULE_REJECT; } } ... > ...and it would be nice if members of the "banned" group stopped > processing early. Yes. Reject should mean "reject NOW!" Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html