On 26/07/2019 21.14, Christopher Bongaarts wrote:
This last point troubles me a bit; it seems like if something happened
so the Access-Reject got lost, a user could be granted access when the
hook would have denied them.

I can see a couple ways to work around this:
- Use a

We're implementing some additional authorization checks in some of our
Handlers by using PostAuthHook to perform the checks and update the
return status accordingly. These checks are using LDAP attributes
returned from the auth check (using AuthAttrDef to make them available
to the hooks).