In article <199604191904.MAA22909@stilton.cisco.com>,
David Carrel  <carrel@cisco.com> wrote:
> get's done by who and how.  This whole thread is basically one of designing
> a versitaille authorization engine for login.  Basically this callout is
> taking the user's identity (authenticated by login) and performing a set of
> tasks based on that identity, the location and anything else the callout
> script wishes to use (time of day, phase of the moon, ...).  It would make

The fbtab/tty_relatives/tty_action/whatever being discussed is not about
authentication/authorization. It's run AFTER the user is validated for
login, which is too late to do anything useful. I agree with Gordon
here; don't try to jam additional functionality here where it doesn't
belong. I already have plans for a separate mechanism to handle the
other things.

> this much more powerful to simply add the ability for the callout script to
> say "no, do not allow this user to continue", at which point they are

Again, it's too late. You don't want to say "no, don't let them login"
after they're already been validated. You want to do that beforehand,
and in fact you want the mechanism to control not only if they're
validated, but _how_.