Phil Mayers wrote:
> I am suggesting that in some sense (and obviously, it's only my opinion,
> and as I say it's only doable to an extent with newer FR versions) the
> following is better:
>
> authenticate {
> Auth-Type PAP {
> krb5
> }
> }
>
> That is, that the Auth-Type be set to reflect the algorithm in the
> radius request, and not the backend processing that request.
OK... This makes sense, as long as all services using PAP need to use
the rlm_krb5 back end.
Now, in my case (perhaps I should have mentioned this before), I have
other services that use PAP, but not Kerberos (just Crypt-Password from
a local database). So this really is the ">1 competing module for a
given Auth-Type": I'd declare two different PAP Auth-Types, then set
the appropriate one in the authorization module for each service.
IOW, this is pretty much just what I'm doing now, except that the
Auth-Type that invokes rlm_krb5 is explicitly declared in the
authenticate{} section, which is not the case for "Kerberos" in FR 1.0.5.
--
George C. Kaplan [EMAIL PROTECTED]
Communication & Network Services 510-643-0496
University of California at Berkeley
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
