Alan DeKok wrote:
> 
>   In addition, if anyone can figure out a clear way to configure this in
> the server, I'd like to know...


How about a config item like so:

username        Pap-Auth-DelegateTo := "moduleinstancename"

and make rlm_pap the ONLY valid option in authorize/authenticate.

rlm_pap, when called in authenticate, checks if the config item is set. 
If so, it finds the given module instance and passes the authenticate 
request to it.

Many of the "oracles" (nice name) need little or no code to be executed 
in authorize. LDAP is about the only one I can think of.

I could see this having real use in other situations - it would obviate 
the need for Autz-Type in some "merger" situations.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
