Phil Mayers wrote:
> How about a config item like so:
> 
> username      Pap-Auth-DelegateTo := "moduleinstancename"
> 
> and make rlm_pap the ONLY valid option in authorize/authenticate.
> 
> rlm_pap, when called in authenticate, checks if the config item is set. 
> If so, it finds the given module instance and passes the authenticate 
> request to it.

  Hmm... I'm not so sure.

> Many of the "oracles" (nice name) need little or no code to be executed 
> in authorize. LDAP is about the only one I can think of.

  Yes.  But even with LDAP, you can configure LDAP bind without doing
user lookups in LDAP.

  I'll think about it some more.  A good solution is difficult to come
up with.

> I could see this having real use in other situations - it would obviate 
> the need for Autz-Type in some "merger" situations.

  I'm not sure what you mean by that.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
