On Thu, Feb 06, 2003 at 10:53:13AM -0000, Scott Bartlett wrote:

[...]

> Someone pls correct me if I'm wrong, but otherwise then if I'm guessing
> right then it seems that people *only* using MySQL can basically not
> worry about having auth-types set (at least until FR enforces checking
> one!). 

If you want something other than 'local' authentication you need to set
the auth-type.

From src/main/files.c:

/*
 *      Fixup a check line.
 *      If User-Password or Crypt-Password is set, but there is no
 *      Auth-Type, add one (kludge!).
 */
static void auth_type_fixup(VALUE_PAIR **check)
{

[...]
                if (vp->attribute == PW_PASSWORD) {
                        c = vp;
                        n = PW_AUTHTYPE_LOCAL;
                }
                if (vp->attribute == PW_CRYPT_PASSWORD) {
                        c = vp;
                        n = PW_AUTHTYPE_CRYPT;
                }
[...]

As the 'kludge' comment shows, not setting an auth-type is rather ugly.

> I'm sure if you're doing more complex stuff you'll need to set it
> appropriately... but I'm not, so I can't be sure...
> 
> Based on the feedback to this thread, I should probably adjust that web
> page to indicate that the auth-type should go in rad(group)check and not
> rad(group)reply, yes?   (and I'm off to re-re-read the docs again...
> Heh...)

Yes, probably.

Wouldn't it in fact in the long run be better to remove the 'local'
auth-type completely and force usage of PAP or CHAP instead?
The PAP and CHAP modules do everything and more that 'local' does, while
keeping the code in modules and not in the server core.
I could be missing something important done by 'local' though, I haven't
really looked that hard.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
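
A simplified model of the fallback shown in the excerpt above, added here as an example and not taken from the FreeRADIUS source: it reports which Auth-Type applies to a check list and whether it was set explicitly or only inferred from the password attribute. The struct, the enum values and the function name effective_auth_type are stand-ins assumed for illustration.

```c
#include <stdio.h>

/* Stand-in codes, constructed for this example (not FreeRADIUS header values). */
enum { ATTR_OTHER, ATTR_PASSWORD, ATTR_CRYPT_PASSWORD, ATTR_AUTH_TYPE };
enum { AUTH_NONE, AUTH_LOCAL, AUTH_CRYPT, AUTH_PAP };

struct pair {                 /* simplified stand-in for a check item */
    int attribute;
    int value;                /* used only when attribute == ATTR_AUTH_TYPE */
    const struct pair *next;
};

/*
 * Return the Auth-Type that applies to a check list.
 * An explicit Auth-Type anywhere in the list wins. Otherwise the type is
 * inferred from the password attribute (the fallback the quoted comment
 * calls a kludge) and *implicit is set to 1 so the entry can be flagged.
 */
int effective_auth_type(const struct pair *check, int *implicit)
{
    int n = AUTH_NONE;

    *implicit = 0;
    for (const struct pair *vp = check; vp != NULL; vp = vp->next) {
        if (vp->attribute == ATTR_AUTH_TYPE)
            return vp->value;
        if (vp->attribute == ATTR_PASSWORD)
            n = AUTH_LOCAL;
        if (vp->attribute == ATTR_CRYPT_PASSWORD)
            n = AUTH_CRYPT;
    }
    *implicit = (n != AUTH_NONE);
    return n;
}

int main(void)
{
    /* Constructed check lists. */
    const struct pair pap = { ATTR_AUTH_TYPE, AUTH_PAP, NULL };
    const struct pair explicit_list = { ATTR_PASSWORD, 0, &pap };
    const struct pair crypt_only = { ATTR_CRYPT_PASSWORD, 0, NULL };
    int implicit;

    int t = effective_auth_type(&explicit_list, &implicit);
    printf("password + Auth-Type: type=%d implicit=%d\n", t, implicit);
    t = effective_auth_type(&crypt_only, &implicit);
    printf("crypt password only:  type=%d implicit=%d\n", t, implicit);
    return 0;
}
```

Entries that come back with implicit set are the ones depending on the fallback, and are the ones to give an explicit Auth-Type check item.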
