Hi list,

I'm using freeradius and I want to authenticate from an alternative password file at the same time as authenticating from the normal Unix password file. When a request comes in, I want the alternative password file to be checked first, and if the user is not found, then the Unix password file should be checked second.

The way I've intended this to work is to use the "passwd" module with the entry for the alternative password file. If an entry is found in it, the module appends the Crypt-Password attribute and sets the Auth-Type to PAP. If not, Auth-Type is left unset. I believe this is pretty standard so far.

The next step is to check the users file via the "files" module. I've put in two DEFAULT entries: the first has "Auth-Type == PAP" as a check item, and the second has "Auth-Type := System". The intent is that PAP requests will match the first DEFAULT entry with no fall-through, but if the request is not PAP, then the second entry will set Auth-Type to System.

The problem is, requests *always* match the first DEFAULT entry, no matter if they are PAP requests or not. I've tried changing the relation operator on both entries to all different combinations (=, ==, :=, +=), but nothing seems to work. Where am I going wrong? Is there a better way to do this?

Here is my configuration, cut down to (hopefully) the pertinent information. I'm using freeradius 1.0.0 from FreeBSD ports (dated 2004/08/29). I can post debugging output if needed.

radiusd.conf:

modules {
        # ...
        #
        # This is a simplified password file with two columns, the
        # username and the password.
        #
        passwd users_passwd {
                filename = "/etc/users-passwd"
                format = "*User-Name:Crypt-Password"
                delimiter = ":"
                authtype = PAP
                ignorenislike = yes
                ignoreempty = yes
                allowmultiplekeys = no
        }
        # ...
}

authorize {
        # ...
        #
        # This goes before the "files" statement so that the alternative
        # password file module has the opportunity to set Auth-Type to
        # PAP.
        #
        users_passwd
        #
        #  Read the 'users' file
        files
        # ...
}

authenticate {
        # ...
        Auth-Type PAP {
                pap
        }
        # ...
        unix
        # ...
}

users:

# Check for Auth-Type == PAP.  This is set by the users_passwd module in
# radiusd.conf.
DEFAULT Auth-Type == PAP

# Setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type := System

--
In the Year 2000 (tm)... "I will convert to Judasism and change my
trademark Fa Shizzle My Nizzle to Sheiztle Fa Zeitzel." -- Snoop Dog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
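
The lookup order described in the message above, modelled as an added Python example; it is not FreeRADIUS code and not from the original poster. The function names and sample records are constructed, and treating "+" lines as NIS-style records, keeping the first record per user, and dropping entries with an empty password field are assumptions of this model.

```python
# Added illustration: models the intended decision only (alternative file
# first, Unix password file second). It does not verify any password.

# Constructed sample in the post's "*User-Name:Crypt-Password" format.
SAMPLE_LINES = [
    "alice:$1$abcdefgh$CONSTRUCTEDHASHVALUE\n",
    "+nisuser::\n",          # NIS-style record
    "bob:\n",                # empty password field
    "alice:SECONDRECORD\n",  # duplicate key
]


def parse_passwd_lines(lines, delimiter=":", ignorenislike=True,
                       ignoreempty=True):
    """Build {User-Name: Crypt-Password} from two-column password lines."""
    table = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        # Assumption: ignorenislike skips records that start with "+".
        if ignorenislike and line.startswith("+"):
            continue
        fields = line.split(delimiter)
        user = fields[0]
        crypt_pw = fields[1] if len(fields) > 1 else ""
        if not user:
            continue
        # Model's choice: an entry with no password is treated as absent,
        # so that user falls through to the Unix check.
        if ignoreempty and not crypt_pw:
            continue
        # Model's choice for allowmultiplekeys = no: first record wins.
        table.setdefault(user, crypt_pw)
    return table


def authorize(user_name, alt_table):
    """Return the config items the post wants set for one request."""
    if user_name in alt_table:
        return {"Auth-Type": "PAP", "Crypt-Password": alt_table[user_name]}
    # Not in the alternative file: hand the request to the Unix check.
    return {"Auth-Type": "System"}


if __name__ == "__main__":
    alt = parse_passwd_lines(SAMPLE_LINES)
    for name in ("alice", "bob", "carol"):
        print(name, authorize(name, alt))
```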