"Tarun Bhushan" <[EMAIL PROTECTED]> wrote:
> I see your point. However, how does FR select which instance needs to
> handle this request right at the start of handling the request?

  I'm not sure what you mean.  The various sections are processed in
order, from top to bottom, so any decision to make is easy.

> In the
> debug log, the first thing I can see with respect to the first authorize
> part of handling the request is "rlm_ldap: Entering ldap_groupcmp()".
> From what I can see, the modcall code has already selected the instance
> at this stage, as "instance" is an input parameter to this function.

  Not exactly.  The attribute is tied to a particular instance, so any
reference to that attribute naturally refers to an instance.  There's
no fail-over or redundancy, as the attribute is tied to an instance,
not to a fail-over/redundancy section in "radiusd.conf".

  If you use the same attribute in any other section (authenticate,
post-auth, etc), you will see the server selecting the same instance
of the same module.  The LDAP group comparison has nothing to do with
"authorize", as it's dependent on the instance of the module, and not
on any section in "radiusd.conf".

> >   Please use "Autz-Type", the "autztype" name is deprecated, and may
> > be removed in a future release.
> 
> This does not appear to work. Within the 'users' file, Autz-Type is
> fine. However, when 'autz-type' is used instead of 'autztype' used
> within the 'Authorize' section in radiusd.conf, radiusd reports an error
> while processing the 'users' file (Unexpected trailing comma in check
> item list for entry DEFAULT), which goes away when 'autztype' is used.

  Which version of the server are you using?

> Also, there is also a corresponding 'authtype' in the 'Authenticate'
> section too, not 'auth-type'.

  Not in any recent version of the server.

> >   Maybe we need sections for callbacks, where the callback code can
> > package multiple modules together in a redundant section.
> 
> Wouldn't these callback sections need to be within/related-to the
> corresponding higher level sections (authorize, authenticate, etc)?

  Why?  There are no "higher level" sections.  They're all completely
independent, and ignorant of each other.  That's what makes the server
so powerful.

  Alan DeKok.

