Phil Mayers wrote: > I am suggesting that in some sense (and obviously, it's only my opinion, > and as I say it's only doable to an extent with newer FR versions) the > following is better: > > authenticate { > Auth-Type PAP { > krb5 > } > } > > That is, that the Auth-Type be set to reflect the algorithm in the > radius request, and not the backend processing that request.
OK... This makes sense, as long as all services using PAP need to use the rlm_krb5 back end. Now, in my case (perhaps I should have mentioned this before), I have other services that use PAP, but not Kerberos (just Crypt-Password from a local database). So this really is the ">1 competing module for a given Auth-Type": I'd declare two different PAP Auth-Types, then set the appropriate one in the authorization module for each service. IOW, this is pretty much just what I'm doing now, except that the Auth-Type that invokes rlm_krb5 is explicitly declared in the authenticate{} section, which is not the case for "Kerberos" in FR 1.0.5. -- George C. Kaplan [EMAIL PROTECTED] Communication & Network Services 510-643-0496 University of California at Berkeley - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html