Jeffrey Hutzelman wrote:
> It can't, really. But what it could do is what rlm_pap does, which is
> to assume that if there's a password in the request and Auth-Type isn't
> set yet, you must want to use this module (actually, rlm_pap also
> requires there be a password or hash in the users database, but of
> course Kerberos doesn't need that and as you point out, there's no easy
> way to check the KDB). With such a check, krb5 could be listed after
> pap in the default authorize configuration, and would pick up any PAP
> requests for which the users database does not contain a password.

That would work.

> Yes, I suppose with configuration like that you could avoid the code I
> describe above. I do think there's some benefit to handling this in the
> module's authorize handler, if only so we can avoid telling people to
> set Auth-Type in the users database.

Which is always good.

> What I'd really like to see is an easy way for the users database to
> specify which submodule gets to handle PAP requests. I suppose that can
> be accomplished as in your example, by listing files last in the
> authorize section and set-if-unset Auth-Type in each user entry.

Unfortunately, yes. That's what the "Auth-Type" is for. In 2.0, this is easier to do with "unlang".

Alan DeKok.
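
The fall-through behaviour discussed in this thread, as an added example that is not part of the original message and is not FreeRADIUS code: a small Python model of the authorize phase showing why the proposed krb5 check only works when krb5 is listed after pap. The function names, the `USERS_DB` contents and the sample requests are constructed for illustration.

```python
# Simplified model of the authorize phase discussed in the thread.
# Not FreeRADIUS code: each module is reduced to the rule stated in the thread.

USERS_DB = {"alice": {"Cleartext-Password": "s3cret"}}  # constructed sample data


def pap_authorize(request, control):
    """rlm_pap rule as described: claim the request only if it carries a
    password, Auth-Type is unset, and the users database has a password."""
    known = USERS_DB.get(request.get("User-Name"), {})
    if "User-Password" in request and "Auth-Type" not in control and known:
        control["Auth-Type"] = "PAP"


def krb5_authorize(request, control):
    """Proposed krb5 rule: claim any request with a password whose
    Auth-Type is still unset (the KDB cannot be checked cheaply)."""
    if "User-Password" in request and "Auth-Type" not in control:
        control["Auth-Type"] = "Kerberos"


def run_authorize(request, modules):
    """Run the modules in configured order and return the chosen Auth-Type,
    or None if no module claimed the request."""
    control = {}
    for module in modules:
        module(request, control)
    return control.get("Auth-Type")


DEFAULT_ORDER = [pap_authorize, krb5_authorize]   # krb5 listed after pap
REVERSED_ORDER = [krb5_authorize, pap_authorize]  # misordered, for comparison

if __name__ == "__main__":
    samples = [  # constructed requests
        {"User-Name": "alice", "User-Password": "x"},    # local password on file
        {"User-Name": "bob", "User-Password": "x"},      # no local password
        {"User-Name": "carol", "CHAP-Password": "..."},  # not a PAP request
    ]
    for req in samples:
        print(req["User-Name"], run_authorize(req, DEFAULT_ORDER),
              run_authorize(req, REVERSED_ORDER))
```

With the reversed order, krb5 claims every request that carries a password, so users with a local password never reach PAP.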