rlm_perl question (was Re: General question about authentication/authorization)
Phil Mayers
p.mayers at imperial.ac.uk
Sun Mar 19 23:55:09 CET 2006
George C. Kaplan wrote:
> I don't think I understand your examples. A NAS is sending a User-Name
> and User-Password, and somehow I have to tell radiusd, "Use Kerberos to
> authenticate these users." I don't see how I can do that except by
> setting 'Auth-Type = Kerberos' *somewhere*.
I am suggesting that in some sense (and obviously, it's only my opinion,
and as I say it's only doable to an extent with newer FR versions) the
following is better:
authenticate {
    Auth-Type PAP {
        krb5
    }
}
That is, that the Auth-Type be set to reflect the algorithm in the
radius request, and not the backend processing that request.
>
>> Out of interest, are you finding rlm_krb5 stable? Under high concurrency?
>
> Yes, except (and it's a big "except") for signals. I posted something
> about this a little while ago: when radiusd gets a HUP or TERM signal,
> it sometimes becomes unresponsive, using 98% CPU. A 'kill -9' is
Ah. I'll stick with LDAP to the AD controllers.