Alan DeKok wrote:
In addition, if anyone can figure out a clear way to configure this in the server, I'd like to know...
How about a config item like so: username Pap-Auth-DelegateTo := "moduleinstancename" and make rlm_pap the ONLY valid option in authorize/authenticate.rlm_pap, when called in authenticate, checks if the config item is set. If so, it finds the given module instance and passes the authenticate request to it.
Many of the "oracles" (nice name) need little or no code to be executed in authorize. LDAP is about the only one I can think of.
I could see this having real use in other situations - it would obviate the need for Autz-Type in some "merger" situations.