Zenon Mousmoulas wrote:
It mattered because I was trying to understand the difference between rlm_eap and rlm_ldap in this context. Perhaps the last question was not in the right direction, but your answer didn't help either :)
You question about PAP and MS-CHAP did *nothing* to help you understand the difference between LDAP and EAP. All it did was be annoying, and waste everyones time.
rlm_ldap sets Auth-Type (not anymore in 3.x) if set_auth_type = yes (the default). This setting is overridden when a matching Auth-Type is not found, upon instantiation. It determines the Auth-Type (in order of preference: instance_name, LDAP) it will use when it is instantiated, depending on what Auth-Type is declared in the authenticate section. It is possible that a particular instance is instantiated in a virtual server that has Auth-Type ldap_inst and then processes a request in a different virtual server, which has Auth-Type LDAP. In such a case the module will try to set Auth-Type := ldap_inst and fail.
Which is why set_auth_type was removed in v3.
On the other hand, rlm_eap always sets Auth-Type to the instance name. Perhaps related is the fact that it gets instantiated when the module is loaded (as opposed to when it is referenced in an authorize section), so there are no Auth-Type declarations to look at, even if it wanted to (like rlm_ldap).
Because it's stupid to list "eap" in the "authorize" section, and then *not* list it in the "authenticate" section. So always setting Auth-Type to the instance name is what you want the module to do. Alan DeKok.