Phil Mayers wrote:
I am suggesting that in some sense (and obviously, it's only my opinion, and as I say it's only doable to an extent with newer FR versions) the following is better:
authenticate { Auth-Type PAP { krb5 } }
That is, that the Auth-Type be set to reflect the algorithm in the radius request, and not the backend processing that request.
OK... This makes sense, as long as all services using PAP need to use the rlm_krb5 back end. Now, in my case (perhaps I should have mentioned this before), I have other services that use PAP, but not Kerberos (just Crypt-Password from a local database). So this really is the ">1 competing module for a given Auth-Type": I'd declare two different PAP Auth-Types, then set the appropriate one in the authorization module for each service. IOW, this is pretty much just what I'm doing now, except that the Auth-Type that invokes rlm_krb5 is explicitly declared in the authenticate{} section, which is not the case for "Kerberos" in FR 1.0.5. -- George C. Kaplan gckaplan@ack.berkeley.edu Communication & Network Services 510-643-0496 University of California at Berkeley