On 2014-07-21 15:27, Alan DeKok wrote:
Zenon Mousmoulas wrote:
Apparently rlm_pap and rlm_mschap don't do this. Can you say more specifically what other modules do this?
Can you say why you care? Does it matter? Or are you just nit-picking?
It mattered because I was trying to understand the difference between rlm_eap and rlm_ldap in this context. Perhaps the last question was not in the right direction, but your answer didn't help either :) So, to answer my own question:
Right. I suppose it makes sense for rlm_eap to set Auth-Type to the instance name, while other modules don't do that, for example rlm_ldap (in 2.x)?
rlm_ldap sets Auth-Type (not anymore in 3.x) if set_auth_type = yes (the default). This setting is overridden when a matching Auth-Type is not found, upon instantiation. It determines the Auth-Type (in order of preference: instance_name, LDAP) it will use when it is instantiated, depending on what Auth-Type is declared in the authenticate section. It is possible that a particular instance is instantiated in a virtual server that has Auth-Type ldap_inst and then processes a request in a different virtual server, which has Auth-Type LDAP. In such a case the module will try to set Auth-Type := ldap_inst and fail. On the other hand, rlm_eap always sets Auth-Type to the instance name. Perhaps related is the fact that it gets instantiated when the module is loaded (as opposed to when it is referenced in an authorize section), so there are no Auth-Type declarations to look at, even if it wanted to (like rlm_ldap).
And not really possible anyway, as I can only use unlang within Auth-Type subsections and not directly in the authenticate section. Right?
This is documented.
I didn't find a specific answer to that question, which is why I asked. Cheers, Z.