Quoting Phil Mayers <p.mayers@imperial.ac.uk>:
2) INNER Auth part ensures that the ldap module is only called for the INNER part of the check...not for everything else. also very very useful as it stops outer ID junk and debris from being checked.
What IS 'the INNER part' (may depend on the answer on my first question above) as opposed to 'the outer'? In context I get the general idea, but the actual definition on INNER and OUTER?
You're getting hung up on the specifics, which is probably my fault for giving minimal info; Autz-Type is a general mechanism. Please see doc/Autz-Type for more info.
I'm only slightly wiser from reading that... Shouldn't 'eap' and 'mschap' be in this Authz-Type to then? ----- s n i p ---- authorize { preprocess auth_log chap mschap digest IPASS suffix realmpercent ntdomain eap files Autz-Type INNER { ldap } } ----- s n i p ---- What I don't understand is why everything is done so many times! The 'authorize' section is done a whole bunch of times, just to authenticate ONE user [request]. If I have undestood the Authz-Type file correctly (which I'm quite sure I haven't), I'd put the whole 'authorize' section in a 'Authz-Type' section! But that can't be right...