Jeffrey Hutzelman wrote:
It can't, really. But what it could do is what rlm_pap does, which is to assume that if there's a password in the request and Auth-Type isn't set yet, you must want to use this module (actually, rlm_pap also requires there be a password or hash in the users database, but of course Kerberos doesn't need that and as you point out, there's no easy way to check the KDB). With such a check, krb5 could be listed after pap in the default authorize configuration, and would pick up any PAP requests for which the users database does not contain password.
That would work.
Yes, I suppose with configuration like that you could avoid the code I describe above. I do think there's some benefit to handling this in the module's authorize handler, if only so we can avoid telling people to set Auth-Type in the users database.
Which is always good.
What I'd really like to see is an easy way for the users database to specify which submodule gets to handle PAP requests. I suppose that can be accomplished as in your example, by listing files last in the authorize section and set-if-unset Auth-Type in each user entry.
Unfortunately, yes. That's what the "Auth-Type" is for. In 2.0, this is easier to do with "unlang". Alan DeKok.