Guillaume Rousse wrote:
What's wrong with just looking recursively for the name under which the module has been instanciated in the authorization section, without interpreting fail-over behaviour at all ?
Because it may be listed under multiple Auth-Type sections. This is something that people do, and is valid.
The problem is a common one in computer science: write a program that "understands" what another program is doing. This problem is generally known to be impossible. Here the communication occurs between the main program, and one of its module, the relationship is a bit tighter.
The problem is interpreting the meaning of the configuration in an "authenticate" section, including sections, sub-sections, "unlang", and redundant sections. Then, automatically making the server do the "right thing" in the authorize section, based on it's interpretation of the "authenticate" section. This is hard. Alan DeKok.