rlm_perl question (was Re: General question about authentication/authorization)
George C. Kaplan
gckaplan at ack.berkeley.edu
Mon Mar 20 17:07:46 CET 2006
Phil Mayers wrote:
> I am suggesting that in some sense (and obviously, it's only my opinion,
> and as I say it's only doable to an extent with newer FR versions) the
> following is better:
>
> authenticate {
>     Auth-Type PAP {
>         krb5
>     }
> }
>
> That is, that the Auth-Type be set to reflect the algorithm in the
> radius request, and not the backend processing that request.

OK... This makes sense, as long as all services using PAP need to use
the rlm_krb5 back end.

Now, in my case (perhaps I should have mentioned this before), I have
other services that use PAP, but not Kerberos (just Crypt-Password from
a local database). So this really is the ">1 competing module for a
given Auth-Type": I'd declare two different PAP Auth-Types, then set
the appropriate one in the authorization module for each service.

IOW, this is pretty much just what I'm doing now, except that the
Auth-Type that invokes rlm_krb5 is explicitly declared in the
authenticate{} section, which is not the case for "Kerberos" in FR 1.0.5.
--
George C. Kaplan gckaplan at ack.berkeley.edu
Communication & Network Services 510-643-0496
University of California at Berkeley
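
The arrangement described in the message above, sketched as an added configuration example that is not taken from either poster's setup. The Auth-Type names PAP-Kerberos and PAP-Local and the NAS-Identifier values are hypothetical, the users file stands in for whichever authorization module selects the service, and it assumes a FreeRADIUS release that accepts locally named Auth-Type sub-sections.

```text
# radiusd.conf (fragment)
# Both sub-sections handle PAP requests; the name records which back end
# verifies the password. PAP-Kerberos and PAP-Local are hypothetical names.
authenticate {
    # Services whose passwords are checked against the Kerberos KDC
    Auth-Type PAP-Kerberos {
        krb5
    }

    # Services whose passwords are compared with Crypt-Password,
    # supplied as a check item from the local database
    Auth-Type PAP-Local {
        pap
    }
}

# users (fragment)
# The authorization step picks one Auth-Type per service. The
# NAS-Identifier values are constructed placeholders.
DEFAULT NAS-Identifier == "vpn.example.edu", Auth-Type := PAP-Kerberos

DEFAULT NAS-Identifier == "dialup.example.edu", Auth-Type := PAP-Local

# No catch-all entry: a request that matches neither service gets no
# Auth-Type from this file, so it is not routed to either back end here.
```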