13 LDAP queries for one authorize!
Turbo Fredriksson
turbo at dagdrivarn.se
Sat Aug 25 21:12:40 CEST 2007
Quoting Phil Mayers <p.mayers at imperial.ac.uk>:
>> > 2) INNER Auth part ensures that the ldap module is only called for the
>> > INNER part of the check...not for everything else. also very very useful
>> > as it stops outer ID junk and debris from being checked.
>>
>> What IS 'the INNER part' (may depend on the answer to my first question
>> above) as opposed to 'the outer'? In context I get the general idea, but
>> the actual definition of INNER and OUTER?
>
> You're getting hung up on the specifics, which is probably my fault for
> giving minimal info; Autz-Type is a general mechanism. Please see
> doc/Autz-Type for more info.
I'm only slightly wiser from reading that... Shouldn't 'eap' and 'mschap'
be in this Authz-Type too then?
----- s n i p ----
authorize {
        preprocess
        auth_log
        chap
        mschap
        digest
        IPASS
        suffix
        realmpercent
        ntdomain
        eap
        files
        Autz-Type INNER {
                ldap
        }
}
----- s n i p ----
What I don't understand is why everything is done so many times! The
'authorize' section is done a whole bunch of times, just to authenticate
ONE user [request].
If I have understood the Authz-Type file correctly (which I'm quite sure
I haven't), I'd put the whole 'authorize' section in an 'Authz-Type' section!
But that can't be right...