Freeradius 1.1.0 and rlm_ldap

Mark Martinec Mark.Martinec+radius at ijs.si
Thu Feb 16 01:44:52 CET 2006


From futhwo on Thu, 02 Feb 2006:

> ... All worked fine until I upgraded FreeRADIUS from 1.0.5 to 1.1.0.
> From there on I cannot authenticate because the Auth-Type attribute is no
> longer valorized to LDAP by the ldap module during the authorize section.
> ...
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> ...
> So if the Auth-Type LDAP is no longer defined, how can I perform authentication
> against an LDAP server?

I noticed the same symptoms after upgrading 1.0.5 to 1.1.0.
Somehow the Auth-Type no longer had a value that would match
the Auth-Type LDAP {...} entry in the authenticate section,
even though the rlm_ldap successfully completed authorization.

The ChangeLog didn't mention incompatibilities, the debug log with -X
wasn't helpful, the bug database turned up nothing, and the mailing list
archive turned up futhwo's similar problem report with no replies.

Digging into the rlm_ldap source and adding some debug printouts
revealed that the Auth-Type wasn't left undefined like the debug
message led me to believe, but its value became the name
of an LDAP instance (I'm using two LDAP servers in a redundant
radius group), which did not match the name of the
Auth-Type LDAP {} authenticate section.

In my case the solution was to replace:

authenticate {
  ...
  Auth-Type LDAP {...}

with:

authenticate {
  ...
  Auth-Type ldap-instance1 { ldap-instance1 }
  Auth-Type ldap-instance2 { ldap-instance2 }

I would guess that futhwo's problem has a similar solution,
perhaps replacing Auth-Type LDAP with Auth-Type ldap
or giving a name to an instance and using that in the authenticate section.

It would be helpful to document explicitly what comments in rlm_ldap.c
indicate:
         * Module should default to LDAP authentication if no Auth-Type
         * specified.  Note that we do this ONLY if configured, AND we
         * set the Auth-Type to our module name, which allows multiple
         * ldap instances to work.

It wouldn't hurt if the inst->set_auth_type = 0
were accompanied by a debug log entry,
and if the pairadd in:

        if (inst->set_auth_type &&
            (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
            request->password &&
            (request->password->attribute == PW_USER_PASSWORD))
                pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));

would also log the inst->xlat_name.
But above all, please document incompatibilities between versions.

  Mark
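As an added example (not from this post or from the FreeRADIUS project), a small Python check that reads radiusd.conf-style text and reports ldap instances whose name has no matching "Auth-Type <name> {" section in authenticate, i.e. the mismatch described above. The sample config, the simplified parsing, and the assumption that set_auth_type defaults to yes are mine.

```python
import re

# Constructed radiusd.conf fragment (not from the post): two ldap instances
# (used in a redundant authorize group, omitted here), while authenticate
# still carries the pre-1.1.0 style "Auth-Type LDAP" section.
SAMPLE_CONF = """
modules {
    ldap ldap-instance1 {
        set_auth_type = yes
    }
    ldap ldap-instance2 {
    }
}
authenticate {
    Auth-Type LDAP {
        ldap-instance1
    }
}
"""

def _body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def ldap_instances(conf):
    """Map ldap instance name -> True if it will set Auth-Type to that name.
    A bare 'ldap {' block is the instance named 'ldap'; set_auth_type is
    assumed to default to yes (assumption, not stated in the post)."""
    out = {}
    for m in re.finditer(r"^[ \t]*ldap(?:[ \t]+([\w-]+))?[ \t]*\{", conf, re.M):
        flag = re.search(r"set_auth_type\s*=\s*(\w+)", _body(conf, m.end() - 1))
        out[m.group(1) or "ldap"] = flag is None or flag.group(1).lower() in ("yes", "on", "1")
    return out

def auth_type_sections(conf):
    """Names of 'Auth-Type <name> {' blocks inside authenticate { ... }."""
    m = re.search(r"^[ \t]*authenticate[ \t]*\{", conf, re.M)
    return set(re.findall(r"Auth-Type[ \t]+([\w-]+)[ \t]*\{", _body(conf, m.end() - 1))) if m else set()

def missing_auth_types(conf):
    """Instances whose name (the module's xlat_name, used verbatim) has no
    matching authenticate section; compared exactly, including case."""
    have = auth_type_sections(conf)
    return sorted(n for n, sets in ldap_instances(conf).items() if sets and n not in have)
```

Running missing_auth_types on the sample reports both instances, since "LDAP" matches neither xlat_name; renaming the sections to the instance names clears the report.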