Configuration trouble with fail-over

Guillaume Rousse Guillaume.Rousse at inria.fr
Tue Apr 29 15:16:24 CEST 2008


Alan DeKok wrote:
>> I think this ought to be documented in rlm_ldap documentation (as well
>> as minor other changes, such as the new tls subsection).
> 
>   The new tls sub-section isn't required.  The old-style configuration
> *should* work.
It does. But clarification between what's old and what's new syntax
doesn't harm.

>> I also tried to clean up my configuration a little bit. I think I found
>> a bug in the handling of set_auth_type directive. From what I
>> understood, this directive governs the setting of the Auth-Type
>> attribute to 'LDAP' during the authorisation phase. However, whatever
>> its value, it's automatically disabled when launching radius at startup:
>>
>> Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type,
>> as we're not listed in the "authenticate" section.
> 
>   Yes... the LDAP module is now aware that you may have *multiple*
> copies of the LDAP module running.
I guess you mean 'not aware'

>> Here is my authenticate section, using two ldap modules in fail-over:
>> authenticate {
>>         Auth-Type LDAP {
>>                 redundant {
>>                         ldap1
>>                         ldap2
> 
>   ldap1 != "LDAP".
Right, but that seems to be only a syntax difference, referring to a
named instance of the LDAP module. One would expect the code to be more
robust, or at least the problem documented somewhere.

[..]
>> Which one should I believe ?
> 
>   All of them.  There are generalizations, which are usually true.  In
> addition, there are specific corner cases where the generalizations
> aren't true.
I need the second solution (ldap as an authentication server), so I need
to have Auth-Type set.

If I understand correctly, there is no way to help the rlm_module
understand I'm using it for authentication, as I use a complex syntax, so
I have to set it up explicitly, right? In this case, I think this
deserves some explanation in the rlm_ldap documentation, such as:
"Warning, if the LDAP module is not directly referenced in the
authentication section, such as a failover configuration using named
aliases, this setting will be disabled".

-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62