Need some help with Access-Reject messages in upgrade from FreeRadius 1.1.0 to FreeRadius 2.0.5

Adam Bultman abultman at mtasolutions.com
Wed Oct 29 00:41:44 CET 2008


Alan DeKok wrote:
> Adam Bultman wrote:
>   
>> I decided it would be easier (in the long run) to simply start with a
>> default freeRadius 2.0.5 config file, and then adjust it to match our
>> setup. This has so far been going well, except now I've run into a
>> problem where variables in my users file are not being expanded.
>>     
>
>   I suggest using 2.1.1, or the "stable" tree.   See git.freeradius.org.
>
>   
Done; I've compiled and installed 2.1.1 on my test server.

>> Example from the user's file:
>> DEFAULT Huntgroup-Name == dsl, serveriron-Ldap-Group == dsl10m, User-Profile := "uid=dsl10m,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=dsl,dc=domain,dc=com`
>>         Fall-Through = no
>>     
>
>   This won't work because the "users" file doesn't dynamically expand
> everything.  I suggest using "unlang":
>
> 	if ((Huntgroup-Name == "dsl") && (serveridon... == ...)) {
> 		update control {
> 			User-Profile := "uid=..."
> 			LDAP-UserDN := "uid=%{User-Name},ou=..."
> 		}
> 	}
>
>   That will cause the %{User-Name} to be expanded properly.
>
>   

OK; so a few things:

1. I've put my if (..) stuff inside my sites-enabled/ conf file, and
groups are working again (yeah!).  My users file is a lot more skeletal now.

2.  I've read the docs on this now (what precious little there is) about
the Ldap-Group stuff in the users file, and I'm still not completely
understanding it.  If I have three LDAP servers, ldap1, ldap2, and
ldap3, and I have in my users file this:

DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl10m

Then when I try to authenticate, the server can't find my profile
(despite having the Huntgroup stuff in my config, as mentioned in #1).
It searches for group membership, but it's using some default template
(which is NOT in modules/ldap - it's nowhere!) and doesn't find a proper
group membership filter, and fails. If I put this:

DEFAULT Huntgroup-Name == dsl, ldap1-Ldap-Group == dsl10m

Then it *does* use the group membership stuff in the ldap stanza for
ldap1 (which I've placed in modules/ldap_cluster). Of course, if I,
say, bring down the server for ldap1, all authentication breaks. The
same thing applies if I do ldap2-Ldap-Group or ldap3-Ldap-Group.

So the question: Is there a way to make a default group membership
filter without having to create DEFAULT lines in the users file for each
of my ldap servers? In radiusd.conf, I have redundant-load-balance {}
stanzas for my ldap servers, but I can't use the ldap "cluster" I create
in there in my users file.

Adam
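As an added illustration (not part of the thread, and not FreeRADIUS project code), here is what the unlang approach Alan suggests and Adam adopts in #1 looks like written out as a complete authorize section for a 2.1.x virtual server. The instance names ldap1/ldap2/ldap3, the huntgroup dsl, the group dsl10m and the DNs are taken from the thread; that those instances exist under modules/ and that the huntgroups file defines dsl are assumptions. It does not answer the cluster-wide group question Adam raises: the group condition is still evaluated against one named instance.

```unlang
# sites-enabled/default, authorize section (FreeRADIUS 2.1.x unlang).
# Added example; instance and group names are assumed from the thread.
authorize {
	# preprocess reads the huntgroups file and makes Huntgroup-Name
	# comparable in conditions below.
	preprocess

	# Set the user's DN up front so the ldap group comparison and the
	# ldap module itself do not have to search for it. %{User-Name} is
	# expanded here, which is what the old users-file line could not do.
	update control {
		Ldap-UserDn := "uid=%{User-Name},ou=dsl,dc=domain,dc=com"
	}

	# Group membership is checked against the ldap1 instance only
	# (ldap1-Ldap-Group), so this condition fails if ldap1 is down;
	# that is the limitation the post describes.
	if ((Huntgroup-Name == "dsl") && (ldap1-Ldap-Group == "dsl10m")) {
		update control {
			User-Profile := "uid=dsl10m,ou=profiles,ou=radius,dc=mtaonline,dc=net"
		}
	}

	# Fetch the user's and profile's attributes from whichever server
	# answers; on failure the next instance in the list is tried.
	redundant-load-balance {
		ldap1
		ldap2
		ldap3
	}

	# Any remaining static entries stay in the (now skeletal) users file.
	files
}
```

The ordering matters: the `update control` block that sets `Ldap-UserDn` must come before the `if`, because the `ldapN-Ldap-Group` comparison performs the membership search at the point the condition is evaluated, and `User-Profile` must be set before the ldap module runs, since the module reads it from the control list to decide which profile DN to pull attributes from.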
