Questions about ldap authentication, huntgroup and authorize file

Jérôme BERTHIER Jerome.Berthier at inria.fr
Fri Oct 13 13:56:41 CEST 2017


On 12/10/2017 at 17:31, Alan DeKok wrote:
> On Oct 12, 2017, at 10:52 AM, Jérôme BERTHIER <Jerome.Berthier at inria.fr> wrote:
>> Yes, thank you,
>> but as far as I see, this syntax does not work inside the authorize file.
>    It's not supposed to work there.  You need to put it into the "default" virtual server.

OK, I was confused by your previous message.

>
>> I tried to create a specific module file for a specific ldap instance myldap1, then I called it in the authorize file.
>>
>> In both cases, the module authorize is not validated when starting radiusd:
>> /etc/raddb/mods-config/files/authorize[228]: Parse error (check) for entry DEFAULT: Unknown attribute "myldap1-Ldap-Group"
>> Failed reading /etc/raddb/mods-config/files/authorize
>> /etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
>    That should work if the server is configured correctly.
>
>    Again... post the debug output.  ALL of it.

>> I understand that it is possible to use a specific ldap instance and to call it to check groups using <myldap>-Ldap-Group, but it seems that it is not supported in the authorize file.
>    It is supported.  You may need to fix your configuration.


I found the issue.
The attribute myldap1-Ldap-Group is unknown to the module "authorize" 
because its own module is not yet loaded.

I tried both solutions:
- define the instance "ldap myldap1 {}" in the ldap module file (linked 
as an enabled module)
- define the instance "ldap myldap1 {}" in a new module file amyldap1 
(linked as an enabled module). If the module files are loaded in 
alphabetical order then this new module should be loaded before the 
authorize module.
By default, it does not work.

So, I tried to call the instance myldap1 in the instantiate section of 
radiusd.conf. It fixed the problem.
Now, I can use this attribute in the authorize file.

Moreover, I will use the instantiate section to define a unique 
redundant pool of ldap servers. I've been interested in this for a while.


Thank you very much for your help

Have a nice day

-- 
Jérôme BERTHIER
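The layout the thread arrives at, written out as an added example that is not part of the original post or of the FreeRADIUS distribution: a named ldap instance, the radiusd.conf instantiate entry that loads it before the files module parses the authorize file, a users entry that uses the instance's Ldap-Group check item, and the redundant pool mentioned above. The hostname, DNs, password placeholder, group name, the file name mods-available/myldap1 and the second instance myldap2 are all assumptions made for this example.

```conf
# --- /etc/raddb/mods-available/myldap1 (symlinked into mods-enabled/) ---
# A second, named ldap instance. Hostname, DNs and the password are
# constructed placeholders for this example, not real values.
ldap myldap1 {
	server = "ldap1.example.org"
	identity = "cn=radius,ou=services,dc=example,dc=org"
	password = "CHANGE-ME"
	base_dn = "dc=example,dc=org"

	user {
		base_dn = "ou=people,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "ou=groups,${..base_dn}"
		filter = "(objectClass=groupOfNames)"
		# Membership is read from the user's memberOf attribute, so a
		# "myldap1-Ldap-Group == ..." check item can be answered from the
		# user entry without a second group search.
		membership_attribute = "memberOf"
	}

	tls {
		# Protect the bind credentials on the wire and verify the server.
		start_tls = yes
		ca_file = /etc/raddb/certs/ldap-ca.pem
		require_cert = "demand"
	}
}

# --- /etc/raddb/radiusd.conf, section "instantiate" ---
# Modules listed here are instantiated before any other module, so
# myldap1 has already registered its myldap1-Ldap-Group attribute by the
# time "files" parses mods-config/files/authorize.
instantiate {
	myldap1

	# A redundant pool of ldap instances, callable from a virtual server
	# as "ldap_pool". myldap2 is assumed to be a second instance defined
	# like myldap1 against another directory server.
	redundant ldap_pool {
		myldap1
		myldap2
	}
}

# --- /etc/raddb/mods-config/files/authorize ---
# Check items go on the DEFAULT line; "vpn-users" is a constructed group name.
DEFAULT	myldap1-Ldap-Group == "vpn-users"
	Reply-Message = "Welcome, VPN user"

# No Fall-Through on the entry above, so only non-members reach this one.
DEFAULT	Auth-Type := Reject
	Reply-Message = "Not a member of an authorised group"
```

Start the server once with `radiusd -X` after making these changes: the debug output shows the instantiate section loading myldap1 first, and the "Unknown attribute" parse error from the authorize file disappears; if it is still there, the instance named in the check item does not match the instance name in mods-enabled/.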
