LDAP-UserDN is not unique per ldap module instance (auth problem when multiple ldap module instances used)
Kostas Zorbadelos
kzorba at otenet.gr
Mon Sep 17 12:57:58 CEST 2018
Hi Alan,
I confirm your fixes work now. Authentication succeeds when you use
multiple instances of the ldap module, provided you use per-instance
LDAP-UserDn.
I think this should be made explicit in mods-available/ldap in commented
documentation. I see you put
# Name of the attribute that contains the user DN.
# The default name is LDAP-UserDn.
#
# If you have multiple LDAP instances, you should
# change this configuration item to:
#
# ${.:instance}-LDAP-UserDn
#
# That change allows the modules to set their own
# User DN, and to not conflict with each other.
#
user_dn = "LDAP-UserDn"
in the group {} section. I think this should be moved to the
top level of the ldap module (or can you have user_dn in the group as
well)?
In my case I added
user_dn = ${.:instance}-LDAP-UserDn
in the top-level section of my ldap module instance (figured it out from
the code).
Best regards,
Kostas
On Mon, Sep 17 2018 at 01:53:26 AM, Alan DeKok <aland at deployingradius.com> wrote:
> On Sep 16, 2018, at 4:05 PM, Kostas Zorbadelos <kzorba at otenet.gr> wrote:
>> tested with the latest 3.0.x branch, authentication does not work. I
>> think some more work has to be done in the patch. From what I
>> understand, mod_authenticate() in rlm_ldap.c calls rlm_ldap_find_user()
>> that I see gets directly LDAP-UserDN and not the module specific
>> instance
>>
>> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_ldap/ldap.c#L1104
>
> I've pushed a fix, thanks.
>
> Alan DeKok.
>
--
Kostas Zorbadelos http://gr.linkedin.com/in/kzorba
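As an added illustration of the per-instance user_dn setting discussed in this thread (constructed here, not part of the list post and not configuration shipped by FreeRADIUS), the two module instances below can both run in the same authorize section without reading and writing the same LDAP-UserDn attribute. The instance names ldap_corp and ldap_partner, the servers, bind DNs, base DNs and passwords are all made-up placeholders; user_dn is placed at the top level of each instance, as Kostas did, rather than in the group {} section where the shipped comment sits.

```conf
# mods-enabled/ldap_corp  (constructed example; all names are placeholders)
ldap ldap_corp {
        server   = "ldap://ldap.corp.example"
        identity = "cn=radius,ou=svc,dc=corp,dc=example"
        password = "REPLACE-WITH-BIND-PASSWORD"
        base_dn  = "dc=corp,dc=example"

        # Per-instance attribute name. ${.:instance} expands to the
        # instance name, so this instance stores the DN it finds in
        # ldap_corp-LDAP-UserDn instead of the shared LDAP-UserDn.
        user_dn = "${.:instance}-LDAP-UserDn"

        user {
                base_dn = "${..base_dn}"
                filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
}

# mods-enabled/ldap_partner  (constructed example; all names are placeholders)
ldap ldap_partner {
        server   = "ldap://ldap.partner.example"
        identity = "cn=radius,ou=svc,dc=partner,dc=example"
        password = "REPLACE-WITH-BIND-PASSWORD"
        base_dn  = "dc=partner,dc=example"

        # Same expansion, different instance: ldap_partner-LDAP-UserDn.
        user_dn = "${.:instance}-LDAP-UserDn"

        user {
                base_dn = "${..base_dn}"
                filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
}
```

With user_dn left at its default in both instances, both would use the single LDAP-UserDn attribute, which is the conflict the thread describes; with the expansion above each instance gets its own attribute. As a check after making the change, run the server with radiusd -X and confirm in the debug output that each instance sets its own instance-prefixed LDAP-UserDn attribute rather than both writing LDAP-UserDn.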