From futhwo on Thu, 02 Feb 2006:
... All worked fine untill i upgraded FreeRADIUS form 1.0.5 to 1.1.0. From there on i cannot authenticate because the Auth-Type attribute is no more valorized to LDAP by the ldap module during authorize section. ... rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user ... So if the Auth-Type LDAP is no more defined,how can i perform authentication against a LDAP server?
I noticed the same symptoms after upgrading 1.0.5 to 1.1.0. Somehow the Auth-Type no longer had a value that would match the Auth-Type LDAP {...} entry in the authenticate section, even though the rlm_ldap successfully completed authorization. ChangeLog didn't mention incompatibilities, debug log with -X wasn't helpful, bug database turned out nothing, and mailing list archive turned up similar futhwo's problem report with no replies. Digging on rlm_ldap source and adding some debug printouts revealed that the Auth-Type wasn't left undefined like the debug message lead me to believe, but its value became the name of a LDAP instance (I'm using two LDAP servers in redundant radius group), which did not match the name of the Auth-Type LDAP {} authenticate section. In my case the solution was to replace the: authenticate { ... Auth-Type LDAP {...} with: authenticate { ... Auth-Type ldap-instance1 { ldap-instance1 } Auth-Type ldap-instance2 { ldap-instance2 } I would guess that futhwo's problem has a similar solution, perhaps replacing Auth-Type LDAP with Auth-Type ldap or giving a name to an instance and using that in the authenticate section. It would be helpful to document explicitly what comments in rlm_ldap.c indicate: * Module should default to LDAP authentication if no Auth-Type * specified. Note that we do this ONLY if configured, AND we * set the Auth-Type to our module name, which allows multiple * ldap instances to work. It wouldn't hurt if the inst->set_auth_type = 0 would be accompanied with a debug log entry, and if the pairadd in: if (inst->set_auth_type && (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) && request->password && (request->password->attribute == PW_USER_PASSWORD)) pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ)); would also log the inst->xlat_name. But above all, please document incompatibilities between versions. Mark