Alan DeKok a écrit :
I think this ought to be documented in rlm_ldap documentation (as well as minor other changes, such as the new tls subsection).
The new tls sub-section isn't required. The old-style configuration *should* work. It does. But clarification between what's old and what's new syntax doesn't harm.
I also tried to clean up my configuration a little bit. I think a found a bug in the handling of set_auth_type directive. From what I understood, this directive governs the setting of the Auth-Type attribute to 'LDAP' during the authorisation phase. However, whatever its value, it's automatically disabled when launching radius at startup:
Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
Yes... the LDAP module is now aware that you may have *multiple* copies of the LDAP module running. I guess you mean 'not aware'
Here is my autenticate section, using two ldap modules in fail-over: authenticate { Auth-Type LDAP { redundant { ldap1 ldap2
ldap1 != "LDAP". Right, but that seems to be only a syntax difference, refering to a named instance of the LDAP module. One would expect the code to be more robust, or at least the problem documented somewhere.
[..]
Which one should I believe ?
All of them. There are generalizations, which are usually true. In addition, there are specific corner cases where the generalizations aren't true. I need the second solution (ldap as an autentication server), so I need to have Auth-Type set.
If I understand correctly, there no way to help the rlm_module understand I'm using it for autentication, as I use a complex synta, so I have to set it up explicitely, right ? In this case, I think this deserve some explanation in the rlm_ldap documentation, such as: "Warning, if the LDAP module is not directly referenced to in authentication section, such as a failover configuration using named aliases, this setting will be disabled". -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62