On Sep 14, 2018, at 8:04 AM, Kostas Zorbadelos <kzorba@otenet.gr> wrote:
in my current authentication policy, I use 2 instances of the LDAP module. The first instance queries the directory in a specific branch and gets information used in later checks. The other instance is used to authorize the user (and also authenticate him in some rare situations) and queries another branch.
The problem is that when the second LDAP module is used for the authentication, it tries to bind with an LDAP-UserDN attribute obtained from the first module. I need to rewrite control:LDAP-UserDN for this to work. Tracing a bit the source, I saw that LDAP-UserDN is set with the '=' operator:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_...
Is this by design? I would expect each module instance to have its own LDAP-UserDN and use that when used in authentication. Am I missing something, or is this something worth of raising a github issue?
No, each module should have it's own LDAP-UserDN, just like each module has it's own LDAP-Group operator. I'll see if I can push a fix. Alan DeKok.