Guillaume Rousse wrote:
I've recently upgraded my freeradius servers from 1.1.7 to 2.0.0,
2.0.3 has been out for a while...
and
I've been hit badly by the change in the handling of LDAP-UserDn attribute, as detailed in http://www.nabble.com/Re%3A-LDAP-Groups-and-EAP-p14886209.html
This was fixed in CVS head, in what will be 2.0.4.
I think this ought to be documented in rlm_ldap documentation (as well as minor other changes, such as the new tls subsection).
The new tls sub-section isn't required. The old-style configuration *should* work.
I also tried to clean up my configuration a little bit. I think a found a bug in the handling of set_auth_type directive. From what I understood, this directive governs the setting of the Auth-Type attribute to 'LDAP' during the authorisation phase. However, whatever its value, it's automatically disabled when launching radius at startup:
Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
Yes... the LDAP module is now aware that you may have *multiple* copies of the LDAP module running.
Here is my autenticate section, using two ldap modules in fail-over: authenticate { Auth-Type LDAP { redundant { ldap1 ldap2
ldap1 != "LDAP".
handled } } }
If I drop failover, everything work as expected. Should I report this as a bug ?
No.
So far, the only workaround I found is to force the Auth-Type attribute in the user file:
Yes. The old behavior was wrong.
But I can't make my mind if it is a good solution or not. According to the comment in default configuration file: "In general, you SHOULD NOT set the Auth-Type attribute".
In general. In some cases, it works. In this case, the knowledge that you want to do LDAP authentication is buried inside of a "redundant" section.
According to Alan answer in http://www.nabble.com/Re%3A-Force-Auth-Type-p15069162.html "The LDAP module setting Auth-Type to LDAP is a bit of a hack."
Yes. If you use the LDAP server as a *database*, then there's no need to set Auth-Type. The FreeRADIUS just figures it out. The only reasons to use Auth-Type = LDAP is when you're using LDAP as an *authentication* server, not as a database.
Which one should I believe ?
All of them. There are generalizations, which are usually true. In addition, there are specific corner cases where the generalizations aren't true. Alan deKok.