Derrick Woo wrote:
Hello Phil,
I've removed "ldap" from the authorize section now, but now it's not even connecting to the ldap server. Am I overlooking something?
Weeellll... I must be honest, I've never actually used it myself (ducks :o) but that's certainly what the source and docs imply. (goes off to try) Ah, the users file *actually* needs to be: DEFAULT Auth-Type := LDAP, Ldap-UserDN := `uid=%{User-Name},RESTOFDN` ...because the authenticate section has ldap as a conditional module: authenticate { Auth-Type LDAP { ldap } } With the final above fixe, this definitely works for me. However, you should be aware of the implications of setting (forcing) Auth-Type in the users file - by forcing it to LDAP unconditionally you will prevent e.g. mschap, eap, etc. working at a later date (this is why it's generally not recommended, but for specific and limited circumstances where you're sure this is what you want, I guess it's ok) You could put the "files" module last in the authorize section, and use: DEFAULT Auth-Type = LDAP, Ldap-... ...which will only set the Auth-Type if it's not already set - then if e.g. mschap or eap match first, ldap won't attempt to sieze the request. [Perhaps someone else could chip in with info about the implications of putting the "ldap" module as a non-conditional in "authenticate" - I was under the impression that all the modules in authenticate should be conditional because only one was ever called, but e.g. digest, pam, unix, eap don't seem to be?]