Re: Freeradius 1.1.0 and rlm_ldap
From futhwo on Thu, 02 Feb 2006:
... All worked fine untill i upgraded FreeRADIUS form 1.0.5 to 1.1.0. From there on i cannot authenticate because the Auth-Type attribute is no more valorized to LDAP by the ldap module during authorize section. ... rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user ... So if the Auth-Type LDAP is no more defined,how can i perform authentication against a LDAP server?
I noticed the same symptoms after upgrading 1.0.5 to 1.1.0. Somehow the Auth-Type no longer had a value that would match the Auth-Type LDAP {...} entry in the authenticate section, even though the rlm_ldap successfully completed authorization. ChangeLog didn't mention incompatibilities, debug log with -X wasn't helpful, bug database turned out nothing, and mailing list archive turned up similar futhwo's problem report with no replies. Digging on rlm_ldap source and adding some debug printouts revealed that the Auth-Type wasn't left undefined like the debug message lead me to believe, but its value became the name of a LDAP instance (I'm using two LDAP servers in redundant radius group), which did not match the name of the Auth-Type LDAP {} authenticate section. In my case the solution was to replace the: authenticate { ... Auth-Type LDAP {...} with: authenticate { ... Auth-Type ldap-instance1 { ldap-instance1 } Auth-Type ldap-instance2 { ldap-instance2 } I would guess that futhwo's problem has a similar solution, perhaps replacing Auth-Type LDAP with Auth-Type ldap or giving a name to an instance and using that in the authenticate section. It would be helpful to document explicitly what comments in rlm_ldap.c indicate: * Module should default to LDAP authentication if no Auth-Type * specified. Note that we do this ONLY if configured, AND we * set the Auth-Type to our module name, which allows multiple * ldap instances to work. It wouldn't hurt if the inst->set_auth_type = 0 would be accompanied with a debug log entry, and if the pairadd in: if (inst->set_auth_type && (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) && request->password && (request->password->attribute == PW_USER_PASSWORD)) pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ)); would also log the inst->xlat_name. But above all, please document incompatibilities between versions. Mark
Mark Martinec wrote:
It would be helpful to document explicitly what comments in rlm_ldap.c indicate: * Module should default to LDAP authentication if no Auth-Type * specified. Note that we do this ONLY if configured, AND we * set the Auth-Type to our module name, which allows multiple * ldap instances to work.
Please write patches against the documentation and send them to the list. You may also add content to the wiki: http://wiki.freeradius.org/index.php?title=Rlm_ldap
It wouldn't hurt if the inst->set_auth_type = 0 would be accompanied with a debug log entry, and if the pairadd in:
if (inst->set_auth_type && (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) && request->password && (request->password->attribute == PW_USER_PASSWORD)) pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));
would also log the inst->xlat_name.
Then please send a patch instead of ordering the other people what they should do.
But above all, please document incompatibilities between versions.
I think you're rude to complain about a software that you didn't pay for. Keep in mind the following excerpt from the README: FreeRADIUS is the cumulative effort of many years of work by many people, and you've gotten it for free. No one gets paid to work on FreeRADIUS, and no one is getting paid to answer your questions. This is free software, and the only way it gets better is if you contribute work back to the project. -- Nicolas Baradakis
Mark Martinec <Mark.Martinec+radius@ijs.si> wrote:
In my case the solution was to replace the:
authenticate { ... Auth-Type LDAP {...}
Which worked because of a bug in the server. It was a bug, no question.
It would be helpful to document explicitly what comments in rlm_ldap.c indicate:
As always, patches are welcome.
It wouldn't hurt if the inst->set_auth_type = 0 would be accompanied with a debug log entry,
Sure. Do you have a patch? Alan DeKok.
participants (3)
-
Alan DeKok -
Mark Martinec -
Nicolas Baradakis