New LDAP module in "master"

Peter Lambrechtsen peter at
Tue Nov 13 21:02:43 CET 2012


We use the eDir module within FreeRadius quite heavily so wouldn't want to
loose that functionality.

If you have a RHEL (or Centos), SLES or Solaris instance then it's pretty
straight forward how to test if the eDirectory Universal Password
functionality is functional or not.  You can easily download eDirectory
from and I can help with the few steps required to get
a working instance after that.

the ldap.attrmap is also quite useful externalised as a separate file
rather than being part of the specific LDAP module configuration.  In our
case we run multiple instances of the LDAP Module depending on the path you
took to get to the FreeRadius instance.  Some of these paths have the same
LDAP -> VSA Attribute mapping but have different LDAP Servers and Base
DN/Filters we search on, others have slightly different ones.  So we
reference the same ldap.attrmap against different module instances.
Not a biggie either way as we would just duplicate the mapping across the
different instances, but I can see the rationale from having everything
inside the single module configuration file.

Feel free to email me off list if you wanted further details about how to
make eDir go.



On Wed, Nov 14, 2012 at 2:48 AM, Alan DeKok <aland at>wrote:

>   I've re-written the LDAP module in "master".  The code is simpler,
> cleaner, and easier to understand.
>   It is largely compatible in function with the old module, with the
> following differences:
> - the eDirectory code has been removed.  I don't run eDir, and I can't
>   test it.  Patches to re-add it are welcome
> - the module uses the new connection pool API.  As a result, its
>   configuration is more in line with the rest of the server
> - the config items have been reorganized to make more sense.
>   The names are similar, but they're grouped into sections
>   I've tested it against a number of LDAP servers.  It seems to be
> stable, and performs at 6K queries per second in sustained load.  The
> old module was much less than that.
>   The new connection pool also means that the module can re-use
> connections in more situations.  Previously, the module would close and
> then re-open connections many times.  Now, it does so much less often.
>   The next steps are:
> - add eDir support (if people need it)
> - move "ldap.attrmap" to the module configuration.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Devel mailing list