Problem with LDAP module in 2.0.3 -- Ldap-UserDn unavailable
Jason Alderfer
jha2 at emu.edu
Wed Apr  9 21:11:18 CEST 2008

I'm testing upgrading from 1.1.7 to 2.0.3 and have run into a problem with
the LDAP module.  The problem appears in 2 places.  First, I'm using the
--with-edir option so I have
password_attribute = nspmPassword
and
edir_account_policy_check = yes
set.  However, in 2.0.3, when I set "edir_account_policy_check = yes", I
get this error:
+- entering group post-auth
rlm_ldap: User's FQDN not in config items list.
++[ldap] returns fail
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
If I don't set edir_account_policy_check, then authentication is
successful, but the second problem shows up.  A little background:
In 1.1.7 I'm setting VLANs via the 'users' file like this:
DEFAULT Ldap-UserDn =~ "ou=is,ou=n,o=emu"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 3
and I've tried this in 2.0.3, but I've also tried unlang
if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) {
        update reply {
                Tunnel-Type := "VLAN"
                Tunnel-Medium-Type := "IEEE-802"
                Tunnel-Private-Group-Id := 3
        }
}
Neither of these work in 2.0.3.  The VLAN does not get set.  Files returns
noop, and unlang shows in debug output
++? if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i)
    (Attribute Ldap-UserDn was not found)
I did some digging and I think I know why this is.  In rlm_ldap.c
beginning at line 1306 is
/*
 * Adding new attribute containing DN for LDAP object associated with
 * given username
 */
pairadd(check_pairs, pairmake("Ldap-UserDn", user_dn, T_OP_EQ));
However, in 1.1.7 the code is
pairadd(&request->packet->vps, pairmake("Ldap-UserDn", user_dn, T_OP_EQ));
If I add this line to 2.0.3 just after the existing pairadd line and
recompile, then everything just works -- edir policy check works and I can
set VLANs using files module or unlang.
Is this a bug in 2.0.3 or am I missing something in my new config file
that would make the Ldap-UserDn available?
Jason
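
One way to write the VLAN assignment against the list that the 2.0.3 code quoted above actually populates, as an added example that is not part of the original post: it assumes unlang's 2.0 list qualifiers, where `control:` names the check-item list that `check_pairs` points at (the same list the 2.0.3 `pairadd` call writes to), and it reuses the DN pattern and VLAN values from the post. It does not address the edir_account_policy_check failure.

```unlang
# Added example, not from the original post or the FreeRADIUS sources.
# Assumes the 2.0 unlang list qualifier syntax: "control:" refers to the
# check-item list (request->config_items), which is where rlm_ldap 2.0.3's
# pairadd(check_pairs, ...) puts Ldap-UserDn, rather than the request
# packet list that an unqualified attribute name is matched against.
# The DN pattern and VLAN number are the ones from the post.
post-auth {
        if (control:Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := 3
                }
        }
}
```

With the unqualified form from the post, the debug output "(Attribute Ldap-UserDn was not found)" is consistent with the attribute living only in the check-item list; the `control:` qualifier makes the condition look there instead. Because rlm_ldap adds Ldap-UserDn during authorize, the block has to run after the ldap module in the same request, which for PEAP means the inner-tunnel request.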