Configuration trouble with fail-over
Guillaume Rousse
Guillaume.Rousse at inria.fr
Tue Apr 29 14:22:04 CEST 2008
Hello list.
I've recently upgraded my freeradius servers from 1.1.7 to 2.0.0, and
I've been hit badly by the change in the handling of LDAP-UserDn
attribute, as detailed in
http://www.nabble.com/Re%3A-LDAP-Groups-and-EAP-p14886209.html
I think this ought to be documented in rlm_ldap documentation (as well
as minor other changes, such as the new tls subsection).
I also tried to clean up my configuration a little bit. I think I found
a bug in the handling of the set_auth_type directive. From what I
understood, this directive governs the setting of the Auth-Type
attribute to 'LDAP' during the authorisation phase. However, whatever
its value, it's automatically disabled when launching radius at startup:
Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
Here is my authenticate section, using two ldap modules in fail-over:
authenticate {
        Auth-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                        handled
                }
        }
}
If I drop fail-over, everything works as expected. Should I report this as
a bug?
So far, the only workaround I found is to force the Auth-Type attribute
in the users file:
DEFAULT ldap1-LDAP-Group == admins, Auth-Type := LDAP, Huntgroup-Name == AdminNet
        Service-Type = Login,
        Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT ldap2-LDAP-Group == admins, Auth-Type := LDAP, Huntgroup-Name == AdminNet
        Service-Type = Login,
        Cisco-AVPair = "shell:priv-lvl=15"
But I can't make up my mind whether it is a good solution or not. According to
the comment in the default configuration file: "In general, you SHOULD NOT
set the Auth-Type attribute". According to Alan's answer in
http://www.nabble.com/Re%3A-Force-Auth-Type-p15069162.html
"The LDAP module setting Auth-Type to LDAP is a bit of a hack."
Which one should I believe?
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
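As an added example (not taken from the post above, nor from the FreeRADIUS project's shipped configuration), here is one way to lay out the same two-server fail-over so that Auth-Type is set once, explicitly, in the authorize section with unlang instead of being repeated on every users-file entry. The instance names ldap1 and ldap2 come from the post; the server hostnames and base DN are placeholders; and the use of `update control` together with the `ok`/`updated` return-code test after `redundant` is an assumption about FreeRADIUS 2.0 unlang that should be confirmed against `radiusd -X` output before relying on it.

```unlang
# --- radiusd.conf, modules section ---
# Two rlm_ldap instances against two directory servers. set_auth_type is
# left at its default: as the debug message in the post shows, the module
# overrides it anyway when it is only reachable through "redundant".
ldap ldap1 {
        server = "ldap1.example.org"          # placeholder hostname
        basedn = "dc=example,dc=org"          # placeholder base DN
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}
ldap ldap2 {
        server = "ldap2.example.org"          # placeholder hostname
        basedn = "dc=example,dc=org"          # placeholder base DN
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}

# --- radiusd.conf, authorize section ---
authorize {
        preprocess
        # Try the first directory, fall back to the second if it is down.
        redundant {
                ldap1
                ldap2
        }
        # Assumption: ldap returns ok/updated only when it found the user,
        # so Auth-Type is set exactly when a directory answered for them.
        # This replaces the "Auth-Type := LDAP" check item in the users file.
        if (ok || updated) {
                update control {
                        Auth-Type := LDAP
                }
        }
        files
}

# --- radiusd.conf, authenticate section ---
# Same fail-over pair for the bind; Auth-Type was already set above.
authenticate {
        Auth-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                }
        }
}

# --- users file ---
# Group and huntgroup checks stay here; Auth-Type no longer needs forcing.
DEFAULT ldap1-LDAP-Group == admins, Huntgroup-Name == AdminNet
        Service-Type = Login,
        Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT ldap2-LDAP-Group == admins, Huntgroup-Name == AdminNet
        Service-Type = Login,
        Cisco-AVPair = "shell:priv-lvl=15"
```

When testing this, run the server with `radiusd -X` and check two things in the debug output: that the "Over-riding set_auth_type" message still appears (it is expected, since the module is wrapped in redundant) and that an Access-Request for a user present in the directory shows Auth-Type being set in the control list before the authenticate section runs. If the second server is taken down, the request should still succeed via ldap1 with no change to the users file.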
More information about the Freeradius-Users
mailing list