Configuration trouble with fail-over
Alan DeKok
aland at deployingradius.com
Tue Apr 29 14:42:51 CEST 2008
Guillaume Rousse wrote:
> I've recently upgraded my freeradius servers from 1.1.7 to 2.0.0,
2.0.3 has been out for a while...
>
and
> I've been hit badly by the change in the handling of LDAP-UserDn
> attribute, as detailed in
> http://www.nabble.com/Re%3A-LDAP-Groups-and-EAP-p14886209.html
This was fixed in CVS head, in what will be 2.0.4.
> I think this ought to be documented in rlm_ldap documentation (as well
> as minor other changes, such as the new tls subsection).
The new tls sub-section isn't required. The old-style configuration
*should* work.
> I also tried to clean up my configuration a little bit. I think I found
> a bug in the handling of set_auth_type directive. From what I
> understood, this directive governs the setting of the Auth-Type
> attribute to 'LDAP' during the authorisation phase. However, whatever
> its value, it's automatically disabled when launching radius at startup:
>
> Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type,
> as we're not listed in the "authenticate" section.
Yes... the LDAP module is now aware that you may have *multiple*
copies of the LDAP module running.
> Here is my authenticate section, using two ldap modules in fail-over:
> authenticate {
> Auth-Type LDAP {
> redundant {
> ldap1
> ldap2
ldap1 != "LDAP".
> handled
> }
> }
> }
>
> If I drop failover, everything works as expected. Should I report this as
> a bug ?
No.
> So far, the only workaround I found is to force the Auth-Type attribute
> in the user file:
Yes. The old behavior was wrong.
> But I can't make my mind if it is a good solution or not. According to
> the comment in default configuration file: "In general, you SHOULD NOT
> set the Auth-Type attribute".
In general. In some cases, it works. In this case, the knowledge
that you want to do LDAP authentication is buried inside of a
"redundant" section.
> According to Alan's answer in
> http://www.nabble.com/Re%3A-Force-Auth-Type-p15069162.html
> "The LDAP module setting Auth-Type to LDAP is a bit of a hack."
Yes. If you use the LDAP server as a *database*, then there's no need
to set Auth-Type. FreeRADIUS just figures it out.
The only reason to use Auth-Type = LDAP is when you're using LDAP as
an *authentication* server, not as a database.
> Which one should I believe ?
All of them. There are generalizations, which are usually true. In
addition, there are specific corner cases where the generalizations
aren't true.
Alan deKok.
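The setup discussed in this thread, written out as a constructed FreeRADIUS 2.0-style configuration (an added illustration, not a configuration posted by either participant): two rlm_ldap instances named ldap1 and ldap2 in a "redundant" block, and a "users" file entry that forces Auth-Type because the module instances are not named "LDAP". The server addresses, bind DN, base DN and filter are placeholders.

```conf
# modules/ldap (constructed example): two instances of the same module.
# Because neither instance is called "LDAP", rlm_ldap logs
# "Over-riding set_auth_type" and does not set Auth-Type itself.
ldap ldap1 {
        server   = "ldap-primary.example.org"     # placeholder
        identity = "cn=radius,dc=example,dc=org"  # placeholder bind DN
        password = "CHANGE-ME"                    # placeholder
        basedn   = "ou=people,dc=example,dc=org"  # placeholder
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        set_auth_type = yes    # ignored here, see the log line above
}
ldap ldap2 {
        server   = "ldap-secondary.example.org"   # placeholder
        identity = "cn=radius,dc=example,dc=org"  # placeholder bind DN
        password = "CHANGE-ME"                    # placeholder
        basedn   = "ou=people,dc=example,dc=org"  # placeholder
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        set_auth_type = yes
}

# sites-enabled/default, authenticate section: try ldap1, fall back to ldap2
# only if ldap1 fails (server unreachable), not if it rejects the user.
authenticate {
        Auth-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                        handled
                }
        }
}

# users file: the workaround from the thread. The "redundant" block hides
# the intent to authenticate against LDAP, so Auth-Type is forced here.
DEFAULT Auth-Type := LDAP
        Fall-Through = No
```

With LDAP used as an authentication server (bind as the user), this is one of the corner cases where forcing Auth-Type is appropriate; with LDAP used only as a password database, leave Auth-Type unset and let the server select the authentication method.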