Issue with PAP/LDAP authentication after upgrade FR 2.0.5 to FR 2.1.1

John Dennis jdennis at
Thu Dec 4 02:47:03 CET 2008

John Dennis wrote:
> Thibault Le Meur wrote:
>> T
>> I've searched and finally found out what occured. I'm using Fedora 
>> Core 9 and after the FR package update here is what occured: a lot of 
>> files including module files from the new RPM package were added as 
>> /etc/raddb/modules/<modulename>.rpmnew
>> So at startup here is what is loaded:
>> ...
>> including configuration file /etc/raddb/modules/pap.rpmnew
>> ...
>> including configuration file /etc/raddb/modules/pap
>> ...
>> Most of my setup was working because I use specific instance of the 
>> modules such as "ldap-mycompany" and not the default "ldap" name. 
>> However, I use the std name for the pap module... I may change this 
>> in the future to avoid such issues after upgrade.
>> I don't know if I should report this to the package maintainer or not.
>> What do you think ?
> I'm here :-)
> The files under /etc/raddb/modules are configuration files. 
> Configuration files by definition are available for editing. It is 
> usually considered bad practice for rpm during an upgrade to overwrite 
> user modified configuration files. If rpm thinks a configuration file 
> has been modified instead of overwriting the configuration file with 
> the version from the new package it instead lays a new copy of that 
> file down with the .rpmnew extension. It's your job as a system 
> administrator to pay attention to the presence of .rpmnew files, 
> during installation it will warn you such files were created which is 
> your signal to investigate. If you miss the warnings you should still 
> periodically check under /etc for the presence of .rpmnew files and 
> .rpmsave by the same token.
> Now having said that, it's entirely possible there is a packaging 
> problem and the .rpmnew files should not have been created, I'll go 
> off and take a look at that issue. My recollection is that rpm is 
> smart enough to detect the case where the old version of a config file 
> differs from the new version but the old version was not locally 
> edited. I believe this is case you're describing. In this instance rpm 
> should replace the config files and not generate a .rpmnew. Did you 
> edit the pap config file in any manner?
I've looked at the packaging with respect to how the .rpmnew files are 
being handled and I believe everything is correct. What is probably 
missing is documentation on this so I've updated the FreeRADIUS Red Hat 
FAQ ( and added a section 
describing what happens to configuration files during a RPM upgrade 

FWIW, I also updated the FAQ to cover the some of the cases which 
confused a recent user who was attemping to build the RPM's locally on 

John Dennis <jdennis at>

More information about the Freeradius-Users mailing list