802.1x, EAP and LDAP
Alan DeKok
aland at deployingradius.com
Tue Mar 4 10:45:37 CET 2008
Mike Richardson wrote:
> Looks like something odd is going on. I've removed freeradius and
> reinstalled it. I added the LDAP config and uncommented the various 'ldap' lines,
> see config.
You did a bit more than that. That additional effort is where the
problem is coming from.
> Defintiely uncommented:
>
> Auth-Type LDAP {
> uni_ldap
> }
There is no "uni_ldap" line in the default configuration. It's
"ldap". And yes, it makes a difference, for reasons that will become
clear later.
> radiusd.conf:
> ldap original {
> server = "ldap.your.domain"
> basedn = "o=My Org,c=UA"
...
> ldap uni_ldap {
> server = "UK-AC-MAN-MTEST"
> identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
...
Um... no. When I said "uncomment and configure the ldap module", it
did NOT mean "re-name the existing ldap module, and add a new one with a
different name".
The extra work you're doing is breaking the server. Stop it. Just
un-comment the original ldap module, and configure it. Don't re-name
it. Don't add a new ldap module.
> /usr/sbin/freeradius -X output:
...
> Module: Instantiated ldap (uni_ldap)
The module you created is called "uni_ldap", not "ldap". Hence the
confusion. If you had left it named "ldap", it would have Just Worked.
Or, if you changed the authenticate section to:
authenticate {
...
Auth-Type uni_ldap {
uni_ldap
}
...
}
Then it would also have worked. See the comments on module instance
names at the top of the "modules" section in "radiusd.conf". If you
create another instance of the LDAP module, then that instance is NOT
named "ldap". You MUST use it's instance name everywhere.
Again, just un-commenting and configuring the LDAP references in
radiusd.conf would have made this work. The extra effort you put into
it *broke* the configuration.
When I say "just un-comment and configure", I REALLY MEAN "just
un-comment and configure".
Alan DeKok.
More information about the Freeradius-Users
mailing list