redundant LDAP-Group

Alexander Clouter alex at digriz.org.uk
Thu Dec 2 12:54:28 CET 2010


Hi,

I know this has been covered in the archives, and the news is generally 
not good, but my users file currently looks like:
----
DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis, ldap_login1-LDAP-Group == it-switch-admin
        Service-Type = Administrative-User
DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis, ldap_login2-LDAP-Group == it-switch-admin
        Service-Type = Administrative-User
DEFAULT NAS-Identifier == switch, Huntgroup-Name == cisco, NAS-Port-Type == Virtual, ldap_login1-LDAP-Group == it-switch-admin
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT NAS-Identifier == switch, Huntgroup-Name == cisco, NAS-Port-Type == Virtual, ldap_login2-LDAP-Group == it-switch-admin
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT NAS-Identifier == switch, Auth-Type := Reject
----

In my global configuration I have:
----
instantiate {
	ldap_login1
	ldap_login2
	redundant-load-balance ldap-login {
		ldap_login1
		ldap_login2
	}

	ldap_lanwarden1
	ldap_lanwarden2
	redundant-load-balance ldap-lanwarden {
		ldap_lanwarden1
		ldap_lanwarden2
	}
}
----

It would be really nice to fold those duplicate LDAP-Group lines into 
'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
----
/etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT: Invalid octet string "it-switch-admin" for attribute name "ldap_login-LDAP-Group"
Errors reading /etc/freeradius/LOCAL/users-login
/etc/freeradius/LOCAL/modules.conf[1]: Instantiation failed for module "files-login"
/etc/freeradius/sites-enabled/login[72]: Failed to load module "files-login".
/etc/freeradius/sites-enabled/login[35]: Errors parsing authorize section.
----

This 'redundant' LDAP-Group problem often crops up; unfortunately it is 
way above my head to resolve.

Another "moon-on-a-stick" feature is that I have two sets of LDAP 
servers configured[1], in my authorise section I have:
----
authorize {
	...

	ldap-login
	if (!ok) {
		reject
	}

	files

	...
}
----

If I instead simply use 'LDAP-Group' in the users file, 'ldap-lanwarden' 
is invoked (rather than me expecting a continuation of the last used LDAP 
server)...  Is this a bug or a 'feature'?

Cheers

[1] ldap_login[12] -> ldap_login, ldap_lanwarden[12] -> ldap_lanwarden

-- 
Alexander Clouter
.sigmonster says: An idea is not responsible for the people who believe in it.
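One way to collapse the duplicated ldap_login1/ldap_login2 entries, shown here as an added example that is neither from the original post nor from the FreeRADIUS project: do the group test once in unlang, right after the redundant-load-balance call, and have the users file key on a single locally defined attribute. The attribute name Switch-Admin-Role and its number 3000 are placeholders that would have to be declared in the local dictionary (e.g. `ATTRIBUTE Switch-Admin-Role 3000 string` in /etc/freeradius/dictionary); the per-instance comparison attributes ldap_login1-LDAP-Group and ldap_login2-LDAP-Group are the ones already used in the post.

```unlang
# --- /etc/freeradius/sites-enabled/login, authorize section (example) ---
authorize {
	...

	# Bind/search against whichever login server the redundant-load-balance
	# group selects; unknown users are rejected before any group lookup.
	ldap-login
	if (!ok) {
		reject
	}

	# Only switch logins need the admin-group test, so it is done once here
	# rather than once per DEFAULT entry.  Each comparison is answered by the
	# named ldap instance: if ldap_login1 is unreachable that comparison just
	# fails to match and the second one consults ldap_login2.
	if (NAS-Identifier == "switch") {
		if ((ldap_login1-LDAP-Group == "it-switch-admin") || (ldap_login2-LDAP-Group == "it-switch-admin")) {
			update request {
				# Switch-Admin-Role is a placeholder attribute defined in
				# the local dictionary (assumption, not from the post).
				Switch-Admin-Role := "it-switch-admin"
			}
		}
	}

	files

	...
}

# --- /etc/freeradius/LOCAL/users-login (example) ---
# One entry per platform instead of one per LDAP instance; anyone without the
# attribute still falls through to the final catch-all Reject.
DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis, Switch-Admin-Role == it-switch-admin
	Service-Type = Administrative-User
DEFAULT NAS-Identifier == switch, Huntgroup-Name == cisco, NAS-Port-Type == Virtual, Switch-Admin-Role == it-switch-admin
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT NAS-Identifier == switch, Auth-Type := Reject
```

The point of keeping the test in unlang is that the group lookup is explicit about which LDAP instance it asks, so there is no dependence on whichever instance happens to own the generic LDAP-Group name, and the fail-closed behaviour of the last DEFAULT entry is unchanged for switch sessions that never receive the attribute.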
