LDAP-UserDN is not unique per ldap module instance (auth problem when multiple ldap module instances used)

Alan DeKok aland at deployingradius.com
Fri Sep 14 14:14:18 CEST 2018

On Sep 14, 2018, at 8:04 AM, Kostas Zorbadelos <kzorba at otenet.gr> wrote:
> in my current authentication policy, I use 2 instances of the LDAP
> module. The first instance queries the directory in a specific branch
> and gets information used in later checks.
> The other instance is used to authorize the user (and also authenticate
> him in some rare situations) and queries another branch.
> The problem is that when the second LDAP module is used for the
> authentication, it tries to bind with an LDAP-UserDN attribute obtained
> from the first module. I need to rewrite control:LDAP-UserDN for this to
> work. Tracing a bit the source, I saw that LDAP-UserDN is set with the
> '=' operator:
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_ldap/ldap.c#L1216
> Is this by design? I would expect each module instance to have its own
> LDAP-UserDN and use that when used in authentication. Am I missing
> something, or is this something worth raising a github issue for?

  No, each module should have its own LDAP-UserDN, just like each module has its own LDAP-Group operator.

  I'll see if I can push a fix.

  Alan DeKok.
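The workaround the original poster describes (rewriting control:LDAP-UserDN between the two instances) looks like the following in a v3.0.x policy. This is an added illustration, not configuration from the thread or from the FreeRADIUS project; the instance names ldap_info and ldap_auth are assumed.

```unlang
# Assumed: two rlm_ldap instances are defined in mods-enabled/ldap,
# "ldap_info" (lookup branch) and "ldap_auth" (authorization/bind branch).
authorize {
    # First instance: finds the user in the lookup branch and, because
    # rlm_ldap uses the '=' operator, sets control:LDAP-UserDN only if it
    # is not already present. After this call it holds the lookup-branch DN.
    ldap_info

    # Without this step the second instance would reuse the DN set above and
    # try to bind as the wrong entry. Remove it so ldap_auth does its own
    # user search and stores the DN from its own branch.
    update control {
        &LDAP-UserDN !* ANY
    }

    # Second instance: searches its own branch and sets a fresh LDAP-UserDN.
    ldap_auth

    # Only use an LDAP bind for authentication when no other credential
    # (e.g. a cleartext password pulled from the directory) is available.
    if (ok && !control:Cleartext-Password) {
        update control {
            &Auth-Type := ldap_auth
        }
    }
}

authenticate {
    # Bind as control:LDAP-UserDN (now the DN found by ldap_auth) with the
    # user's supplied password.
    Auth-Type ldap_auth {
        ldap_auth
    }
}
```

Once a fix lands that scopes LDAP-UserDN per instance, the update block removing the attribute becomes unnecessary but stays harmless.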
