LDAP-UserDN is not unique per ldap module instance (auth problem when multiple ldap module instances used)

Kostas Zorbadelos kzorba at otenet.gr
Mon Sep 17 12:57:58 CEST 2018

Hi Alan,

I confirm your fixes work now. Authentication succeeds when you use
multiple instances of the ldap module, provided you use per-instance
I think this should be made explicit in mods-available/ldap in commented
documentation. I see you put

	#  Name of the attribute that contains the user DN.
	#  The default name is LDAP-UserDn.
	#  If you have multiple LDAP instances, you should
	#  change this configuration item to:
	#	${.:instance}-LDAP-UserDn
	#  That change allows the modules to set their own
	#  User DN, and to not conflict with each other.
	user_dn = "LDAP-UserDn"

in the group {} section. I think this should be moved in the 
top level of the ldap module (or can you have user_dn in the group as

In my case I added

user_dn = ${.:instance}-LDAP-UserDn

in the top-level section of my ldap module instance (figured it out from
the code).

Best regards,

On Δευ, Σεπ 17 2018 at 01:53:26 πμ, Alan DeKok <aland at deployingradius.com> wrote:

> On Sep 16, 2018, at 4:05 PM, Kostas Zorbadelos <kzorba at otenet.gr> wrote:
>> tested with the latest 3.0.x branch, authentication does not work. I
>> think some more work has to be done in the patch. From what I
>> understand, mod_authenticate() in rlm_ldap.c calls rlm_ldap_find_user()
>> that I see gets directly LDAP-UserDN and not the module specific
>> instance 
>> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_ldap/ldap.c#L1104
>   I've pushed a fix, thanks.
>   Alan DeKok.

Kostas Zorbadelos	http://gr.linkedin.com/in/kzorba		

More information about the Freeradius-Users mailing list