LDAP and module messages
Alan DeKok
aland at deployingradius.com
Tue May 27 17:14:00 UTC 2025
On May 27, 2025, at 11:15 AM, thomas <thomas.nodon at gmail.com> wrote:
> I believe in v2, it was due to our config, which set Auth-Type to
> ldap, and since it failed to retrieve a non-existent user from ldap it
> would log the ldap failure error.
>
> For our new config, we refrained from setting the Auth-Type to ldap as
> recommended by the documentation.
In most cases, the LDAP server can be queried, and can return the password to FreeRADIUS.
If the LDAP server can't (or won't) do that, then you have to set Auth-Type to LDAP.
> I could not find which attribute/variable to update with my message,
> since there is no failure in the authorize stanza.
You can add an attribute to raddb/dictionary, and then set a value in an "update" section.
> For now I have made the following linelog.
>
> linelog log_ldap_user_notfound {
>         filename = ${logdir}/radius.log
>         permissions = 0640
>         format = "%t : Login incorrect: (ldap: user %{User-Name} not found) Client-Mac = %{Calling-Station-Id}"
> }
>
> And added the following in the authorize stanza after ldap.
>
> ldap
> if (notfound) {
>         log_ldap_user_notfound
> }
That works, too.
> But this outputs an extra line in radius.log, since we use auth = yes in
> radiusd.conf.
>
> If there is a better way to do this, let me know; in the meantime, if I find
> a better solution I will post it to the mailing list.
See raddb/radiusd.conf, and the "log" section. You can edit the "msg_goodpass" configuration item to include more text, or another attribute.
Alan DeKok.
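The two suggestions in the reply above (a site-local attribute set in an "update" section, and extra text on the Login OK / Login incorrect lines via the "log" section) fit together as follows. This is an added configuration example, not code from the thread or from the FreeRADIUS project; the attribute name Local-LDAP-Status, the number 3000, and the sites-enabled/default layout are assumptions made for the example. Since the line being replaced is "Login incorrect", the text goes in msg_badpass; msg_goodpass takes the same form for "Login OK".

```unlang
# raddb/dictionary
# Site-local attribute. The stock raddb/dictionary reserves the
# 3000-4000 range for local use; name and number are assumptions.
ATTRIBUTE	Local-LDAP-Status	3000	string

# raddb/sites-enabled/default, authorize section.
# "notfound" tests the return code of the module that ran just before
# the "if", so it must follow ldap directly.
authorize {
	# ... preprocess, suffix, etc. as before ...
	ldap
	if (notfound) {
		update request {
			&Local-LDAP-Status := "ldap: user %{User-Name} not found"
		}
	}
	# ... pap, etc. as before ...
}

# raddb/radiusd.conf, log section. msg_goodpass / msg_badpass are
# xlat-expanded and appended to the "Login OK" / "Login incorrect"
# lines; they only appear when auth = yes. Other items (destination,
# file, ...) stay as they are.
log {
	auth = yes
	msg_goodpass = ""
	msg_badpass = "%{Local-LDAP-Status} Client-Mac = %{Calling-Station-Id}"
}
```

With this in place the existing "Login incorrect" line carries the reason and the client MAC, so the separate linelog call is no longer needed and no second line is written. When the attribute was never set (for example when the reject comes from a bad password rather than a missing user) the expansion is simply empty, which is why the Client-Mac part is kept in msg_badpass rather than in the attribute value.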
More information about the Freeradius-Users
mailing list