Guillaume Rousse wrote:
> I've recently upgraded my freeradius servers from 1.1.7 to 2.0.0,

  2.0.3 has been out for a while...

> and I've been hit badly by the change in the handling of LDAP-UserDn
> attribute, as detailed in
> http://www.nabble.com/Re%3A-LDAP-Groups-and-EAP-p14886209.html

  This was fixed in CVS head, in what will be 2.0.4.

> I think this ought to be documented in rlm_ldap documentation (as well
> as minor other changes, such as the new tls subsection).

  The new tls sub-section isn't required. The old-style configuration
*should* work.

> I also tried to clean up my configuration a little bit. I think I found
> a bug in the handling of the set_auth_type directive. From what I
> understood, this directive governs the setting of the Auth-Type
> attribute to 'LDAP' during the authorisation phase. However, whatever
> its value, it's automatically disabled when launching radius at startup:
>
> Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type,
> as we're not listed in the "authenticate" section.

  Yes... the LDAP module is now aware that you may have *multiple*
copies of the LDAP module running.

> Here is my authenticate section, using two ldap modules in fail-over:
> authenticate {
>     Auth-Type LDAP {
>         redundant {
>             ldap1
>             ldap2

  ldap1 != "LDAP".

>             handled
>         }
>     }
> }
>
> If I drop failover, everything works as expected. Should I report this
> as a bug?

  No.

> So far, the only workaround I found is to force the Auth-Type attribute
> in the user file:

  Yes. The old behavior was wrong.

> But I can't make up my mind if it is a good solution or not. According
> to the comment in the default configuration file: "In general, you
> SHOULD NOT set the Auth-Type attribute".

  In general. In some cases, it works. In this case, the knowledge that
you want to do LDAP authentication is buried inside of a "redundant"
section.

> According to Alan's answer in
> http://www.nabble.com/Re%3A-Force-Auth-Type-p15069162.html
> "The LDAP module setting Auth-Type to LDAP is a bit of a hack."

  Yes.

  If you use the LDAP server as a *database*, then there's no need to
set Auth-Type. FreeRADIUS just figures it out. The only reason to use
Auth-Type = LDAP is when you're using LDAP as an *authentication*
server, not as a database.

> Which one should I believe?

  All of them. There are generalizations, which are usually true. In
addition, there are specific corner cases where the generalizations
aren't true.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
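Putting the two halves of the thread together, as an added configuration example that is neither the poster's full configuration nor anything shipped by the FreeRADIUS project: the fail-over block exactly as the poster showed it, plus the workaround Alan confirms, a users-file entry that forces Auth-Type because rlm_ldap will not set it when its instances are named `ldap1` and `ldap2` rather than `LDAP`. The `DEFAULT` entry and its placement are assumed; a real deployment would scope it to the entries that should actually authenticate against LDAP.

```text
# --- raddb/users (constructed entry, assumed placement) ---
# Force the Auth-Type here, since neither "ldap1" nor "ldap2" is listed
# directly in the authenticate section and set_auth_type is therefore
# overridden at startup ("ldap1" != "LDAP").
DEFAULT Auth-Type := LDAP

# --- authenticate section, as posted in the thread ---
# Both LDAP instances are tried in turn; "handled" is the last entry of
# the redundant block, so the request is marked handled if both fail.
authenticate {
    Auth-Type LDAP {
        redundant {
            ldap1
            ldap2
            handled
        }
    }
}
```

With the users-file entry in place, the authorize phase already carries Auth-Type = LDAP when the authenticate section runs, so the `Auth-Type LDAP` block is selected regardless of what the module instances are called; the startup debug line about set_auth_type being overridden is then expected and harmless.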