"Tarun Bhushan" <[EMAIL PROTECTED]> wrote:
> I had noted this and saw that during module instantiation, a per
> instance ldap_groupcmp is registered. However, this is done for each
> separate individual instance.
Yes.
> I would expect to see a ldap_groupcmp registered to the higher levels
> (ldap-basic and ldap-special) rather than what it really does -
Why?
The problem is that the "ldap_groupcmp" registration is done when
the module is initialized, and the module has no way of knowing about
"redundant" sections in the configuration files.
Add to that the following problems:
- "redundant" sections may have multiple *kinds* of modules,
and not just "ldap". e.g. "ldap, sql, files, etc."
- the same module may be used in a "redundant" section in
"authorize", and not in a "redundant" section in "authenticate".
It's just too difficult to know what is the "right" thing to do.
> autztype ldap-basic {
Please use "Autz-Type", the "autztype" name is deprecated, and may
be removed in a future release.
> Because of the latter behaviour, how do I then nominate a per
> instance LDAP-Group attribute to use in the 'users' file, as the
> DEFAULT statements in the latter have to be at a higher level (as
> shown below), to make configurable failover work:
Maybe we need sections for callbacks, where the callback code can
package multiple modules together in a redundant section.
e.g. "%{ldap-special: ....}" could mean "try %{ldap1-special...},
and if that doesn't work, try %{ldap2-special...}".
I'm not sure how it would work for LDAP-Group, but it may help for
other things.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html