"Tarun Bhushan" <[EMAIL PROTECTED]> wrote:
> I had noted this and saw that during module instantiation, a per
> instance ldap_groupcmp is registered. However, this is done for each
> separate individual instance.

Yes.

> I would expect to see a ldap_groupcmp registered to the higher levels
> (ldap-basic and ldap-special) rather than it what it really does -

Why? The problem is that the "ldap_groupcmp" registration is done when the module is initialized, and the module has no way of knowing about "redundant" sections in the configuration files.

Add to that the following problems:

- "redundant" sections may have multiple *kinds* of modules, and not just "ldap". e.g. "ldap, sql, files, etc."

- the same module may be used in a "redundant" section in "authorize", and not in a "redundant" section in "authenticate".

It's just too difficult to know what is the "right" thing to do.

> autztype ldap-basic {

Please use "Autz-Type", the "autztype" name is deprecated, and may be removed in a future release.

> Because of the latter behaviour, how do I then nominate a per
> instance LDAP-Group attribute to use in the 'users' file, as the
> DEFAULT statements in the latter have to be at a higher level (as
> shown below), to make configurable failover work:

Maybe we need sections for callbacks, where the callback code can package multiple modules together in a redundant section. e.g. "%{ldap-special: ....}" could mean "try %{ldap1-special...}, and if that doesn't work, try %{ldap2-special...}

I'm not sure how it would work for LDAP-Group, but it may help for other things.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html