Comments inline below....

> > I would expect to see a ldap_groupcmp registered to the
> > higher levels (ldap-basic and ldap-special) rather than what it really does -
>
> Why?
>
> The problem is that the "ldap_groupcmp" registration is done when
> the module is initialized, and the module has no way of knowing about
> "redundant" sections in the configuration files.
>
> Add to that the following problems:
>
> - "redundant" sections may have multiple *kinds* of modules,
> and not just "ldap". e.g. "ldap, sql, files, etc."
>
> - the same module may be used in a "redundant" section in
> "authorize", and not in a "redundant" section in "authenticate".
>
> It's just too difficult to know what is the "right" thing to do.
I see your point. However, how does FR select which instance needs to handle this request right at the start of handling the request? In the debug log, the first thing I can see with respect to the first authorize part of handling the request is "rlm_ldap: Entering ldap_groupcmp()". From what I can see, the modcall code has already selected the instance at this stage, as "instance" is an input parameter to this function. The first instance (and thus a particular ldap_groupcmp) is apparently selected before the autz-type is processed, because, once the latter is done, the correct instance is chosen (judging from the connection to the right LDAP port). It is the first that appears to be a "generic" choice. In my case, as most parameters are the same (BaseDN, LDAP servers, etc), with only the ports, attrmap and password_attribute being different, perhaps it is the other parameters that are being used to make the choice.

> > > autztype ldap-basic {
>
> Please use "Autz-Type", the "autztype" name is deprecated, and may
> be removed in a future release.

This does not appear to work. Within the 'users' file, Autz-Type is fine. However, when 'autz-type' is used instead of 'autztype' within the 'Authorize' section in radiusd.conf, radiusd reports an error while processing the 'users' file (Unexpected trailing comma in check item list for entry DEFAULT), which goes away when 'autztype' is used. Also, there is a corresponding 'authtype' in the 'Authenticate' section too, not 'auth-type'.

> > > Because of the latter behaviour, how do I then nominate a per
> > > instance LDAP-Group attribute to use in the 'users' file, as the
> > > DEFAULT statements in the latter have to be at a higher level (as
> > > shown below), to make configurable failover work:
>
> Maybe we need sections for callbacks, where the callback code can
> package multiple modules together in a redundant section.
Wouldn't these callback sections need to be within/related-to the corresponding higher level sections (authorize, authenticate, etc)?

NOTICE
This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
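For readers following the thread, the configuration shape being discussed (two rlm_ldap instances, an authorize sub-section per Autz-Type value wrapping them in a redundant block, and users-file entries that pick the Autz-Type) looks roughly like the fragment below. This is an added illustration, not the poster's configuration or anything from the FreeRADIUS project: the instance names, hosts, ports, base DN and the Realm check item are assumptions. It shows the failover layout the poster describes; it does not resolve the per-instance LDAP-Group question, which, as the quoted reply explains, depends on the compare function registered at module load rather than on which sub-section the request passes through.

```conf
# radiusd.conf (assumed example layout; names and values are made up)
modules {
    ldap ldap-basic {
        server   = "ldap.example.com"
        port     = 389
        basedn   = "dc=example,dc=com"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        password_attribute = "userPassword"
    }
    ldap ldap-special {
        server   = "ldap.example.com"
        port     = 636
        basedn   = "dc=example,dc=com"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap-special.attrmap
        password_attribute = "specialPassword"
    }
}

authorize {
    preprocess
    files
    # The poster reports that in this release the section keyword that
    # parses is "autztype"; the sub-section name must match the value the
    # users file assigns to Autz-Type. Each one lists both instances in a
    # redundant block, preferred instance first, so the other is the fallback.
    autztype ldap-basic {
        redundant {
            ldap-basic
            ldap-special
        }
    }
    autztype ldap-special {
        redundant {
            ldap-special
            ldap-basic
        }
    }
}

# users (assumed example entries): the check item on the left decides which
# autztype sub-section handles the request; "special" is a made-up realm.
# DEFAULT Realm == "special", Autz-Type := ldap-special
#         Fall-Through = Yes
# DEFAULT Autz-Type := ldap-basic
#         Fall-Through = Yes
```

Note that the compare attribute checked in a users-file entry (the LDAP-Group case the poster asks about) is evaluated by whichever instance registered it, independently of the autztype sub-section that later runs the redundant block; that is the gap the thread is discussing, and this fragment only shows the surrounding layout.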