Comments inline below....

> > I would expect to see an ldap_groupcmp registered to the
> > higher levels (ldap-basic and ldap-special) rather than what it really does -
> 
>   Why?
> 
>   The problem is that the "ldap_groupcmp" registration is done when
> the module is initialized, and the module has no way of knowing about
> "redundant" sections in the configuration files.
> 
>   Add to that the following problems:
> 
>   - "redundant" sections may have multiple *kinds* of modules,
>     and not just "ldap".  e.g. "ldap, sql, files, etc."
> 
>   - the same module may be used in a "redundant" section in
>     "authorize", and not in a "redundant" section in "authenticate".
> 
>   It's just too difficult to know what is the "right" thing to do.

I see your point. However, how does FR select which instance needs to
handle this request right at the start of handling the request? In the
debug log, the first thing I can see with respect to the first authorize
part of handling the request is "rlm_ldap: Entering ldap_groupcmp()".
From what I can see, the modcall code has already selected the instance
at this stage, as "instance" is an input parameter to this function. The
first instance (and thus a particular ldap_groupcmp) is apparently
selected before the autz-type is processed, because, once the latter is
done, the correct instance is chosen (judging from the connection to the
right LDAP port). It is the first that appears to be a "generic" choice.
In my case, as most parameters are the same (BaseDN, LDAP servers, etc),
with only the ports, attrmap and password_attribute being different,
perhaps it is the other parameters that are being used to make the
choice.

> 
> >         autztype ldap-basic {
> 
>   Please use "Autz-Type", the "autztype" name is deprecated, and may
> be removed in a future release.

This does not appear to work. Within the 'users' file, Autz-Type is
fine. However, when 'autz-type' is used instead of 'autztype' within the
'Authorize' section in radiusd.conf, radiusd reports an error while
processing the 'users' file (Unexpected trailing comma in check item
list for entry DEFAULT), which goes away when 'autztype' is used. There
is also a corresponding 'authtype' in the 'Authenticate' section, not
'auth-type'.

> 
> > Because of the latter behaviour, how do I then nominate a per
> > instance LDAP-Group attribute to use in the 'users' file, as the
> > DEFAULT statements in the latter have to be at a higher level (as
> > shown below), to make configurable failover work:
> 
>   Maybe we need sections for callbacks, where the callback code can
> package multiple modules together in a redundant section.
> 

Wouldn't these callback sections need to be within/related-to the
corresponding higher level sections (authorize, authenticate, etc)?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html