It appears that the LDAP module in 2.0.3 is not setting the Ldap-UserDn in a way that is available for further analysis. The problem shows up when using "edir_account_policy_check = yes" and also when evaluating Ldap-UserDn with unlang or from other modules as described below in my previous post.
Does anyone have insight into this problem?

Jason

> I'm testing upgrading from 1.1.7 to 2.0.3 and have run into a problem with
> the LDAP module. The problem appears in 2 places. First, I'm using the
> --with-edir option so I have
>
>     password_attribute = nspmPassword
>
> and
>
>     edir_account_policy_check = yes
>
> set. However, in 2.0.3, when I set "edir_account_policy_check = yes", I
> get this error:
>
>     +- entering group post-auth
>     rlm_ldap: User's FQDN not in config items list.
>     ++[ldap] returns fail
>     PEAP: Tunneled authentication was rejected.
>     rlm_eap_peap: FAILURE
>
> If I don't set edir_account_policy_check, then authentication is
> successful, but the second problem shows up. A little background:
>
> In 1.1.7 I'm setting VLANs via the 'users' file like this:
>
>     DEFAULT Ldap-UserDn =~ "ou=is,ou=n,o=emu"
>             Tunnel-Type = "VLAN",
>             Tunnel-Medium-Type = "IEEE-802",
>             Tunnel-Private-Group-Id = 3
>
> and I've tried this in 2.0.3, but I've also tried unlang
>
>     if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) {
>         update reply {
>             Tunnel-Type := "VLAN"
>             Tunnel-Medium-Type := "IEEE-802"
>             Tunnel-Private-Group-Id := 3
>         }
>     }
>
> Neither of these works in 2.0.3. The VLAN does not get set. Files returns
> noop, and unlang shows in debug output
>
>     ++? if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i)
>     (Attribute Ldap-UserDn was not found)
>
> I did some digging and I think I know why this is. In rlm_ldap.c
> beginning at line 1306 is
>
>     /*
>      * Adding new attribute containing DN for LDAP object associated with
>      * given username
>      */
>     pairadd(check_pairs, pairmake("Ldap-UserDn", user_dn, T_OP_EQ));
>
> However, in 1.1.7 the code is
>
>     pairadd(&request->packet->vps, pairmake("Ldap-UserDn", user_dn, T_OP_EQ));
>
> If I add this line to 2.0.3 just after the existing pairadd line and
> recompile, then everything just works -- edir policy check works and I can
> set VLANs using files module or unlang.
>
> Is this a bug in 2.0.3 or am I missing something in my new config file
> that would make the Ldap-UserDn available?
>
> Jason
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
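The post shows the attribute being added to one list (check_pairs) in 2.0.3 and to another (request->packet->vps) in 1.1.7, and unlang reporting "Attribute Ldap-UserDn was not found". The following is an added example, not code from the post or from FreeRADIUS: a stand-alone C model of those two per-request attribute lists that reproduces the lookup failure and shows both ways it goes away. It assumes two things the page does not state outright: that check_pairs in 2.0.3 rlm_ldap points at the request's config items list (the list named in the "not in config items list" error), and that unlang resolves an unprefixed attribute name against the request packet list, with the "control:" prefix selecting the config items list. VALUE_PAIR, REQUEST, pairmake, pairadd, pairfind, pairfree, unlang_find and vlan_condition here are simplified stand-ins, not the library's real types or signatures, and the DN in SAMPLE_DN is constructed for the demo.

```c
/* Added example: model of FreeRADIUS-style attribute lists, not the real code. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct value_pair {
    char name[64];
    char value[256];
    struct value_pair *next;
} VALUE_PAIR;

typedef struct {
    VALUE_PAIR *packet_vps;   /* stands in for request->packet->vps  ("request" list) */
    VALUE_PAIR *config_items; /* stands in for request->config_items ("control" list) */
} REQUEST;

/* Constructed sample DN; its ou= path matches the condition in the post. */
static const char SAMPLE_DN[] = "cn=jason,ou=is,ou=n,o=emu";

static VALUE_PAIR *pairmake(const char *name, const char *value)
{
    VALUE_PAIR *vp = calloc(1, sizeof *vp);
    if (!vp) abort();
    snprintf(vp->name, sizeof vp->name, "%s", name);
    snprintf(vp->value, sizeof vp->value, "%s", value);
    return vp;
}

static void pairadd(VALUE_PAIR **list, VALUE_PAIR *vp)
{
    vp->next = *list; /* list order is irrelevant for this model */
    *list = vp;
}

static VALUE_PAIR *pairfind(VALUE_PAIR *list, const char *name)
{
    for (; list; list = list->next)
        if (strcmp(list->name, name) == 0) return list;
    return NULL;
}

static void pairfree(VALUE_PAIR **list)
{
    while (*list) {
        VALUE_PAIR *next = (*list)->next;
        free(*list);
        *list = next;
    }
}

/* Model of the rlm_ldap authorize step.  patched == 0 is the 2.0.3 line quoted
 * in the post (config items only); patched == 1 also adds the 1.1.7 line,
 * as the post's recompiled build does.  Assumption: check_pairs is the
 * config items list. */
static void ldap_authorize(REQUEST *request, const char *user_dn, int patched)
{
    VALUE_PAIR **check_pairs = &request->config_items;
    pairadd(check_pairs, pairmake("Ldap-UserDn", user_dn));
    if (patched)
        pairadd(&request->packet_vps, pairmake("Ldap-UserDn", user_dn));
}

/* unlang-style reference (assumed semantics): "control:X" -> config items,
 * plain "X" -> request packet list. */
static VALUE_PAIR *unlang_find(REQUEST *request, const char *ref)
{
    if (strncmp(ref, "control:", 8) == 0)
        return pairfind(request->config_items, ref + 8);
    return pairfind(request->packet_vps, ref);
}

/* Case-insensitive substring test, standing in for  =~ /.../i  */
static int ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle), i;
    for (; *hay; hay++) {
        for (i = 0; i < n && hay[i] &&
                    tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]); i++)
            ;
        if (i == n) return 1;
    }
    return 0;
}

/* Evaluates  if (<ref> =~ /ou=is,ou=n,o=emu/i)  on a freshly built request.
 * Returns 1 when the VLAN update would run, 0 when the attribute is absent
 * from the list being searched (or does not match). */
static int vlan_condition(int patched, const char *ref)
{
    REQUEST request = { NULL, NULL };
    VALUE_PAIR *vp;
    int matched;

    ldap_authorize(&request, SAMPLE_DN, patched);
    vp = unlang_find(&request, ref);
    matched = vp ? ci_contains(vp->value, "ou=is,ou=n,o=emu") : 0;

    pairfree(&request.packet_vps);
    pairfree(&request.config_items);
    return matched;
}

int main(void)
{
    printf("2.0.3   Ldap-UserDn         -> %d\n", vlan_condition(0, "Ldap-UserDn"));
    printf("2.0.3   control:Ldap-UserDn -> %d\n", vlan_condition(0, "control:Ldap-UserDn"));
    printf("patched Ldap-UserDn         -> %d\n", vlan_condition(1, "Ldap-UserDn"));
    return 0;
}
```

The model makes the point of the post concrete: the DN is present in the request, just not in the list that an unprefixed unlang reference or a `users`-file check item searches, so the VLAN condition evaluates false and the client silently lands on the default VLAN. If the assumption about check_pairs holds, referencing `control:Ldap-UserDn` in the unlang block would find it on an unmodified 2.0.3; running the server with `-X` and looking at which list the attribute is printed under is the way to confirm that on a real installation.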