multiple ldap instances, which instance is used for searching?
Hi.
I had to create 3 instances for the ldap module. One is the default

    ldap { }

and then I got two named

    ldap ldap-eduroam { }
    ldap ldap-netdefault { }

I'm using the two named for doing attribute pulling in post-proxy.

Now my setup stopped working because suddenly ldap-eduroam was checking for groups when matching Ldap-Group. I was under the impression that when not specified with ldap-eduroam-Ldap-Group the default ldap entry would be used.

I had to instantiate the ldap modules in a special order

    instantiate {
        ldap-eduroam
        ldap-netdefault
        ldap
    }

so the ldap instance would take over again. Is this an expected behaviour? Will this solution hold or should I name the ldap instance as well and use the name-Ldap-Group everywhere?

thanks
mk

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: multiple ldap instances, which instance is used for searching?
On 03/07/13 17:34, Martin Kraus wrote:

> Now my setup stopped working because suddenly ldap-eduroam was checking for groups when matching Ldap-Group. I was under the impression that when not specified with ldap-eduroam-Ldap-Group the default ldap entry would be used.

No. Most recently instantiated, which can be essentially random.

Basically, don't do this; if you have 1 ldap instance, don't use Ldap-Group, always use instance-Ldap-Group

> I had to instantiate the ldap modules in a special order
>
>     instantiate {
>         ldap-eduroam
>         ldap-netdefault
>         ldap
>     }
>
> so the ldap instance would take over again. Is this an expected behaviour?

Yes

> Will this solution hold or should I name the ldap instance as well and use the name-Ldap-Group everywhere?

Yes
Re: multiple ldap instances, which instance is used for searching?
On 3 Jul 2013, at 17:34, Martin Kraus lists...@wujiman.net wrote:

> Hi.
> I had to create 3 instances for the ldap module. One is the default
>
>     ldap { }
>
> and then I got two named
>
>     ldap ldap-eduroam { }
>     ldap ldap-netdefault { }

That right there:

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L511

Would be a bug.

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: multiple ldap instances, which instance is used for searching?
On 3 Jul 2013, at 17:47, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 03/07/13 17:34, Martin Kraus wrote:
>
> > Now my setup stopped working because suddenly ldap-eduroam was checking for groups when matching Ldap-Group. I was under the impression that when not specified with ldap-eduroam-Ldap-Group the default ldap entry would be used.
>
> No. Most recently instantiated, which can be essentially random.
>
> Basically, don't do this; if you have 1 ldap instance, don't use Ldap-Group, always use instance-Ldap-Group

Yeah, that's awful behaviour. I've fixed it for 3.0.0, I guess if people are using it, probably not a good idea to change it for 2.x.x.

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
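
Added example, not part of the original thread and not FreeRADIUS project code: a small check that flags unqualified Ldap-Group comparisons when more than one ldap instance is declared, since the thread explains that such a check is answered by whichever instance was instantiated last. The sample configuration, the group names and the helper names are constructed for illustration; the check assumes the text contains only module declarations and policy sections.

```python
import re

# Constructed sample modelled on the thread; group names are made up.
SAMPLE_CONF = '''
ldap {
}
ldap ldap-eduroam {
}
ldap ldap-netdefault {
}
post-proxy {
    if (Ldap-Group == "staff") {
        ok
    }
    if (ldap-eduroam-Ldap-Group == "guests") {
        ok
    }
}
'''

# "ldap {" declares the default instance, "ldap NAME {" a named one.
INSTANCE_RE = re.compile(r'^[ \t]*ldap(?:[ \t]+([\w.-]+))?[ \t]*\{', re.M)
# Ldap-Group with no "<instance>-" prefix in front of it.
BARE_GROUP_RE = re.compile(r'(?<![\w-])Ldap-Group\b', re.I)

def strip_comment(line):
    """Drop a trailing '#' comment (simplification: ignores '#' inside quotes)."""
    return line.split('#', 1)[0]

def ldap_instances(conf):
    """Return the distinct ldap instance names declared in the text, sorted."""
    text = '\n'.join(strip_comment(l) for l in conf.splitlines())
    return sorted({m.group(1) or 'ldap' for m in INSTANCE_RE.finditer(text)})

def bare_group_checks(conf):
    """Return (line_number, text) for each unqualified Ldap-Group reference,
    reported only when more than one ldap instance is declared."""
    if len(ldap_instances(conf)) < 2:
        return []
    return [(n, line.strip())
            for n, line in enumerate(conf.splitlines(), 1)
            if BARE_GROUP_RE.search(strip_comment(line))]

if __name__ == '__main__':
    for n, text in bare_group_checks(SAMPLE_CONF):
        print(f'line {n}: unqualified Ldap-Group with multiple instances: {text}')
```

Each reported line is a group-based policy decision that may be evaluated against a different directory than intended; replacing it with the instance-qualified attribute removes the dependence on instantiation order.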