I'm testing upgrading from 1.1.7 to 2.0.3 and have run into a problem with the LDAP module. The problem appears in two places.

First, I'm using the --with-edir option, so I have

    password_attribute = nspmPassword
    edir_account_policy_check = yes

set. However, in 2.0.3, when I set "edir_account_policy_check = yes", I get this error:

    +- entering group post-auth
    rlm_ldap: User's FQDN not in config items list.
    ++[ldap] returns fail
    PEAP: Tunneled authentication was rejected.
    rlm_eap_peap: FAILURE

If I don't set edir_account_policy_check, then authentication is successful, but the second problem shows up.

A little background: in 1.1.7 I'm setting VLANs via the 'users' file like this:

    DEFAULT Ldap-UserDn =~ "ou=is,ou=n,o=emu"
            Tunnel-Type = "VLAN",
            Tunnel-Medium-Type = "IEEE-802",
            Tunnel-Private-Group-Id = 3

I've tried this in 2.0.3, but I've also tried unlang:

    if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
            Tunnel-Private-Group-Id := 3
        }
    }

Neither of these works in 2.0.3. The VLAN does not get set. Files returns noop, and unlang shows in the debug output:

    ++? if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i)
    (Attribute Ldap-UserDn was not found)

I did some digging and I think I know why this is. In rlm_ldap.c, beginning at line 1306, is

    /*
     * Adding new attribute containing DN for LDAP object associated with
     * given username
     */
    pairadd(check_pairs, pairmake("Ldap-UserDn", user_dn, T_OP_EQ));

However, in 1.1.7 the code is

    pairadd(&request->packet->vps, pairmake("Ldap-UserDn", user_dn, T_OP_EQ));

If I add this line to 2.0.3 just after the existing pairadd line and recompile, then everything just works -- the eDir policy check works and I can set VLANs using the files module or unlang.

Is this a bug in 2.0.3 or am I missing something in my new config file that would make Ldap-UserDn available?

Jason

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
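The following is an added example, not part of Jason's post and not code from the FreeRADIUS project. It rests on one assumption drawn from the post: since the 2.0.3 rlm_ldap adds Ldap-UserDn to check_pairs (the request's config items) rather than to the request packet, the attribute should be reachable from unlang through the control: list instead of as a bare request attribute, which is why the unquoted `Ldap-UserDn` test reports "not found". The VLAN values and the DN pattern are copied from the post; the placement after `ldap` in `authorize` is the assumed minimal layout.

```unlang
# Added example (not from the original post or from FreeRADIUS itself).
# Assumption: the Ldap-UserDn pair that rlm_ldap 2.0.x puts into
# check_pairs shows up in the control (config item) list, so it is
# referenced as control:Ldap-UserDn, not as a request attribute.
authorize {
    # rlm_ldap must run first so the DN lookup has happened.
    ldap

    # Same test as in the post, but against the control list.
    if (control:Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
            Tunnel-Private-Group-Id := 3
        }
    }
}
```

Because this is PEAP, the rule belongs in the virtual server that processes the tunneled (inner) request, since that is the request for which `ldap` resolved the DN; for the Tunnel-* attributes to reach the NAS, the outer reply has to receive them as well (in 2.x this is what the `use_tunneled_reply` option of the peap section is for). Check with `radiusd -X` that the `if` line now evaluates rather than reporting the attribute as not found; if it still does not, the control-list assumption above does not hold for this build and the DN is being placed somewhere else.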