How to use different ldap-modules?

Florian Prester Florian.Prester at rrze.uni-erlangen.de
Mon Jun 20 14:59:46 CEST 2005


Hi

I configured two ldap modules: one that retrieves a clear-text password for 
PEAP-TLS with MS-CHAPv2 or plain CHAP authentication,
and one that retrieves a Crypt-Password for PAP authentication.

radiusd.conf:
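ldap ldap-PEAP {
                # LDAP module instance for PEAP (MS-CHAPv2) / CHAP: its mapping
                # file is the one meant to pull the clear-text password into
                # the request. Server, port, bind DN, base DN and filter are the
                # same as in ldap-PAP; the two instances differ only in the
                # mapping file.
                server = "ip"
                # Non-standard port (plain LDAP is normally 389, LDAPS 636);
                # whether this port is TLS-terminated is not visible here.
                port = 400
                # Bind DN used for the directory search (one line; a line break
                # inside the quoted DN would not parse).
                identity = "cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE"
                # The bind password sits in clear text in this file, so
                # radiusd.conf must stay readable by the radiusd user only.
                password = xxxxxx
                basedn = "ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE"
                # Looks up the stripped user name, falling back to User-Name.
                filter = "(Userid=%{Stripped-User-Name:-%{User-Name}})"
                # NOTE(review): with start_tls off, the bind credentials and
                # the password attribute fetched below cross the network
                # unencrypted unless port 400 already speaks TLS -- confirm.
                start_tls = no
                # NOTE(review): the access check is keyed on "uid", which
                # presumably every entry carries, so it may not restrict
                # anyone -- verify this is the intended gate.
                access_attr = "uid"
                # The mapping file for PEAP: -> retrieves the cleartext password
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5
                # NOTE(review): password_attribute names the directory
                # attribute that holds the password (commonly userPassword);
                # "User-Password" is the RADIUS attribute name -- check that
                # this matches the directory schema.
                password_attribute = "User-Password"
                timeout = 24
                timelimit = 23
                net_timeout = 1
                # NOTE(review): LDAP library debug output at this level can
                # include directory data, possibly the password attribute this
                # module fetches; presumably a troubleshooting setting, lower
                # it once the setup works.
                ldap_debug = 5
        }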
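   ldap ldap-PAP {
                # LDAP module instance for PAP: its mapping file is the one
                # meant to retrieve the Crypt-Password. Server, port, bind DN,
                # base DN and filter are the same as in ldap-PEAP; the two
                # instances differ only in the mapping file.
                server = "ip"
                # Non-standard port (plain LDAP is normally 389, LDAPS 636);
                # whether this port is TLS-terminated is not visible here.
                port = 400
                # Bind DN used for the directory search (one line; a line break
                # inside the quoted DN would not parse).
                identity = "cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE"
                # The bind password sits in clear text in this file, so
                # radiusd.conf must stay readable by the radiusd user only.
                password = xxxx
                basedn = "ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE"
                # Looks up the stripped user name, falling back to User-Name.
                filter = "(Userid=%{Stripped-User-Name:-%{User-Name}})"
                # Made explicit to match ldap-PEAP (the module default is also
                # "no"). NOTE(review): without TLS the bind credentials and the
                # password attribute fetched below cross the network
                # unencrypted unless port 400 already speaks TLS -- confirm.
                start_tls = no
                # NOTE(review): the access check is keyed on "uid", which
                # presumably every entry carries, so it may not restrict
                # anyone -- verify this is the intended gate.
                access_attr = "uid"
                # The mapping file for PAP: -> retrieves the User-Password
                dictionary_mapping = ${raddbdir}/ldap.attrmap.pap

                ldap_connections_number = 5
                # NOTE(review): password_attribute names the directory
                # attribute that holds the password (commonly userPassword);
                # "User-Password" is the RADIUS attribute name -- check that
                # this matches the directory schema.
                password_attribute = "User-Password"
                timeout = 24
                timelimit = 23
                net_timeout = 1
                # NOTE(review): LDAP library debug output at this level can
                # include directory data, possibly the password attribute this
                # module fetches; presumably a troubleshooting setting, lower
                # it once the setup works.
                ldap_debug = 5
        }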

In the authorize section I have added a "group", as described in 
configurable_failover:
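authorize {
 preprocess
 suffix
 chap
 mschap
 # Modular failover: every module below gets the same return-code
 # priority table, so only the module order and "ok = return" decide the
 # outcome. "ok = return" ends the group as soon as that module returns
 # ok, so ldap-PEAP, eap and files are only consulted when ldap-PAP did
 # not succeed -- presumably the "only takes the first entry" behaviour
 # described in the mail.
 group {
        ldap-PAP {  # first try ldap-PAP, only return if it succeeds
        notfound = 1
        noop = 2
        updated = 3
        fail = 4
        reject = 5
        userlock = 6
        invalid = 7
        handled = 8
        ok = return
        }
        ldap-PEAP {  # then ldap-PEAP
        notfound = 1
        noop = 2
        updated = 3
        fail = 4
        reject = 5
        userlock = 6
        invalid = 7
        handled = 8
        ok = return
        }
        eap {  # then EAP
        notfound = 1
        noop = 2
        updated = 3
        fail = 4
        reject = 5
        userlock = 6
        invalid = 7
        handled = 8
        ok = return
        }
        files {  # then files
        notfound = 1
        noop = 2
        updated = 3
        fail = 4
        reject = 5
        userlock = 6
        invalid = 7
        handled = 8
        ok = return
        }
 }
 # Closing brace for authorize; the listing above ended after the group
 # brace, which leaves the section unterminated.
}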

But it only uses the first entry, and if I switch the order of ldap-PAP 
and ldap-PEAP, so that it should take ldap-PAP and therefore retrieve a 
Crypt-Password from the ldap-PAP section, it wants to use ldap for 
authentication!?!?!?



What am I doing wrong?

Thanks
in advance
Flo


-- 
--------------------------------------------------------------
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany

Tel.: +499131 8527813



