Re: Multiple LDAP (Not failover) lookup...
- To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
- Subject: Re: Multiple LDAP (Not failover) lookup...
- From: Eric Martell <workoutexcite@yahoo.com>
- Date: Thu, 9 Nov 2006 10:44:44 -0800 (PST)
- In-reply-to: <20061107231216.BB52516DDE@mail.nitros9.org>
- Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Thanks Alan.
I figured it out. It should be
ldap2 {
    notfound = reject
}
as ldap2 is returning notfound status.
Thanks so much again.
--- Alan DeKok <aland@deployingradius.com> wrote:
> Eric Martell <workoutexcite@yahoo.com> wrote:
> > Thanks so much Neal. You got it 95% right. The problem
> > is FreeRadius always authorizes first (no matter what
> > the order in radiusd.conf) and then authenticates.
>
> Yes, that's how the server works.
>
> > (****This authorize should break the sequence and
> > return FAIL. I tried ldap2 { fail = return } but no
> > help...still returns notfound ****)
>
> See doc/configurable_failover. You may want:
>
> ...
> ldap2 {
>     fail = reject
> }
> ...
>
> > Technically it should authenticate and then authorize
> > and send the group response (AND) of both.
>
> Then... configure it to do that. The default behavior is that a
> "notfound" error is NOT fatal, because another module or database may
> find the user.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
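A simplified model of the return-code handling discussed in this thread, added here as an illustration (it is not code from the posters or from FreeRADIUS). The default action table is an assumption modelled on doc/configurable_failover, and `run_section`, `DEFAULT_ACTIONS` and the sample results are hypothetical names and constructed data.

```python
# Added example: a simplified model of FreeRADIUS per-module return-code actions.
# ASSUMPTION: the default authorize-section actions below are modelled on
# doc/configurable_failover. A number is a priority (highest wins), "return"
# stops processing with that code, "reject" stops and forces a reject.
DEFAULT_ACTIONS = {
    "reject": "return", "fail": "return", "handled": "return",
    "invalid": "return", "userlock": "return",
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
}


def run_section(modules, results):
    """Evaluate one section and return its final code.

    modules: ordered list of (module_name, action_overrides)
    results: module_name -> return code that module yields (constructed input)
    """
    best_code, best_prio = "noop", 0
    for name, overrides in modules:
        rcode = results[name]
        action = {**DEFAULT_ACTIONS, **overrides}[rcode]
        if action == "reject":      # override forces an immediate reject
            return "reject"
        if action == "return":      # stop here with the module's own code
            return rcode
        if action > best_prio:      # otherwise keep the highest-priority code
            best_code, best_prio = rcode, action
    return best_code


# Constructed case from the thread: the user exists in ldap1 but not in ldap2.
ONLY_IN_LDAP1 = {"ldap1": "ok", "ldap2": "notfound"}


def demo():
    """Section result for the three ldap2 configurations seen in the thread."""
    def with_ldap2(overrides):
        return run_section([("ldap1", {}), ("ldap2", overrides)], ONLY_IN_LDAP1)
    return {
        "default": with_ldap2({}),
        "fail=reject": with_ldap2({"fail": "reject"}),
        "notfound=reject": with_ldap2({"notfound": "reject"}),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:16} -> {outcome}")
```

In this model only the `notfound = reject` override stops a user who is missing from the second directory; `fail = reject` never triggers because ldap2 returns notfound, not fail.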