multiple ldap servers

jeff donovan jdonovan at beth.k12.pa.us
Fri May 4 21:05:36 CEST 2012


On May 4, 2012, at 10:14 AM, Alan DeKok wrote:

> snip
>> authorize {
> ...
>>    redundant {
>> ldap1
>> ldap2
>>    }
> 
>  Change that to:
> 
> 	ldap1
> 	if (notfound) {
> 		ldap2
> 	}
> 
>  And it will work.

Greetings, I read the unlang pages.

I modified my Authorize section, and you are correct: the user is found on ldap1, or the next server is checked.

Now it seems to be sticking on the first reject in the Authenticate section.

here is what I have:

authenticate {

	Auth-Type LDAP {
		ldap1
		if (reject) {
			ldap2
		}
	}
}

I have also tried

authenticate {
	Auth-Type LDAP {
		ldap1
		ldap2
	}
}


In this case, if the credentials do not exist on ldap1, everything stops.

here is my debug:

[ldap1] performing user authorization for drfoo
[ldap1] 	expand: %{Stripped-User-Name} -> 
[ldap1] 	... expanding second conditional
[ldap1] 	expand: %{User-Name} -> drfoo
[ldap1] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=drfoo)
[ldap1] 	expand: cn=users,dc=ldap1,dc=example.com -> cn=users,dc=ldap1,dc=example.com
  [ldap1] ldap_get_conn: Checking Id: 0
  [ldap1] ldap_get_conn: Got Id: 0
  [ldap1] performing search in cn=users,dc=ldap1,dc=example.com, with filter (uid=drfoo)
  [ldap1] object not found
[ldap1] search failed
  [ldap1] ldap_release_conn: Release Id: 0
++[ldap1] returns notfound
++? if (notfound)
? Evaluating (notfound) -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound) {...}
[ldap2] performing user authorization for drfoo
[ldap2] 	expand: %{Stripped-User-Name} -> 
[ldap2] 	... expanding second conditional
[ldap2] 	expand: %{User-Name} -> drfoo
[ldap2] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=drfoo)
[ldap2] 	expand: cn=users,dc=ldap2,dc=example.com -> cn=users,dc=ldap2,dc=example.com
  [ldap2] ldap_get_conn: Checking Id: 0
  [ldap2] ldap_get_conn: Got Id: 0
  [ldap2] performing search in cn=users,dc=ldap2,dc=example.com, with filter (uid=drfoo)
[ldap2] No default NMAS login sequence
[ldap2] looking for check items in directory...
  [ldap2] userPassword -> Password-With-Header == "********"
[ldap2] looking for reply items in directory...
[ldap2] Setting Auth-Type = LDAP
[ldap2] user drfoo authorized to use remote access
  [ldap2] ldap_release_conn: Release Id: 0
+++[ldap2] returns ok
++- if (notfound) returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Failed to decode Password-With-Header = "********"
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap1] login attempt by "drfoo" with password "XxXxXxX"
[ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
  [ldap1] (re)connect to ldap1.example.com:389, authentication 1
  [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX to ldap1.example.com:389
  [ldap1] waiting for bind result ...
  [ldap1] Bind failed with invalid credentials
++[ldap1] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
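The debug above shows the bind for the user found on ldap2 being attempted against ldap1 (user DN from dc=ldap2, bound to ldap1.example.com). One way to route the bind to the server that actually returned the DN, as an added example that is not part of this thread (FreeRADIUS 2.x unlang assumed; the Auth-Type names LDAP1 and LDAP2 are assumed, the ldap1/ldap2 instance names follow the post):

```unlang
# authorize: look the user up, and remember which server holds the account.
authorize {
	ldap1
	if (ok) {
		update control {
			# assumed Auth-Type name; matches the sub-section below
			Auth-Type := LDAP1
		}
	}
	# fall back when the user is absent from ldap1 or ldap1 is unreachable
	if (notfound || fail) {
		ldap2
		if (ok) {
			update control {
				Auth-Type := LDAP2
			}
		}
	}
	expiration
	logintime
	pap
}

# authenticate: each Auth-Type binds only against the server that
# supplied the user DN, so a reject from one server is final and the
# other directory is never tried with the same password.
authenticate {
	Auth-Type LDAP1 {
		ldap1
	}
	Auth-Type LDAP2 {
		ldap2
	}
}
```

Because the server that found the account is the only one asked to bind, a wrong password is not replayed against the second directory, which also avoids needless lockouts there.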
