multiple ldap servers::solved::

jeff donovan jdonovan at beth.k12.pa.us
Sun May 6 21:31:27 CEST 2012


On May 5, 2012, at 5:09 AM, Alan DeKok wrote:

> jeff donovan wrote:
>> I made two changes and it worked... not sure if it's the best syntax, but it's the first time I got both systems to call back.
>> 
>> authorize {
>> 
>> 	ldap1
>> 	if (notfound) {
>>   		ldap2 
>>   	}
> 
>  This is OK.
> 
>>   	if (reject) {
>>   		ldap2
>>   	}
> 
>  This doesn't do anything.  If ldap1 rejects the user (which it won't
> in the "authorize" section), then it will *immediately* return reject.
> i.e. the "if reject" line won't be reached.

You are correct. An authorize section would not return reject. I removed it and things work fine.

> 
> 
>> authenticate {
>> 
>> 	Auth-Type LDAP {
>> 		ldap1{
>> 		reject = 1
>> 		ok = return
>> 		}
>> 		ldap2 {
>> 		reject = 1
>> 		ok = return
>> 		}
>> 	}
> 
>  This is wrong, too.  You've forced "Auth-Type := LDAP" somewhere in
> your config.

The config I'm using is stock Ubuntu, which has a few default includes. radiusd.conf specifies:
	$INCLUDE ${confdir}/modules/
I have a file in modules called ldap. Located in this file are two ldap server entries.
#
ldap ldap1 {

	server = "ldap1.example.com"
	basedn = "cn=users,dc=ldap1,dc=example.com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
		}
	dictionary_mapping = ${confdir}/ldap.attrmap
	#
	edir_account_policy_check = no
	#ldap_debug = 0x0028 
}
ldap ldap2 {

	server = "ldap2.example.com"
	basedn = "cn=users,dc=ldap2,dc=example.com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
		}
	dictionary_mapping = ${confdir}/ldap.attrmap
	#
	edir_account_policy_check = no
	#ldap_debug = 0x0028 
}
>  You could instead use "set_auth_type" in the modules/ldap
> configuration.  It's recommended to *not* use it, but it's fine here.
> 
>  Then, just do:
> 
> authenticate {
> 	...
> 	ldap1
> 	ldap2
> 	...
> }

--- oof okay.

authenticate {

	Auth-Type PAP {
		pap
	}

	Auth-Type CHAP {
		chap
	}
	
	Auth-Type MS-CHAP {
		mschap
	}

	digest
#	pam
	unix
	ldap1
	ldap2
	eap
}

Yes, totally works!
My bad, I thought I had to set the Auth-Type, similar to some of the other configs.


> 
>  If the "ldap1" module finds the user, it sets Auth-Type = "ldap1".
> And the same for ldap2.
> 
>  This means that there are fewer queries to ldap1 in the "authenticate"
> phase.  That's nice.
I'm into that. Thanks for the help. Hopefully my stumbles will aid someone in the future.
-j
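The pieces of the thread assembled into one consistent configuration, as an added example rather than the poster's actual files: it adds the set_auth_type option Alan mentions to both ldap instances (an assumption about the 2.x module option; the instance names, hostnames and basedn values are taken from the thread), keeps the notfound fallback in authorize, and lists both instances bare in authenticate.

```unlang
# modules/ldap
# set_auth_type lets whichever instance finds the user claim it, so only
# that server is bound against in the authenticate phase.
ldap ldap1 {
	server = "ldap1.example.com"
	basedn = "cn=users,dc=ldap1,dc=example.com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	set_auth_type = yes     # on a hit, sets Auth-Type := ldap1
	tls {
		start_tls = no      # as in the thread; without TLS the bind credentials cross the wire in clear
	}
}
ldap ldap2 {
	server = "ldap2.example.com"
	basedn = "cn=users,dc=ldap2,dc=example.com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	set_auth_type = yes     # on a hit, sets Auth-Type := ldap2
	tls {
		start_tls = no
	}
}

# sites-enabled/default
authorize {
	...
	ldap1
	# only reached when ldap1 returned notfound; a reject from ldap1 would
	# have returned immediately, which is why "if (reject)" was dead code
	if (notfound) {
		ldap2
	}
	...
}

authenticate {
	...
	# bare instance names act as implicit "Auth-Type ldap1 { ldap1 }" sections;
	# the instance named by Auth-Type performs the bind, the other is never called
	ldap1
	ldap2
	...
}
```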