How do you have this setup? Check out doc/configurable_failover. That should show you how to do it.
I'm using configurable failover to get it to roll as it is.
From my radiusd.conf file:
Authorize{ ldap1{ reject=1 } ldap2{ reject=1 ok=return } } Authenticate{ Auth-Type LDAP { ldap1{ reject=1 ok=return } ldap2{ reject=1 ok=return } } } The output I see when I try to authenticate with an openldap username/password where the username is also in AD rad_recv: Access-Request packet from host 130.74.186.38:17688, id=1, length=46 User-Name = "username" User-Password = "test123" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for username radius_xlat: '(sAMAccountName=username)' radius_xlat: 'cn=Users,dc=dept,dc=university,dc=edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ad.dept.university.edu:389, authentication 0 rlm_ldap: bind as cn=aduser,cn=Users,dc=dept,dc=university,dc=edu/adpassword to ad.dept.university.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in cn=Users,dc=dept,dc=university,dc=edu, with filter (sAMAccountName=username) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap1" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for username radius_xlat: '(uid=username)' radius_xlat: 'dc=university,dc=edu,c=US' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to openldap.university.edu:1744, authentication 0 rlm_ldap: bind as uid=ldapuser,ou=Special Users,dc=university,dc=edu,c=US/ldappassword to openldap.university.edu:1744 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=university,dc=edu,c=US, with filter (uid=username) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap2" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "username" with password "test123" rlm_ldap: user DN: CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu rlm_ldap: (re)connect to ad.dept.university.edu:389, authentication 1 rlm_ldap: bind as CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu/test123 to ad.dept.university.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials modcall[authenticate]: module "ldap1" returns reject for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "username" with password "test123" rlm_ldap: user DN: CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu rlm_ldap: (re)connect to openldap.university.edu:1744, authentication 1 (THIS LINE IS THE PROBLEM) rlm_ldap: bind as CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu/test123 to openldap.university.edu:1744 rlm_ldap: waiting for bind result ... rlm_ldap: CN=name\, user,CN=Users,DC=dept,DC=university,DC=edu bind to openldap.university.edu:1744 failed No such object rlm_ldap: ldap_connect() failed modcall[authenticate]: module "ldap2" returns fail for request 0 modcall: group Auth-Type returns fail for request 0 auth: Failed to validate the user. The above problem line should be: rlm_ldap: bind as uid=username, ou=People, dc=university,dc=edu,c=us/test123 to openldap.university.edu:1744 However, it is taking the userdn from the ad server which gave the first authorize ok. What I need is for it to attempt to authenticate with the appropriate userdn depending on which server it is authenticating to. So it would use the userdn from AD authenticating to the AD server and the openldap userdn when authenticating to the openldap server. Thanks