On May 5, 2012, at 5:09 AM, Alan DeKok wrote:
jeff donovan wrote:
I made two changes. and it worked.,.. not sure if it the best syntax, but it's the first time I got both systems to call back.
authorize {
ldap1 if (notfound) { ldap2 }
This is OK.
if (reject) { ldap2 }
This doesn't do anything. If ldap1 rejects the user (which it won't in the "authorize" section), then it will *immediately* return reject. i.e. the "if reject" line won't be reached.
you are correct. An authorize section would not return reject. i removed it and things work fine.
authenticate {
Auth-Type LDAP { ldap1{ reject = 1 ok = return } ldap2 { reject = 1 ok = return } }
This is wrong, too. You've forced "Auth-Type := LDAP" somewhere in your config.
the config Im using is stock ubuntu,..which has a few default includes. radiusd.conf specifies; $INCLUDE ${confdir}/modules/ i have a file in modules called ldap. Located in this file are two ldap servers entries. # ldap ldap1 { server = "ldap1.example.com" basedn = "cn=users,dc=ldap1,dc=example.com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap # edir_account_policy_check = no #ldap_debug = 0x0028 } ldap ldap2 { server = "ldap2.example.com" basedn = "cn=users,dc=ldap2,dc=example.com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap # edir_account_policy_check = no #ldap_debug = 0x0028 } }
You could instead use "set_auth_type" in the modules/ldap configuration. It's recommended to *not* use it, but it's fine here.
Then, just do:
authenticate { ... ldap1 ldap2 ... }
--- oof okay. authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest # pam unix ldap1 ldap2 eap } Yes Totally works.! my bad i thought I had to set the AUTH type. similar to some of the other configs.
If the "ldap1" module finds the user, it sets Auth-Type = "ldap1". And the same for ldap2.
This means that there are fewer queries to ldap1 in the "authenticate" phase. That's nice.
im into that. thanks for the help. hopefully my stumbles will aid someone in the future. -j