ldap ldap1 { .. } ldap ldap2 { .. } Ivan Kalik Kalik Informatika ISP Dana 1/7/2008, "Sambuddho Chakravarty" <sc2516@columbia.edu> piše:
Hello But this never really worked. I did exactly this . The ldap1 and ldap2 are files with the follwoing
/etc/raddb/modules/ldap1----------------------------------------------------------------
ldap { server = "30.0.0.2" basedn = "ou=People,cu=example,c=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" port = 389 ldap_connections_number = 5
timeout = 40
timelimit = 30 net_timeout = 10 tls { start_tls = no
require_cert = "demand" }
dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no }
/etc/raddb/modules/ldap2---------------------------------------
ldap { server = "10.0.0.1" basedn = "ou=People,cu=example,c=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" port = 389 ldap_connections_number = 5
timeout = 40
timelimit = 30 net_timeout = 10 tls { start_tls = no
require_cert = "demand" }
dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no }
----------------------------------------------------------------------------------
The only difference in both files is the LDAP server IP address . When I did as I mentioned in my previous email and executed /sbin/radiusd -X -C the execution ended with the following error
Module: Checking authenticate {...} for more modules to load //etc/raddb/radiusd.conf[757]: Failed to find module "ldap1". //etc/raddb/radiusd.conf[756]: Errors parsing authenticate section. }
Also , one more observation, when having a single LDAP server and when it actually worked fine, the debug messages showed
found rlm_pap. While I think it should be showing rlm_ldap . Why is this so. But authentication worked fine and the client received a ACCESS-ACCEPT message as reply.
Thanks Sambuddho
On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
Do you mean something like this
authorize { redundant { ldap1 ldap2 } }
authenticate { ldap1 ldap2 }
The reason I list them here is to use them for authentication against multiple LDAP servers whose configuration information is in the two files modules/ldap1 and modules/ldap2. Does this look valid ?
Thanks Sambuddho
On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
Yes , but on a freeradius-2.05 , when I create a separate authenticate {} and authorize {} subsection and plug in the following :
authorize { Autz-Type LDAP {
You don't need to use Autz-Type in 2.0.
authenticate { Auth-Type LDAP{ redundant{
Don't use redundant sections here. Just list the two LDAP modules independently. The LDAP server that was used in the authorize section will ensure that it is also used in the authenticate section.
${confdir}/modules/ldap1
And I hope that's not what I think it is.
It doesn't work.
See the FAQ for "it doesn't work".
Here the ldap1 and ldap2 are two separate files in the /etc/raddb/modules directory and have separate ldap server IP addresses. Can anyone please point out to me where I am going wrong ?
Lots. The major one is that you are putting the module *configuration* into the authorize and authenticate sections. I have no idea why you think that's a good idea. The examples included in the server DO NOT DO THIS.
The files in the "modules" directory belong in the "modules" section of radiusd.conf. This is documented in the comments, and in many examples.
The entries in the "authorize" and "authenticate" sections are simply a one-word reference to the name of a module. Again, this is documented in the comments and in many examples.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html