Alan, This is what I have in my radius.conf Autz-Type LDAP1{ ldap_ldap1{ invalid=return } ldap_ldap2 } Auth-Type LDAP1 { redundant{ ldap_ldap1{ } ldap_ldap2 } users file DEFAULT Auth-Type = LDAP1 Fall-Through = No, Reply-Message = "ldap login" I'm forcing radius to lookup user in ldap1(ldap) and ldap2(Active Directory). The same user name can reside on both db backend. With this setup, radius only works if the user name does not exist on both db. If user John is on both db, it would only authenticate off LDAP1 and not in LDAP2. Here is my log rlm_ldap: performing xer authorization for user radix_xlat: '(uid=user)' radix_xlat: 'dc=x,dc=x,dc=x,dc=x' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=x,dc=x,dc=x,dc=x, with filter (uid=user) rlm_ldap: performing search in uid=user,ou=x,dc=x,dc=x,dc=x,dc=x, with filter (objectclass=radixprofile) rlm_ldap: object not found or got ambiguox search result rlm_ldap: default_profile/xer-profile search failed rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: xer user authorized to xe remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_ldap1" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing xer authorization for user radix_xlat: '(SamAccountName=user)' radix_xlat: 'cn=xers,dc=xsd,dc=test' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to x.x.x.x:389, authentication 0 rlm_ldap: bind as cn=svcauth,cn=xers,dc=xsd,dc=test/wireless to x.x.x.x:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in cn=xers,dc=xsd,dc=test, with filter (SamAccountName=user) rlm_ldap: performing search in uid=user,ou=people,dc=x,dc=x,dc=x,dc=x, with filter (objectclass=radixprofile) rlm_ldap: ldap_search() failed: Referral rlm_ldap: default_profile/xer-profile search failed rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: xer user authorized to xe remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_ldap2" returns ok for request 1 modcall: leaving group LDAP1 (returns ok) for request 1 rad_check_xssword: Found Auth-Type LDAP1 auth: type "LDAP1" Processing the authenticate section of radixd.conf modcall: entering group LDAP1 for request 1 modcall: entering group redundant for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "user" with xssword "xssword" rlm_ldap: xer DN: uid=user,ou=people,dc=x,dc=x,dc=x,dc=x rlm_ldap: (re)connect to x.x.x.x:389, authentication 1 rlm_ldap: bind as uid=user,ou=x,dc=x,dc=x,dc=x,dc=x/xssword to x.x.x.x:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials modcall[authenticate]: module "ldap_ldap1" returns reject for request 1 modcall: leaving group redundant (returns reject) for request 1 modcall: leaving group LDAP1 (returns reject) for request 1 auth: Failed to validate the xer. Login incorrect (rlm_ldap: Bind as xer failed): [user] (from client localhost port 1812) Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Alan DeKok <aland@nitros9.org> wrote:
fvt3 <fvt3@yahoo.com> wrote:
Hi, I am trying to setup Freedius to have multiple ldap authentication. I want to authenticate off ldap1, then ldap2 then mysql.
No, you don't. For one, MySQL doesn't do authentication. Neither does LDAP, really.
What you probably mean is that you want to look the user up in ldap1, or ldap2, or mysql.
In the users file I have: DEFAULT Autz-Type := "LDAP1", Auth-Type = "LDAP1" Fall-Through = Yes, Reply-Message = "ldap"
DEFAULT Autz-Type := "LDAP2", Auth-Type = "LDAP2"
Read "man users". The second entry is over-writing the first one. So the first one is useless.
With this setup, radius is skipping ldap1 and go directly to ldap2. How can I force it to read ldap1 then ldap2 in the user file.
You don't. The "users" file isn't meant to do that.
If you want to look users up in ldap1, then ldap2 if they're not in ldap1, see doc/configurable_failover.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com