Thanks so much Neal. You got it 95% right. The problem is FreeRadius always authorize first (no matter what the order in radiusd.conf) and then authenticate. authorize { . . . ldap2 } authenticate { . . . ldap1 } So if the user fails in ldap2 ..module "ldap2" returns notfound for request user xyz and thus continues to authentication module. (****This authorize should break the sequence and return FAIL. I tried ldap2 { fail = return } but no help...still returns notfound ****) And same user in "ldap1" returns ok for request user xyz in authentication. Finally FreeRadius returns "Sending Access-Accept" (Status of ldap1 auth) to the request. Technically it should authenticate and then authorize and send the group response (AND) of both. Please let me know. Thanks in advance. --- "Garber, Neal" <Neal.Garber@energyeast.com> wrote:
If(authentication in ldap1 success) {
Use ldap1 in the authenticate stage of radiusd.conf
if(productCode attribute exists in ldap2 success) {
Use ldap2 in the authorize stage of radiusd.conf
Authorize is performed first in FreeRadius (you show authenticate First), but it shouldn't matter for what you're trying to do. Configure ldap.attrmap to obtain the productCode attribute.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Do you Yahoo!? Everyone is raving about the all-new Yahoo! Mail. http://new.mail.yahoo.com