With curent configuration i get this:
if username aren't found in first LDAP lets proceed to the next if username aren't found in second LDAP lets DENY access
You probably don't need that after upgrade. Just force Auth-Type LDAP in users file.
As i doesn't have any other auth rather LDAP it is done automatically. I hope so. ;-)
Enable files (and comment out ldap entries) and put: DEFAULT Auth-Type := tam at the top of the users file. That's much cheaper way.
Create failover inside Auth-Type LDAP:
Auth-Type LDAP { tam { reject = 2 } if(reject) { lotus } }
I have realised something like this in my long road to success. Unfortunately there an issue.
LDAP1: uid=username,o=org1 LDAP2: uid=username,o=org2
As you can see "o=org..." is different.
You can see when radius try to authenticate on the second LDAP (ldap2.ts) it hasn't changed o=org1 to o=org2. This is a problem. we cannot modify any scheme of those two LDAP servers.
Check base_dn. You say it is different but server debug would disagree. Ivan Kalik