Hello! radiusd: FreeRADIUS Version 1.1.3, for host x86_64-redhat-linux-gnu, built on Apr 25 2007 at 09:04:23 I need to make an authorization of some RADIUS clients in LDAP by RADIUS. Clients need only to check passwords. I can check this in ONE LDAP server at a time without problems. It's work fine. But i need some different. I need to check user/password in TWO different LDAP server. If ANY of LDAPs tell "password is ok" RADIUS must accept this userid/passwd pair. Userlists in this two LDAP have some overlap. Most (but not all) of the users presents in BOTH of LDAP servers. Passwords between LDAP servers are different. With curent configuration i get this: if username aren't found in first LDAP lets proceed to the next if username aren't found in second LDAP lets DENY access if username is found in first LDAP and password is accepted by first LDAP lets ALLOW access. if username is found in first LDAP and password aren't accepted by first LDAP lets DENY access. RADIUS doesn't check password in the second LDAP server. I know why but i doesn't know how to change this behavior. this is how looks users: --- LDAP1: uid=userid,o=org1 LDAP2: uid=userid,o=org2 --- As you can see organization is different in this two LDAP servers. I check this with "radtest" utility. /etc/raddb/radiusd.conf ------------------ modules { ldap tam { server = "ldap1.ts" basedn = "o=org1" filter = "(uid=%{User-Name})" authtype = tam start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no do_xlat = no access_attr_used_for_allow = no set_auth_type = yes } ldap lotus { server = "ldap2.ts" basedn = "o=org2" filter = "(uid=%{User-Name})" authtype = lotus start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = no do_xlat = no access_attr_used_for_allow = no set_auth_type = yes } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 #suppress { # User-Password #} } } authorize { group ldap { tam { notfound = 1 noop= 2 fail = 3 reject = 4 ok = return } lotus { notfound = 1 noop= 2 fail = 3 reject = 4 ok = return } handled } } authenticate { Auth-Type tam { tam { notfound = 1 noop= 2 fail = 3 reject = 4 ok = return } handled } Auth-Type lotus { lotus { notfound = 1 noop= 2 fail = 3 reject = 4 ok = return } handled } } -------------------------- logfiles: user exist in LDAP1 and password is good in LDAP1 --- rad_recv: Access-Request packet from host 192.168.110.3:49867, id=21, length=64 User-Name = "vmendelevich" User-Password = "11111111" NAS-IP-Address = 192.168.110.3 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall: entering group ldap for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for vmendelevich radius_xlat: '(uid=vmendelevich)' radius_xlat: 'o=org1' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.ts:389, authentication 0 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as / to ldap1.kmz.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=org1, with filter (uid=vmendelevich) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = tam rlm_ldap: user vmendelevich authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "tam" returns ok for request 0 modcall: leaving group ldap (returns ok) for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type tam auth: type "tam" Processing the authenticate section of radiusd.conf modcall: entering group tam for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "vmendelevich" with password "11111111" rlm_ldap: user DN: uid=vmendelevich,o=org1 rlm_ldap: (re)connect to ldap1.ts:389, authentication 1 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as uid=vmendelevich,o=org1/11111111 to ldap1.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user vmendelevich authenticated succesfully modcall[authenticate]: module "tam" returns ok for request 0 modcall: leaving group tam (returns ok) for request 0 Login OK: [vmendelevich] (from client VMendelevich port 10) Sending Access-Accept of id 21 to 192.168.110.3 port 49867 Finished request 0 Going to the next request ---- user doesn't exist in LDAP1, but exist in LDAP2 and password is good in LDAP2 --- rad_recv: Access-Request packet from host 192.168.110.3:44439, id=108, length=57 User-Name = "aldap" User-Password = "22222222" NAS-IP-Address = 192.168.110.3 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall: entering group ldap for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for aldap radius_xlat: '(uid=aldap)' radius_xlat: 'o=tamknown' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=org1, with filter (uid=aldap) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "tam" returns notfound for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for aldap radius_xlat: '(uid=aldap)' radius_xlat: 'o=org2' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap2.ts:389, authentication 0 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as cn=admin ldap,o=org2/22222222 to ldap2.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=org2, with filter (uid=aldap) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = lotus rlm_ldap: user aldap authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "lotus" returns ok for request 1 modcall: leaving group ldap (returns ok) for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type lotus auth: type "lotus" Processing the authenticate section of radiusd.conf modcall: entering group lotus for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "aldap" with password "22222222" rlm_ldap: user DN: CN=Admin LDAP,O=org2 rlm_ldap: (re)connect to ldap2.ts:389, authentication 1 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as CN=Admin LDAP,O=org2/22222222 to ldap2.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user aldap authenticated succesfully modcall[authenticate]: module "lotus" returns ok for request 1 modcall: leaving group lotus (returns ok) for request 1 Login OK: [aldap] (from client VMendelevich port 10) Sending Access-Accept of id 108 to 192.168.110.3 port 44439 Finished request 1 Going to the next request --- username exist in BOTH LDAP but password can be accepted only by LDAP2 --- rad_recv: Access-Request packet from host 192.168.110.3:55540, id=92, length=64 User-Name = "vmendelevich" User-Password = "33333333" NAS-IP-Address = 192.168.110.3 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall: entering group ldap for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for vmendelevich radius_xlat: '(uid=vmendelevich)' radius_xlat: 'o=org1' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=org1, with filter (uid=vmendelevich) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = tam rlm_ldap: user vmendelevich authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "tam" returns ok for request 2 modcall: leaving group ldap (returns ok) for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type tam auth: type "tam" Processing the authenticate section of radiusd.conf modcall: entering group tam for request 2 rlm_ldap: - authenticate rlm_ldap: login attempt by "vmendelevich" with password "33333333" rlm_ldap: user DN: uid=vmendelevich,o=org1 rlm_ldap: (re)connect to ldap1.ts:389, authentication 1 rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow rlm_ldap: bind as uid=vmendelevich,o=org1/33333333 to ldap1.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials modcall[authenticate]: module "tam" returns reject for request 2 modcall[authenticate]: module "handled" returns handled for request 2 modcall: leaving group tam (returns handled) for request 2 There was no response configured: rejecting request 2 Server rejecting request 2. Finished request 2 Going to the next request --- As i see i need to make something like "group" in authentication section. But i don't see how. Please advice. Thank you. UIN:9244669 Phone:+7(495)727-0982 ext.4162