On Mar 4, 2022, at 1:15 AM, Rahman Duran <rahman.duran@erzurum.edu.tr> wrote:
So at least you know what I try to do. How can I achieve this then? I want to use multiple authentication sources, they can be users text file, sql or ldap, and there can be multiple of the same kind, multiple sql, multiple files, multiple ldap. User-Name should be searched in them sequentially and if the user is not found in any of them (noop for files, notfound for sql and ldap), I set the module failure message and reject the request here.
That is completely the wrong approach. It's a very bad idea to try many different things, and then pick the one which succeeds. Instead, you should figure out where the users' data is located, and then use that. i.e. qualify the user names with different domains "user@example.com" versus "user@example.org". This is a practice going back 20+ years. Where you can't do that, find some other method to distinguish users. i.e. users coming from NAS1 are for ISP1 and database1, while users coming from NAS2 are for ISP2 and database2. Or maybe look at MAC addresses, and associate user accounts with MAC addresses. So that when a user logs in, the combination of "user + MAC" is unique. The absolute worst thing you can do is to randomly try a bunch of databases, hoping that perhaps one will succeed. But since you didn't post the *full* debug output (which contains name, MAC, etc.), I can't offer any more specific advice.
The problem is testing for "ok", "noop", "notfound" etc with a following unlang if condition is not working as expected everywhere.
It works as *documented*. If your expectations are different from how it works, then read the documentation and debug mode to see how it really works.
So I am using "group" statements as I need to be sure I am checking the correct module return value.
"group" doesn't change the return codes. So it don't do what you think it does. If you must use multiple databases, you can't use "redundant". The "redundant" keyword is for when one database *fails*. i.e. it's *down*. The "redundant" keyword isn't really good for trying multiple authentication types. You need to go back and understand the requirements. You can't simply poke at the FreeRADIUS configuration until it works. You have to understand what you're trying to do. And once you understand that, the solution is usually simple. From the limited debug output you posted, it looks like users do have domain names associated with them. So why not use that? if domain 1 use ldap1 else if domain 2 use ldap2 Why would it be any more complex than that? Alan DeKok.