On Fri, Mar 09, 2012 at 10:59:46AM -0500, up@3.am wrote:
authorize {
preprocess redundant LDAP{ ldap1 ldap2 }
# The ldap module will set Auth-Type to LDAP if it has not # already been set # ldap
authenticate {
#Auth-Type LDAP { redundant LDAP{ ldap1 ldap2
}
I think that's (very) wrong. I would need to check this, but I *think* you want something like this: authorize { ... redundant { ldap1 ldap2 } ... } authenticate { Auth-Type ldap1 { ldap1 } Auth-Type ldap2 { ldap2 } } ..and: ldap ldap1 { ... set_auth_type = yes } ldap ldap2 { ... set_auth_type = yes } Did you read a doc telling you to do it the way you did? Using "ldap" in the authenticate section is a bit tricky, and you'd be wise to avoid it if you can - if the LDAP server will "give" you the password (plaintext or crypted) you're better of doing that in "authorize" and letting FreeRADIUS perform the auth using rlm_pap or whatever. Very briefly, here's how it works: IF "set_auth_type = yes" on the module AND there is an "Auth-Type modname" in the "authenticate" section AND Auth-Type is not already set AND the request is PAP i.e. has User-Password AND the ldap module did NOT put a password hash into the control items THEN the ldap module will set Auth-Type==modname and authentication will come "back to itself" in authenticate {} The reasons it works that way are complex, and in an ideal world the ldap module would be a lot simpler, but it's got a lot of backwards compatibility code in it, and LDAP and RADIUS have a pretty bad impedance mistmatch when used this way (LDAP as an oracle).