So, how can I configure radius to authenticate off ldap2 once ldap1 rejects the user because of a bad password. I want to radius to: Lookup in ldap1 : If rejected because of a bad password then do Lookup in ldap2 Basically I want radius to go through a sequence of lookup if ldap1 fails(ldap reject user password) then go to ldap2 for lookup.. --- Terry J Fike Jr <tfike@mtasolutions.com> wrote:
Message: 6 Date: Fri, 16 Jun 2006 09:44:29 -0700 (PDT) From: fvt3 <fvt3@yahoo.com> Subject: Re: Two Ldaps Authentication To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID:
<20060616164429.4187.qmail@web42106.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
Alan,
This is what I have in my radius.conf
Autz-Type LDAP1{ ldap_ldap1{ invalid=return } ldap_ldap2 }
Auth-Type LDAP1 { redundant{ ldap_ldap1{ }
ldap_ldap2
} users file
DEFAULT Auth-Type = LDAP1 Fall-Through = No, Reply-Message = "ldap login"
I'm forcing radius to lookup user in ldap1(ldap) and ldap2(Active Directory). The same user name can reside on both db backend. With this setup, radius only works if the user name does not exist on both db. If user John is on both db, it would only authenticate off LDAP1 and not in LDAP2.
Here is my log
<snip>
correct...this is the way you have it configured. as long as ONE ldap server answers the request (whether it be an authentication allowed or rejected) it still answered. so it won't fail over to the next ldap server...
--- Alan DeKok
-- Terry J Fike Jr System Administrator MTA Solutions 907-793-4100 tfike@mtasolutions.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com