Hi I'm trying to configure radiusd.conf Module section to look at more than one module config. Can get one to work but when I add a second it dosen't work. below is a copy of my radiusd.conf file. modules { # # Each module has a configuration as follows: # # name [ instance ] { # config_item = value # ... # } # ldap ldap1 { server = "gmcnhs1.glasgowmet.ac.uk" port = 636 ... } ldap ldap 2 { server = "gmcnhs1.glasgowmet.ac.uk" port = 636 ... } # The 'name' is used to load the 'rlm_name' library # which implements the functionality of the module. # # The 'instance' is optional. To have two different instances # of a module, it first must be referred to by 'name'. # The different copies of the module are then created by # inventing two 'instance' names, e.g. 'instance1' and 'instance2' # # The instance names can then be used in later configuration # INSTEAD of the original 'name'. See the 'radutmp' configuration # below for an example. # # PAP module to authenticate users based on their stored password # # Supports multiple encryption schemes # clear: Clear text # crypt: Unix crypt # md5: MD5 ecnryption # sha1: SHA1 encryption. # DEFAULT: crypt pap { encryption_scheme = crypt } # CHAP module # # To authenticate requests containing a CHAP-Password attribute. # chap { authtype = CHAP } # Pluggable Authentication Modules # # For Linux, see: # http://www.kernel.org/pub/linux/libs/pam/index.html # # WARNING: On many systems, the system PAM libraries have # memory leaks! We STRONGLY SUGGEST that you do not # use PAM for authentication, due to those memory leaks. # pam { # # The name to use for PAM authentication. # PAM looks in /etc/pam.d/${pam_auth_name} # for it's configuration. See 'redhat/radiusd-pam' # for a sample PAM configuration file. # # Note that any Pam-Auth attribute set in the 'authorize' # section will over-ride this one. # pam_auth = radiusd } # Unix /etc/passwd style authentication # unix { # # Cache /etc/passwd, /etc/shadow, and /etc/group # # The default is to NOT cache them. # # For FreeBSD and NetBSD, you do NOT want to enable # the cache, as it's password lookups are done via a # database, so set this value to 'no'. # # Some systems (e.g. RedHat Linux with pam_pwbd) can # take *seconds* to check a password, when th passwd # file containing 1000's of entries. For those systems, # you should set the cache value to 'yes', and set # the locations of the 'passwd', 'shadow', and 'group' # files, below. # # allowed values: {no, yes} cache = no # Reload the cache every 600 seconds (10mins). 0 to disable. cache_reload = 600 # # Define the locations of the normal passwd, shadow, and # group files. # # 'shadow' is commented out by default, because not all # systems have shadow passwords. # # To force the module to use the system password functions, # instead of reading the files, leave the following entries # commented out. # # This is required for some systems, like FreeBSD, # and Mac OSX. # # passwd = /etc/passwd # shadow = /etc/shadow # group = /etc/group # # The location of the "wtmp" file. # This should be moved to it's own module soon. # # The only use for 'radlast'. If you don't use # 'radlast', then you can comment out this item. # radwtmp = ${logdir}/radwtmp } # Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication (Auth-Type := LDAP) # # See doc/rlm_ldap for description of configuration options # and sample authorize{} and authenticate{} blocks ldap ldap1 { server = "gmcnhs1.glasgowmet.ac.uk" port = 636 #==== # identity = "cn=sambaProxy,o=GMC" # password = "" identity = "cn=GMET-RADIUS,ou=STUDENTS,ou=USERS,o=GMC" password = "radius" #==== basedn = "ou=BUILTENV,ou=STUDENTS,ou=USERS,o=GMC" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" #basedn = "ou=STUDENTS,ou=USERS,o=GMC" #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no tls_mode = yes # tls_cacertfile = /radius_certs/gmet-tree.b64 tls_cacertfile = /etc/raddb/certs/gmet-tree.b64 # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" #access_attr = "dialupAccess" access_attr_used_for_allow = no # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: password_attribute = nspmPassword access_attr_used_for_allow = no # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # edir_account_policy_check=yes # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} set_auth_type = no } ldap ldap2 { server = "gmcnhs1.glasgowmet.ac.uk" port = 636 #==== # identity = "cn=sambaProxy,o=GMC" # password = "" identity = "cn=GMET-RADIUS,ou=STUDENTS,ou=USERS,o=GMC" password = "radius" basedn = "ou=COMMSMED,ou=STUDENTS,ou=USERS,o=GMC" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" #basedn = "ou=STUDENTS,ou=USERS,o=GMC" #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no tls_mode = yes # tls_cacertfile = /radius_certs/gmet-tree.b64 tls_cacertfile = /etc/raddb/certs/gmet-tree.b64 # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" #access_attr = "dialupAccess" access_attr_used_for_allow = no # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: password_attribute = nspmPassword access_attr_used_for_allow = no # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # edir_account_policy_check=yes # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} set_auth_type = no } authorize { # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. # # It also adds the %{Client-IP-Address} attribute to the request. preprocess # # If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' # section, above. # auth_log # attr_filter # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap1 ldap2 # authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. # digest # # Pluggable Authentication Modules. # pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # unix # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap1 ldap2 } # # Allow EAP authentication. eap } I am new freeradius so any help would be appreciated. Performed a debug and received. Error: Cannot find a configuration entry for module ldap. Error: radiusd.conf [2018] unknown module ldap Error: radiuse.conf [2018] failed to parse ldap entry. version of freeradius 1.1.7 Miles -- View this message in context: http://freeradius.1045715.n5.nabble.com/Multiple-modules-entries-tp3405254p3... Sent from the FreeRadius - User mailing list archive at Nabble.com.