jeff donovan wrote:
I made two changes. and it worked.,.. not sure if it the best syntax, but it's the first time I got both systems to call back.
authorize {
ldap1 if (notfound) { ldap2 }
This is OK.
if (reject) { ldap2 }
This doesn't do anything. If ldap1 rejects the user (which it won't in the "authorize" section), then it will *immediately* return reject. i.e. the "if reject" line won't be reached.
authenticate {
Auth-Type LDAP { ldap1{ reject = 1 ok = return } ldap2 { reject = 1 ok = return } }
This is wrong, too. You've forced "Auth-Type := LDAP" somewhere in your config. You could instead use "set_auth_type" in the modules/ldap configuration. It's recommended to *not* use it, but it's fine here. Then, just do: authenticate { ... ldap1 ldap2 ... } If the "ldap1" module finds the user, it sets Auth-Type = "ldap1". And the same for ldap2. This means that there are fewer queries to ldap1 in the "authenticate" phase. That's nice. Alan DeKok.