On Wed, 25 Nov 2009 19:51:34 -0000 (UTC) tnt@kalik.net wrote: Thank you foк the reply.
radiusd: FreeRADIUS Version 1.1.3, for host x86_64-redhat-linux-gnu, built on Apr 25 2007 at 09:04:23
Upgrade.
http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_...
Done. FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Sep 18 2009 at 11:00:13 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
With curent configuration i get this:
if username aren't found in first LDAP lets proceed to the next if username aren't found in second LDAP lets DENY access
You probably don't need that after upgrade. Just force Auth-Type LDAP in users file.
As i doesn't have any other auth rather LDAP it is done automatically. I hope so. ;-)
Create failover inside Auth-Type LDAP:
Auth-Type LDAP { tam { reject = 2 } if(reject) { lotus } }
I have realised something like this in my long road to success. Unfortunately there an issue. LDAP1: uid=username,o=org1 LDAP2: uid=username,o=org2 As you can see "o=org..." is different. -------- rad_recv: Access-Request packet from host 192.168.110.3 port 46057, id=141, length=64 User-Name = "vmendelevich" User-Password = "33333333" NAS-IP-Address = 192.168.110.3 NAS-Port = 10 +- entering group authorize {...} ++- entering group ldap {...} [tam] performing user authorization for vmendelevich [tam] expand: (uid=%{User-Name}) -> (uid=vmendelevich) [tam] expand: o=org1 -> o=org1 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to skoll-vm1.kmz.ts:389, authentication 0 rlm_ldap: bind as / to skoll-vm1.kmz.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=org1, with filter (uid=vmendelevich) [tam] looking for check items in directory... [tam] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [tam] Setting Auth-Type = tam [tam] user vmendelevich authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[tam] returns ok ++- group ldap returns ok Found Auth-Type = tam +- entering group tam {...} [tam] login attempt by "vmendelevich" with password "33333333" [tam] user DN: uid=vmendelevich,o=org1 rlm_ldap: (re)connect to ldap1.ts:389, authentication 1 rlm_ldap: bind as uid=vmendelevich,o=org1/33333333 to ldap1.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[tam] returns reject ++? if (reject) ? Evaluating (reject) -> TRUE ++? if (reject) -> TRUE ++- entering if (reject) {...} [lotus] login attempt by "vmendelevich" with password "33333333" [lotus] user DN: uid=vmendelevich,o=org1 rlm_ldap: (re)connect to ldap2.ts:389, authentication 1 rlm_ldap: bind as uid=vmendelevich,o=org1/33333333 to ldap2.ts:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials +++[lotus] returns reject ++- if (reject) returns reject Failed to authenticate the user. Login incorrect (rlm_ldap: Bind as user failed): [vmendelevich] (from client VMendelevich port 10) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 141 to 192.168.110.3 port 46057 Waking up in 4.9 seconds. Cleaning up request 0 ID 141 with timestamp +223 Ready to process requests. ------------- You can see when radius try to authenticate on the second LDAP (ldap2.ts) it hasn't changed o=org1 to o=org2. This is a problem. we cannot modify any scheme of those two LDAP servers. UIN:9244669 Phone:+7(495)727-0982 ext.4162