Eric Martell <workoutexcite@yahoo.com> wrote:
Thanks so much Neal. You got it 95% right. The problem is FreeRadius always authorize first (no matter what the order in radiusd.conf) and then authenticate.
Yes, that's how the server works.
(****This authorize should break the sequence and return FAIL. I tried ldap2 { fail = return } but no help...still returns notfound ****)
See doc/configurable_failover. You may want: ... ldap2 { fail = reject } ...
Technically it should authenticate and then authorize and send the group response (AND) of both.
Then... configure it to do that. The default behavior is that a "notfound" error is NOT fatal, because another module or database may find the user. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog