On May 4, 2012, at 3:58 PM, Tobias Hachmer wrote:
On 04.05.2012 21:05, jeff donovan wrote:
Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group LDAP {...} [ldap1] login attempt by "drfoo" with password "XxXxXxX" [ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com [ldap1] (re)connect to ldap1.example.com:389, authentication 1 [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX to ldap1.example.com:389 [ldap1] waiting for bind result ... [ldap1] Bind failed with invalid credentials ++[ldap1] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...}
OK, so what happened here? The ldap bind has failed! That's not the failure message that the user you want to authenticate has wrong credentials. Be sure you configured the ldap modules correctly or send the whole radiusd -X debug output.
greetings sorry i snipped the bottom off , I didn't think it relevant since nothing happened after it tried to auth on ldap1. Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> drfoo attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 158 to 10.135.1.15 port 65478 Waking up in 4.9 seconds. Cleaning up request 2 ID 158 with timestamp +22 Ready to process requests. and that is correct. The user does not exist on LDAP1, his records are on LDAP2, which it finds, but it trys to auth against ldap1 ( which will fail ). I need it to step to ldap2 I thought the result code was " reject " so under authentication if result of ldap1 = reject try ldap2. Auth-Type LDAP { ldap1 if (reject) { ldap2 } }