Multiple LDAPS

Dusty Doris freeradius at mail.doris.cc
Tue Sep 20 16:12:02 CEST 2005


> Hi,
>
> I was wondering if there's a way to look for users in different LDAP trees
> and/or servers depending on the suffix (@something) in the login. If it's
> possible, could someone show me the config?
> Thanks in advance.
>


Sure.  First you need to define two ldap configs in radiusd.conf. 
Instead of just having ldap {, you define ldap and then a name for each 
instance and include all the config entries under it.

ldap ldap1 {
   server
   basedn
   ...
}

ldap ldap2 {
   ...
}

Then in the authorize section you do this.

authorize {
   Autz-Type ldap1 {
      ldap1
   }
   Autz-Type ldap2 {
      ldap2
   }
}

Then in authenticate, you do

authenticate {
   Auth-Type ldap1 {
      ldap1
   }
   Auth-Type ldap2 {
      ldap2
   }
}

Now, in the users file you can specify which to use based on the realm. 
Make sure you enable the suffix module to use suffix for realms.


DEFAULT Realm == "somerealm.com", Autz-Type := ldap1, Auth-Type := ldap1

DEFAULT Realm == "otherrealm.com", Autz-Type := ldap2, Auth-Type := ldap2

DEFAULT Auth-Type := Reject

The users file is parsed top to bottom.  In this instance, say a username 
comes over as user@somerealm.com.  It will match on the first line and 
will then use your settings in ldap1 for authorization and authentication. 
By default you will not fall through to any other rules.

If a user comes in as user@otherrealm.com, it will not match the first and 
will fall through to the second line.  There it will match and use ldap2.

If a user comes in as user@notarealrealm.com, it will not match the first 
two and will hit the last rule, which will reject the user.  Of course you 
could do something else at this point and maybe make it hit a different 
type of authentication for other realms if you'd like.

You can read more in doc/Autz-Type.
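The following is an added example, not part of the original post or of FreeRADIUS itself: a small Python model of the realm-routing behaviour described above (suffix split on "@", top-to-bottom first-match over the three DEFAULT entries, final Reject). The users-file excerpt is constructed from the post; the parser accepts only the one-line "check item" form shown there and ignores Fall-Through, matching the author's "no fall-through by default" case.

```python
import re

# Constructed users-file excerpt, copied from the three DEFAULT entries in the post.
USERS_FILE = """
DEFAULT Realm == "somerealm.com", Autz-Type := ldap1, Auth-Type := ldap1

DEFAULT Realm == "otherrealm.com", Autz-Type := ldap2, Auth-Type := ldap2

DEFAULT Auth-Type := Reject
"""

ITEM_RE = re.compile(r'(\S+)\s*(==|:=)\s*"?([^"]*)"?$')


def split_suffix(username):
    """Model the suffix module: 'user@realm' -> ('user', 'realm'); no '@' -> no realm."""
    user, sep, realm = username.rpartition("@")
    return (username, None) if not sep else (user, realm)


def parse_users(text):
    """Parse one-line users entries into (name, comparisons, assignments) tuples.

    '==' items are compared against the request; ':=' items set control attributes
    such as Autz-Type / Auth-Type when the entry matches.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        checks, sets = {}, {}
        for item in (i.strip() for i in rest.split(",") if i.strip()):
            m = ITEM_RE.match(item)
            if not m:
                raise ValueError("unparsable item: %r" % item)
            attr, op, value = m.groups()
            (checks if op == "==" else sets)[attr] = value
        entries.append((name, checks, sets))
    return entries


def route(username, entries):
    """Return the control attributes the first matching entry sets (first match wins)."""
    user, realm = split_suffix(username)
    request = {"User-Name": user, "Realm": realm}
    for name, checks, sets in entries:
        if name != "DEFAULT" and name != user:
            continue
        if all(request.get(attr) == value for attr, value in checks.items()):
            return dict(sets)  # no Fall-Through, so stop at the first match
    return {}  # no entry matched at all (cannot happen with a trailing DEFAULT)


ENTRIES = parse_users(USERS_FILE)
```

A login with no "@" suffix carries no Realm, so it skips both realm-specific entries and lands on the Reject line, the same as an unknown realm.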

More information about the Freeradius-Users mailing list