Two Ldaps Authentication
fvt3
fvt3 at yahoo.com
Fri Jun 16 18:44:29 CEST 2006
Alan,
This is what I have in my radius.conf:

Autz-Type LDAP1 {
        ldap_ldap1 {
                invalid = return
        }
        ldap_ldap2
}

Auth-Type LDAP1 {
        redundant {
                ldap_ldap1 {
                }
                ldap_ldap2
        }
}

users file:

DEFAULT Auth-Type = LDAP1
        Fall-Through = No,
        Reply-Message = "ldap login"
I'm forcing radius to look the user up in ldap1 (LDAP) and
ldap2 (Active Directory). The same user name can
reside in both DB backends. With this setup, radius
only works if the user name does not exist in both DBs.
If user John is in both DBs, it would only
authenticate off LDAP1 and not LDAP2.

Here is my log:
rlm_ldap: performing user authorization for user
radius_xlat: '(uid=user)'
radius_xlat: 'dc=x,dc=x,dc=x,dc=x'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=x,dc=x,dc=x,dc=x, with filter (uid=user)
rlm_ldap: performing search in uid=user,ou=x,dc=x,dc=x,dc=x,dc=x, with filter (objectclass=radiusprofile)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: default_profile/user-profile search failed
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap_ldap1" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat: '(SamAccountName=user)'
radius_xlat: 'cn=users,dc=xsd,dc=test'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to x.x.x.x:389, authentication 0
rlm_ldap: bind as cn=svcauth,cn=users,dc=xsd,dc=test/wireless to x.x.x.x:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=users,dc=xsd,dc=test, with filter (SamAccountName=user)
rlm_ldap: performing search in uid=user,ou=people,dc=x,dc=x,dc=x,dc=x, with filter (objectclass=radiusprofile)
rlm_ldap: ldap_search() failed: Referral
rlm_ldap: default_profile/user-profile search failed
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap_ldap2" returns ok for request 1
modcall: leaving group LDAP1 (returns ok) for request 1
rad_check_password: Found Auth-Type LDAP1
auth: type "LDAP1"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP1 for request 1
modcall: entering group redundant for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "user" with password "password"
rlm_ldap: user DN: uid=user,ou=people,dc=x,dc=x,dc=x,dc=x
rlm_ldap: (re)connect to x.x.x.x:389, authentication 1
rlm_ldap: bind as uid=user,ou=x,dc=x,dc=x,dc=x,dc=x/password to x.x.x.x:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap_ldap1" returns reject for request 1
modcall: leaving group redundant (returns reject) for request 1
modcall: leaving group LDAP1 (returns reject) for request 1
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [user] (from client localhost port 1812)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Alan DeKok <aland at nitros9.org> wrote:
> fvt3 <fvt3 at yahoo.com> wrote:
> > Hi, I am trying to set up FreeRADIUS to have multiple LDAP
> > authentication. I want to authenticate off ldap1, then ldap2,
> > then mysql.
>
> No, you don't. For one, MySQL doesn't do authentication. Neither
> does LDAP, really.
>
> What you probably mean is that you want to look the user up in
> ldap1, or ldap2, or mysql.
>
> > In the users file I have:
> > DEFAULT Autz-Type := "LDAP1", Auth-Type = "LDAP1"
> >         Fall-Through = Yes,
> >         Reply-Message = "ldap"
> >
> > DEFAULT Autz-Type := "LDAP2", Auth-Type = "LDAP2"
>
> Read "man users". The second entry is over-writing the first one.
> So the first one is useless.
>
> > With this setup, radius is skipping ldap1 and going directly to
> > ldap2. How can I force it to read ldap1 then ldap2 in the users
> > file?
>
> You don't. The "users" file isn't meant to do that.
>
> If you want to look users up in ldap1, then ldap2 if they're not in
> ldap1, see doc/configurable_failover.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
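The log above shows the behaviour that doc/configurable_failover describes: inside a `redundant` block only a `fail` code moves on to the next module, so the `reject` from ldap_ldap1's bind ends the group before ldap_ldap2 is ever tried, while the `Autz-Type` group runs both modules because `ok` only sets a priority. The following is an added example, not code from the post or from FreeRADIUS: a small Python model of that return-code handling. The action tables are the FreeRADIUS 1.x defaults as I recall them from that document and should be treated as an assumption, the two `ldap*` stand-ins are constructed to match the log (bind rejected by the first directory, accepted by the second), and `scenario_authenticate_fallthrough` models what a per-module override such as `ldap_ldap1 { ok = return  reject = 1 }` in a plain group would do.

```python
# Added example: model of FreeRADIUS 1.x module-group return-code handling.
# Not FreeRADIUS code; priority tables are the documented 1.x defaults as
# recalled by the editor (assumption), kept only as far as the scenario needs.

RETURN = "return"
CODES = ("reject", "fail", "ok", "handled", "invalid", "userlock",
         "notfound", "noop", "updated")

# Plain group: codes mapped to RETURN stop the group at once; codes carrying a
# priority update the group's result when higher than anything seen so far,
# and processing continues with the next module.
GROUP_ACTIONS = {
    "reject": RETURN, "fail": RETURN, "handled": RETURN,
    "invalid": RETURN, "userlock": RETURN,
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
}

# redundant: only "fail" falls through to the next module; every other code,
# "reject" included, is returned immediately.
REDUNDANT_ACTIONS = dict.fromkeys(CODES, RETURN)
REDUNDANT_ACTIONS["fail"] = 1


def run_group(modules, actions, overrides=None, default="noop"):
    """Run modules in order and combine their return codes.

    modules:   list of (name, fn); fn() returns one of CODES.
    actions:   default action table for this kind of group.
    overrides: {module_name: {code: action}}, the model of a per-module
               block such as "ldap_ldap1 { invalid = return }".
    default:   result if no module sets a priority (assumed value).
    Returns (group_result, names of the modules that actually ran).
    """
    overrides = overrides or {}
    result, priority, called = default, 0, []
    for name, fn in modules:
        code = fn()
        called.append(name)
        action = overrides.get(name, {}).get(code, actions[code])
        if action == RETURN:
            return code, called            # stop here; code is the result
        if action > priority:              # remember the best code so far
            result, priority = code, action
    return result, called


# Constructed stand-ins for the two rlm_ldap instances: the user exists in
# both directories, but the password is only valid in the second one.
def ldap1_authorize():
    return "ok"


def ldap2_authorize():
    return "ok"


def ldap1_authenticate():
    return "reject"     # "Bind failed with invalid credentials"


def ldap2_authenticate():
    return "ok"         # the bind against the second directory would succeed


def scenario_authorize():
    """Autz-Type LDAP1 { ldap_ldap1 { invalid = return } ldap_ldap2 }"""
    return run_group(
        [("ldap_ldap1", ldap1_authorize), ("ldap_ldap2", ldap2_authorize)],
        GROUP_ACTIONS, overrides={"ldap_ldap1": {"invalid": RETURN}})


def scenario_authenticate_redundant():
    """Auth-Type LDAP1 { redundant { ldap_ldap1 ldap_ldap2 } }"""
    return run_group(
        [("ldap_ldap1", ldap1_authenticate), ("ldap_ldap2", ldap2_authenticate)],
        REDUNDANT_ACTIONS)


def scenario_authenticate_fallthrough():
    """Plain group with overrides so a reject from ldap_ldap1 continues to
    ldap_ldap2 while an ok stops at once (modelled, not tested against a
    real server): Auth-Type LDAP1 { ldap_ldap1 { ok = return reject = 1 } ldap_ldap2 }"""
    return run_group(
        [("ldap_ldap1", ldap1_authenticate), ("ldap_ldap2", ldap2_authenticate)],
        GROUP_ACTIONS, overrides={"ldap_ldap1": {"ok": RETURN, "reject": 1}})


if __name__ == "__main__":
    for scenario in (scenario_authorize, scenario_authenticate_redundant,
                     scenario_authenticate_fallthrough):
        print(f"{scenario.__name__}: {scenario()}")
```

Running the model reproduces the log: the authorize group returns `ok` after calling both modules, and the `redundant` authenticate group returns `reject` having called only ldap_ldap1. Letting a reject fall through to the second directory also means every wrong password for a user present in both directories produces a failed bind against each of them, which is worth keeping in mind for the lockout counters on the Active Directory side.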