Multiple LDAP (Not failover) lookup...

Eric Martell workoutexcite at
Tue Nov 7 22:41:39 CET 2006

Thanks so much Neal. You got it 95% right. The problem
is that FreeRADIUS always authorizes first (no matter what
the order in radiusd.conf) and then authenticates.

authorize {

authenticate {

So if the user fails in ldap2, module "ldap2" returns
notfound for request user xyz and thus continues to the
authentication module.

(****This authorize should break the sequence and
return FAIL. I tried ldap2 { fail = return } but no
help...still returns notfound ****)

And the same user in "ldap1" returns ok for request user
xyz in authentication.

Finally FreeRadius returns "Sending Access-Accept"
(Status of ldap1 auth) to the request.

Technically it should authenticate and then authorize
and send the group response (AND) of both.

Please let me know.
Thanks in advance.

--- "Garber, Neal" <Neal.Garber at> wrote:

> > If(authentication in ldap1 success) {
> Use ldap1 in the authenticate stage of radiusd.conf
> > 	if(productCode attribute exists in ldap2 success)
> {
> Use ldap2 in the authorize stage of radiusd.conf
> Authorize is performed first in FreeRadius (you show
> authenticate
> First), but it shouldn't matter for what you're
> trying to do.  
> Configure ldap.attrmap to obtain the productCode
> attribute.
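The "AND of both directories" that this thread is after can be expressed with the per-module return-code overrides that the poster already tried (ldap2 { fail = return }). The fragment below is an added example written for this thread, not configuration posted by Eric or Neal and not taken from the FreeRADIUS distribution. It assumes the FreeRADIUS 1.x configurable-failover syntax, two rlm_ldap instances named ldap1 and ldap2 defined in the modules {} section, and that "reject" is accepted as an action in a module override block; the server names, base DNs, bind credentials and filter are constructed placeholders.

```conf
# radiusd.conf (FreeRADIUS 1.x style) - added example, not from the thread.
# Goal: a user is accepted only if ldap1 authenticates them AND ldap2
# knows them (the productCode lookup); if ldap2 does not, reject.

modules {
    # Directory that holds the user's password (authentication).
    # Host, base DN and bind identity are constructed placeholders.
    ldap ldap1 {
        server = "ldap1.example.com"
        identity = "cn=radius,dc=example,dc=com"
        password = "REPLACE_WITH_BIND_PASSWORD"
        basedn = "ou=people,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }

    # Directory that holds the entitlement attribute (productCode).
    # ldap.attrmap must map productCode to the reply attribute you want.
    ldap ldap2 {
        server = "ldap2.example.com"
        identity = "cn=radius,dc=example,dc=com"
        password = "REPLACE_WITH_BIND_PASSWORD"
        basedn = "ou=entitlements,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }
}

authorize {
    preprocess

    # ldap1 is consulted first so that it sets Auth-Type for the
    # authenticate stage when the user exists there.
    ldap1

    # ldap2 must also find the user. Overriding "notfound" is what the
    # original "fail = return" attempt was missing: a user absent from
    # ldap2 comes back as notfound, not fail, so that code is the one
    # to turn into a rejection.
    ldap2 {
        notfound = reject
        # Fail closed: if ldap2 is unreachable, reject instead of letting
        # the request fall through on ldap1 alone.
        fail = reject
        ok = return
        updated = return
    }
}

authenticate {
    # Only ldap1 verifies the password. Use the Auth-Type name that the
    # ldap1 instance sets in authorize (assumed here to be "LDAP").
    Auth-Type LDAP {
        ldap1
    }
}
```

With this layout the authorize stage is the gate: an Access-Reject is sent as soon as ldap2 returns notfound, so the request never reaches authenticate, and a successful bind against ldap1 can no longer produce an Access-Accept on its own. Confirm the behaviour with radiusd -X for a user present in ldap1 but missing from ldap2; the debug output should show ldap2 returning notfound and the server sending Access-Reject rather than continuing to the authenticate section.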
