Multiple LDAP (Not failover) lookup...
Eric Martell
workoutexcite at yahoo.com
Tue Nov 7 22:41:39 CET 2006
Thanks so much Neal. You got it 95% right. The problem
is that FreeRADIUS always authorizes first (no matter what
the order is in radiusd.conf) and then authenticates.
authorize {
    ...
    ldap2
}
authenticate {
    ...
    ldap1
}
So if the user fails in ldap2 (module "ldap2" returns
notfound for request user xyz), it continues on to the
authentication module.
(**** This authorize step should break the sequence and
return FAIL. I tried ldap2 { fail = return } but no
help... it still returns notfound ****)
And the same user in "ldap1" returns ok for request user
xyz in authentication.
Finally FreeRADIUS returns "Sending Access-Accept"
(the status of the ldap1 auth) to the request.
Technically it should authenticate and then authorize
and send the group response (AND) of both.
Please let me know.
Thanks in advance.
--- "Garber, Neal" <Neal.Garber at energyeast.com> wrote:
> > If(authentication in ldap1 success) {
>
> Use ldap1 in the authenticate stage of radiusd.conf
>
> > if(productCode attribute exists in ldap2 success) {
>
> Use ldap2 in the authorize stage of radiusd.conf
>
> Authorize is performed first in FreeRADIUS (you show
> authenticate first), but it shouldn't matter for what
> you're trying to do.
> Configure ldap.attrmap to obtain the productCode
> attribute.
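The behaviour described in this thread follows from two things: the authorize section always runs before authenticate, and a per-module action only fires for the return code it is keyed on. Since ldap2 returns "notfound" for the user, an action keyed on "fail" never triggers. The fragment below is an added illustration, not configuration from either poster; it assumes the FreeRADIUS 1.x configurable-failover syntax (module { rcode = action }, where the action is "return", "reject" or a priority number) and the two LDAP module instances named ldap1 and ldap2 from the thread. Hostnames, base DNs and the productCode filter are placeholders.

```conf
# Added example (not from the original post). Assumes FreeRADIUS 1.x
# radiusd.conf with two ldap instances; values below are placeholders.
modules {
    ldap ldap1 {
        server = "ldap1.example.invalid"        # placeholder
        basedn = "ou=people,dc=example,dc=invalid"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
    ldap ldap2 {
        server = "ldap2.example.invalid"        # placeholder
        basedn = "ou=products,dc=example,dc=invalid"
        # Only users that carry the productCode attribute are found here.
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(productCode=*))"
    }
}

authorize {
    preprocess
    # Authorize runs before authenticate. Key the action on the code the
    # module actually returns ("notfound" when the user is absent in ldap2)
    # so the request is rejected here instead of falling through.
    ldap2 {
        notfound = reject   # stop processing, send Access-Reject
        fail     = reject   # LDAP server error: also reject, do not fall through
        ok       = return   # user has productCode: proceed to authenticate
    }
}

authenticate {
    # Only reached when ldap2 returned ok above; ldap1 checks the password.
    ldap1
}
```

The effect is an AND of both lookups: the request is accepted only if ldap2 finds the user (with productCode) in authorize and ldap1 then accepts the credentials in authenticate. Keying on "fail" alone, as in the thread, leaves "notfound" on its default path, which is why the request continued to the authentication section.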