Multiple LDAP (Not failover) lookup...

Alan DeKok aland at
Wed Nov 8 00:12:16 CET 2006

Eric Martell <workoutexcite at> wrote:
> Thanks so much Neal. You got it 95% right. The problem
> is FreeRadius always authorizes first (no matter what
> the order in radiusd.conf) and then authenticates.

  Yes, that's how the server works.

> (****This authorize should break the sequence and
> return FAIL. I tried ldap2 { fail = return } but no
> help...still returns notfound ****)

  See doc/configurable_failover.  You may want:

  ldap2 {
	fail = reject
  }

> Technically it should authenticate and then authorize
> and send the group response (AND) of both.

  Then... configure it to do that.  The default behavior is that a
"notfound" error is NOT fatal, because another module or database may
find the user.

  Alan DeKok.
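
An added illustration of the reply above, not configuration from the original post: an `authorize` section in radiusd.conf that uses the `code = action` overrides described in doc/configurable_failover so that both LDAP lookups must find the user. The instance name `ldap1` and the `preprocess` entry are assumptions; `ldap2` is the instance named in the thread.

```conf
# Added example (not from the original message).
# Assumes two LDAP module instances, ldap1 and ldap2, are defined
# in the modules { } section of radiusd.conf.
authorize {
	preprocess

	# By default a "notfound" result is not fatal, so processing
	# continues to the next module. Override it per instance so a
	# user missing from either directory is rejected.
	ldap1 {
		notfound = reject   # user absent from first directory
		fail = reject       # directory unreachable or lookup error
	}

	ldap2 {
		notfound = reject   # user absent from second directory
		fail = reject
	}
}
```

With only `fail = reject` set, a lookup that returns `notfound` still falls through, which matches the behaviour reported in the quoted message.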