Help with Multiple AD/LDAP
Ryan Kramer
rkramer at gmail.com
Mon Jun 11 18:02:49 CEST 2007
It works! Just a quick followup for anyone else that might run into it...
You need to define the DEFAULT users.conf entry differently as it can apply
to different servers individually.
DEFAULT LDAP1-Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through = 0

DEFAULT LDAP2-Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through = 0

DEFAULT LDAP3-Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through = 0
Works perfectly...
Ryan Kramer
On 6/11/07, Ryan Kramer <rkramer at gmail.com> wrote:
>
> Hello,
>
> I'm working on a new config to allow multiple AD servers to be hit, and am
> running into a problem. Just a quick background, I have one server that has
> multiple root level OU's with users under it. It may not be the recommended
> design, but for our needs it is suitable. I've set up freeradius with three
> unique ldap entries, all connecting to the same AD server but under
> different OU's.
>
> Anyway, in users.conf I've got this:
>
> DEFAULT Ldap-Group == "WIFIUSER"
>         Filter-ID = "WIFIUSER",
>         Fall-Through = 1
>
>
> radiusd.conf
>
> authorize {
>         ...
>         LDAP1
>         LDAP2
>         LDAP3
> }
>
>
> which will return group=WIFIUSER in the Access-Accept if the user is in
> the WIFIUSER AD group. The problem is it only works if the user exists in
> the last LDAP entry that is listed. It will still return an Access-Accept,
> but no group, if they aren't in the last OU. (In the example above, a user
> in the LDAP1 OU would not get the WIFIUSER group in the Access-Accept, even though
> they are in it. Moving LDAP1 to the bottom would make it work.)
>
> Any suggestions?
>
> Ryan Kramer
>
>
>
>
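As an added illustration (not code from this thread, and not FreeRADIUS's own code), the following Python model walks through how the users module evaluates the two configurations above: entries are tried in order, DEFAULT matches every user, and a matching entry ends the search unless Fall-Through is set. The DIRECTORY contents and the user names are constructed; binding a bare Ldap-Group check to the last instance listed in authorize is an assumption made here only to reproduce the symptom Ryan describes, not a description of rlm_ldap internals.

```python
import re

# Constructed sample directory: the WIFIUSER members each rlm_ldap instance
# from the thread (LDAP1..LDAP3, one per OU) would report.
DIRECTORY = {
    "LDAP1": {"WIFIUSER": {"alice"}},
    "LDAP2": {"WIFIUSER": {"bob"}},
    "LDAP3": {"WIFIUSER": {"carol"}},
}

# Instance order in the posted authorize section.
AUTHORIZE_ORDER = ["LDAP1", "LDAP2", "LDAP3"]

# Users-file text from the original question (reply lines indented).
ORIGINAL_USERS = '''\
DEFAULT Ldap-Group == "WIFIUSER"
\tFilter-ID = "WIFIUSER",
\tFall-Through = 1
'''

# Users-file text from the follow-up: one entry per instance.
FIXED_USERS = '''\
DEFAULT LDAP1-Ldap-Group == "WIFIUSER"
\tFilter-ID = "WIFIUSER",
\tFall-Through = 0

DEFAULT LDAP2-Ldap-Group == "WIFIUSER"
\tFilter-ID = "WIFIUSER",
\tFall-Through = 0

DEFAULT LDAP3-Ldap-Group == "WIFIUSER"
\tFilter-ID = "WIFIUSER",
\tFall-Through = 0
'''

# attribute, operator ("==" tried before "=" so it is not split), quoted or bare value
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*(?:"([^"]*)"|([^,\s]+))')


def _items(text):
    """Split a comma-separated list of attribute/operator/value triples."""
    return [(m.group(1), m.group(2), m.group(3) if m.group(3) is not None else m.group(4))
            for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """Parse users-file text into entries of {name, check, reply}.

    A line in column 0 starts an entry (name plus check items); the indented
    lines that follow carry that entry's reply items.
    """
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            current["reply"].extend(_items(raw))
        else:
            parts = raw.split(None, 1)
            current = {"name": parts[0],
                       "check": _items(parts[1]) if len(parts) > 1 else [],
                       "reply": []}
            entries.append(current)
    return entries


def group_check_passes(attr, value, user):
    """Evaluate an Ldap-Group style check item against the sample directory.

    Assumption (models the reported symptom): a bare Ldap-Group check is
    answered by the last instance in authorize, while <instance>-Ldap-Group
    is answered by that named instance.
    """
    if attr == "Ldap-Group":
        instance = AUTHORIZE_ORDER[-1]
    elif attr.endswith("-Ldap-Group"):
        instance = attr[:-len("-Ldap-Group")]
    else:
        return False  # no other check items appear in the thread
    return user in DIRECTORY.get(instance, {}).get(value, set())


def authorize(entries, user):
    """Return the reply items the users module would add for `user`.

    The first entry whose name matches (DEFAULT matches anyone) and whose
    check items all pass contributes its reply items and stops the search,
    unless it sets Fall-Through to 1/yes.
    """
    reply = {}
    for entry in entries:
        if entry["name"] not in ("DEFAULT", user):
            continue
        if not all(group_check_passes(a, v, user) for a, _, v in entry["check"]):
            continue
        fall_through = False
        for attr, _, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("1", "yes")
            else:
                reply[attr] = value
        if not fall_through:
            break
    return reply
```

Running `authorize(parse_users(ORIGINAL_USERS), "alice")` returns no Filter-ID because alice is only known to LDAP1, whereas `authorize(parse_users(FIXED_USERS), "alice")` returns `{"Filter-ID": "WIFIUSER"}` because the LDAP1-Ldap-Group entry is checked against LDAP1 itself; the Fall-Through = 0 on each entry stops the search at the first instance that confirms membership.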