Help with Multiple AD/LDAP

Ryan Kramer rkramer at gmail.com
Mon Jun 11 18:02:49 CEST 2007


It works!  Just a quick follow-up for anyone else that might run into it...
You need to define the DEFAULT users.conf entry differently as it can apply
to different servers individually.

DEFAULT LDAP1-Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through=0

DEFAULT LDAP2-Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through=0

DEFAULT LDAP3-Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through=0


works perfectly...

Ryan Kramer




On 6/11/07, Ryan Kramer <rkramer at gmail.com> wrote:
>
> Hello,
>
> I'm working on a new config to allow multiple AD servers to be hit, and am
> running into a problem.  Just a quick background, I have one server that has
> multiple root level OUs with users under it.  It may not be the recommended
> design, but for our needs it is suitable.  I've set up freeradius with three
> unique ldap entries, all connecting to the same AD server but under
> different OUs.
>
> Anyway, in users.conf I've got this:
>
> DEFAULT Ldap-Group == "WIFIUSER"
>         Filter-ID = "WIFIUSER",
>         Fall-Through=1
>
>
> radiusd.conf
>
> authorize {
> ...
> LDAP1
> LDAP2
> LDAP3
> }
>
>
> which will return group=WIFIUSER in the Access-Accept if the user is in
> the WIFIUSER AD group.  The problem is it only works if the user exists in
> the last LDAP entry that is listed.  It will still return an Access-Accept,
> but no group, if they aren't in the last OU.  (In the example above, a user
> in the LDAP1 OU would not get the WIFIUSER group Access-Accept, even though
> they are in it.  Moving LDAP1 to the bottom would make it work.)
>
> Any suggestions?
>
> Ryan Kramer
>
>
>
>
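An added illustration, not code from the thread or from FreeRADIUS itself: a small Python model of how the users file is walked (entries tried in order, an entry matches when all its check items hold, its reply items are added, and processing stops unless Fall-Through = 1), used to compare the single DEFAULT entry from the question with the per-instance entries from the follow-up. The model assumes, as the thread observed, that the bare Ldap-Group check is answered only by the last LDAP instance listed in authorize {}.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    name: str            # "DEFAULT" or a user name
    checks: dict         # check items, e.g. {"LDAP1-Ldap-Group": "WIFIUSER"}
    replies: dict        # reply items, e.g. {"Filter-ID": "WIFIUSER"}
    fall_through: bool = False

INSTANCES = ["LDAP1", "LDAP2", "LDAP3"]   # order from the authorize {} section

def request_groups(memberships):
    """memberships maps instance name -> groups the user has in that instance's OU.
    Each instance answers "<instance>-Ldap-Group"; the bare "Ldap-Group" check is
    assumed (as the thread observed) to be answered only by the last instance."""
    groups = {f"{inst}-Ldap-Group": set(memberships.get(inst, ())) for inst in INSTANCES}
    groups["Ldap-Group"] = set(memberships.get(INSTANCES[-1], ()))
    return groups

def evaluate(entries, user, memberships):
    """Return the reply items the users file would produce for `user`."""
    groups = request_groups(memberships)
    reply = {}
    for e in entries:
        if e.name not in ("DEFAULT", user):
            continue
        # An entry matches only when every check item is satisfied.
        if all(v in groups.get(attr, set()) for attr, v in e.checks.items()):
            reply.update(e.replies)
            if not e.fall_through:
                break          # Fall-Through=0: stop at the first match
    return reply

# The original single DEFAULT entry from the question (Fall-Through=1).
ORIGINAL = [Entry("DEFAULT", {"Ldap-Group": "WIFIUSER"}, {"Filter-ID": "WIFIUSER"}, True)]

# The working configuration from the follow-up: one DEFAULT entry per LDAP instance.
FIXED = [Entry("DEFAULT", {f"{inst}-Ldap-Group": "WIFIUSER"}, {"Filter-ID": "WIFIUSER"})
         for inst in INSTANCES]

if __name__ == "__main__":
    # Constructed sample user: found only under the OU served by LDAP1.
    alice = {"LDAP1": {"WIFIUSER"}}
    print(evaluate(ORIGINAL, "alice", alice))   # {}  -> Access-Accept with no group
    print(evaluate(FIXED, "alice", alice))      # {'Filter-ID': 'WIFIUSER'}
```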