freeradius with multiple ldap servers
Sambuddho Chakravarty
sc2516 at columbia.edu
Tue Jul 1 07:52:07 CEST 2008
Hello
But this never really worked. I did exactly this. The ldap1 and ldap2
are files with the following:
/etc/raddb/modules/ldap1----------------------------------------------------------------
ldap {
server = "30.0.0.2"
basedn = "ou=People,cu=example,c=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
port = 389
ldap_connections_number = 5
timeout = 40
timelimit = 30
net_timeout = 10
tls {
start_tls = no
require_cert = "demand"
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
}
/etc/raddb/modules/ldap2---------------------------------------
ldap {
server = "10.0.0.1"
basedn = "ou=People,cu=example,c=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
port = 389
ldap_connections_number = 5
timeout = 40
timelimit = 30
net_timeout = 10
tls {
start_tls = no
require_cert = "demand"
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
}
----------------------------------------------------------------------------------
The only difference between the two files is the LDAP server IP address. When I
did as I mentioned in my previous email and executed /sbin/radiusd -X -C,
the execution ended with the following error:
Module: Checking authenticate {...} for more modules to load
//etc/raddb/radiusd.conf[757]: Failed to find module "ldap1".
//etc/raddb/radiusd.conf[756]: Errors parsing authenticate section.
}
Also, one more observation: when there was a single LDAP server and it
actually worked fine, the debug messages showed
"found rlm_pap", while I think it should be showing rlm_ldap. Why is this
so? But authentication worked fine and the client received an
ACCESS-ACCEPT message as reply.
Thanks
Sambuddho
On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
> Do you mean something like this?
>
> authorize {
> redundant {
> ldap1
> ldap2
> }
> }
>
> authenticate {
> ldap1
> ldap2
> }
>
> The reason I list them here is to use them for authentication against
> multiple LDAP servers whose configuration information is in the two
> files modules/ldap1 and modules/ldap2. Does this look valid?
>
> Thanks
> Sambuddho
>
> On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
> > Sambuddho Chakravarty wrote:
> > > Yes, but on freeradius-2.05, when I create a separate authenticate
> > > {} and authorize {} subsection and plug in the following:
> > >
> > > authorize {
> > > Autz-Type LDAP {
> >
> > You don't need to use Autz-Type in 2.0.
> >
> > > authenticate {
> > > Auth-Type LDAP{
> > > redundant{
> >
> > Don't use redundant sections here. Just list the two LDAP modules
> > independently. The LDAP server that was used in the authorize section
> > will ensure that it is also used in the authenticate section.
> >
> > > ${confdir}/modules/ldap1
> >
> > And I hope that's not what I think it is.
> >
> > > It doesn't work.
> >
> > See the FAQ for "it doesn't work".
> >
> > > Here the ldap1 and ldap2 are two separate files in
> > > the /etc/raddb/modules directory and have separate ldap server IP
> > > addresses. Can anyone please point out to me where I am going wrong?
> >
> > Lots. The major one is that you are putting the module
> > *configuration* into the authorize and authenticate sections. I have no
> > idea why you think that's a good idea. The examples included in the
> > server DO NOT DO THIS.
> >
> > The files in the "modules" directory belong in the "modules" section
> > of radiusd.conf. This is documented in the comments, and in many examples.
> >
> > The entries in the "authorize" and "authenticate" sections are simply
> > a one-word reference to the name of a module. Again, this is documented
> > in the comments and in many examples.
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
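As an added example (not from the thread), the layout the replies describe: named module instances under modules/ and one-word references in the virtual server. The files posted above each begin with a bare "ldap {", so both create an instance called "ldap" and nothing is registered under the names ldap1 or ldap2, which is what "Failed to find module ldap1" reports. The server addresses and instance names are the ones from the thread; the base DN is a placeholder.

```conf
# /etc/raddb/modules/ldap1: "ldap" is the module type, "ldap1" the instance
# name that authorize/authenticate refer to (a bare "ldap {" names it "ldap")
ldap ldap1 {
	server = "30.0.0.2"
	basedn = "ou=People,dc=example,dc=com"   # placeholder base DN (assumed)
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	port = 389
	ldap_connections_number = 5
	timeout = 40
	timelimit = 30
	net_timeout = 10
	tls {
		# start_tls = no: the user's bind credentials cross the network
		# in the clear, and require_cert only applies once TLS is negotiated
		start_tls = no
		require_cert = "demand"
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
}
# /etc/raddb/modules/ldap2: same settings, different name and server
# (settings omitted here take rlm_ldap's defaults)
ldap ldap2 {
	server = "10.0.0.1"
	basedn = "ou=People,dc=example,dc=com"   # placeholder base DN (assumed)
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	dictionary_mapping = ${confdir}/ldap.attrmap
}
# radiusd.conf: the modules section loads every file under modules/
modules {
	$INCLUDE ${confdir}/modules/
}
# sites-enabled/default: the sections contain only instance names
authorize {
	preprocess
	redundant {
		ldap1
		ldap2
	}
	pap
}
authenticate {
	Auth-Type LDAP {
		ldap1
		ldap2
	}
}
```

With both instances defined this way, radiusd -X -C resolves ldap1 and ldap2 at parse time instead of failing on the authenticate section.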