freeradius with multiple ldap servers

Ivan Kalik tnt at kalik.net
Tue Jul 1 10:27:36 CEST 2008


ldap ldap1 {
..
}

ldap ldap2 {
..
}

Ivan Kalik
Kalik Informatika ISP


On 1/7/2008, "Sambuddho Chakravarty" <sc2516 at columbia.edu> wrote:

>Hello
> But this never really worked. I did exactly this. The ldap1 and ldap2
>are files with the following
>
>/etc/raddb/modules/ldap1----------------------------------------------------------------
>
>ldap {
>        server = "30.0.0.2"
>        basedn = "ou=People,cu=example,c=com"
>        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>        port = 389
>        ldap_connections_number = 5
>
>        timeout = 40
>
>        timelimit = 30
>        net_timeout = 10
>        tls {
>                start_tls = no
>
>                require_cert = "demand"
>        }
>
>        dictionary_mapping = ${confdir}/ldap.attrmap
>        edir_account_policy_check = no
>}
>
>
>/etc/raddb/modules/ldap2---------------------------------------
>
>ldap {
>        server = "10.0.0.1"
>        basedn = "ou=People,cu=example,c=com"
>        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>        port = 389
>        ldap_connections_number = 5
>
>        timeout = 40
>
>        timelimit = 30
>        net_timeout = 10
>        tls {
>                start_tls = no
>
>                require_cert = "demand"
>        }
>
>        dictionary_mapping = ${confdir}/ldap.attrmap
>        edir_account_policy_check = no
>}
>
>----------------------------------------------------------------------------------
>
>The only difference in both files is the LDAP server IP address. When I
>did as I mentioned in my previous email and executed /sbin/radiusd -X -C
>the execution ended with the following error
>
>
> Module: Checking authenticate {...} for more modules to load
>//etc/raddb/radiusd.conf[757]: Failed to find module "ldap1".
>//etc/raddb/radiusd.conf[756]: Errors parsing authenticate section.
> }
>
>
>Also, one more observation: when having a single LDAP server and when
>it actually worked fine, the debug messages showed
>
>found rlm_pap, while I think it should be showing rlm_ldap. Why is this
>so? But authentication worked fine and the client received an
>ACCESS-ACCEPT message as reply.
>
>Thanks
>Sambuddho
>
>
>
>
>On Thu, 2008-06-19 at 13:50 -0400, Sambuddho Chakravarty wrote:
>> Do you mean something like this
>>
>>   authorize {
>> 	redundant {
>> 	 ldap1
>> 	ldap2
>>          }
>> 	}
>>
>>    authenticate {
>> 	ldap1
>> 	ldap2
>> 	}
>>
>> The reason I list them here is to use them for authentication against
>> multiple LDAP servers whose configuration information is in the two
>> files modules/ldap1 and modules/ldap2. Does this look valid?
>>
>> Thanks
>> Sambuddho
>>
>> On Thu, 2008-06-19 at 09:35 +0200, Alan DeKok wrote:
>> > Sambuddho Chakravarty wrote:
>> > > Yes, but on a freeradius-2.05, when I create a separate authenticate
>> > > {} and authorize {} subsection and plug in the following:
>> > >
>> > > authorize {
>> > >        Autz-Type LDAP {
>> >
>> >   You don't need to use Autz-Type in 2.0.
>> >
>> > > authenticate {
>> > >        Auth-Type LDAP{
>> > >         redundant{
>> >
>> >   Don't use redundant sections here.  Just list the two LDAP modules
>> > independently.  The LDAP server that was used in the authorize section
>> > will ensure that it is also used in the authenticate section.
>> >
>> > >           ${confdir}/modules/ldap1
>> >
>> >   And I hope that's not what I think it is.
>> >
>> > > It doesn't work.
>> >
>> >   See the FAQ for "it doesn't work".
>> >
>> > > Here the ldap1 and ldap2 are two separate files in
>> > > the /etc/raddb/modules directory and have separate ldap server IP
>> > > addresses. Can anyone please point out to me where I am going wrong?
>> >
>> >   Lots.  The major one is that you are putting the module
>> > *configuration* into the authorize and authenticate sections.  I have no
>> > idea why you think that's a good idea.  The examples included in the
>> > server DO NOT DO THIS.
>> >
>> >   The files in the "modules" directory belong in the "modules" section
>> > of radiusd.conf.  This is documented in the comments, and in many examples.
>> >
>> >   The entries in the "authorize" and "authenticate" sections are simply
>> > a one-word reference to the name of a module.  Again, this is documented
>> > in the comments and in many examples.
>> >
>> >   Alan DeKok.
>> > -
>> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
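As an added example that is not part of Ivan Kalik's reply, Alan DeKok's, or the FreeRADIUS distribution, here is what the two module files and the sections that reference them look like once each file declares a named instance (`ldap ldap1 { ... }` rather than a bare `ldap { ... }`). The server addresses, base DN and bind credentials are placeholders I chose; the `identity`, `password` and `cacertfile` settings are standard rlm_ldap 2.x options that the posted files omitted, and the authorize/authenticate layout follows the thread's advice (a `redundant` block in authorize, the two instances listed plainly under `Auth-Type LDAP` in authenticate).

```conf
# /etc/raddb/modules/ldap1  (added example; all values are placeholders)
# "ldap" is the module, "ldap1" the instance name. The instance name is the
# one-word reference that authorize/authenticate use; a file that only says
# "ldap {" defines an instance called "ldap", which is why "ldap1" was not found.
ldap ldap1 {
        server = "30.0.0.2"
        # Bind DN for the user search. Keep it a read-only account limited to the
        # user subtree; it never needs write access to the directory.
        identity = "cn=radius,ou=Services,dc=example,dc=com"
        password = "CHANGE-ME"
        basedn = "ou=People,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        port = 389
        ldap_connections_number = 5
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
                # With start_tls = no (as in the posted files) the bind password and
                # every user lookup cross the network in clear text on port 389.
                # Turn it on and point cacertfile at the directory's CA before this
                # leaves the lab; require_cert only has an effect once TLS is in use.
                start_tls = no
                cacertfile = ${confdir}/certs/ldap-ca.pem
                require_cert = "demand"
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}

# /etc/raddb/modules/ldap2  (identical apart from the instance name and server)
ldap ldap2 {
        server = "10.0.0.1"
        identity = "cn=radius,ou=Services,dc=example,dc=com"
        password = "CHANGE-ME"
        basedn = "ou=People,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        port = 389
        ldap_connections_number = 5
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
                start_tls = no
                cacertfile = ${confdir}/certs/ldap-ca.pem
                require_cert = "demand"
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}

# radiusd.conf: the module *configuration* lives only here. The $INCLUDE of the
# modules/ directory loads every file above, so nothing from those files is
# pasted into authorize or authenticate.
modules {
        $INCLUDE ${confdir}/modules/
}

# Wherever the authorize/authenticate sections live (sites-enabled/default in
# 2.x, or radiusd.conf as in the thread): only instance names appear here.
authorize {
        preprocess
        # redundant: try ldap1; fall over to ldap2 only if ldap1 fails (server
        # unreachable, timeout), not when the user is merely not found.
        redundant {
                ldap1
                ldap2
        }
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        # No redundant block here: the instance that answered in authorize is
        # the one that binds as the user in this section.
        Auth-Type LDAP {
                ldap1
                ldap2
        }
}
```

Check the result with `radiusd -X -C` as in the thread: the `Failed to find module "ldap1"` error disappears once the instance names in the module files match the names referenced in the sections. Regarding the observation that debug output showed `rlm_pap` rather than `rlm_ldap` on a working setup: in 2.x rlm_ldap only sets `Auth-Type := LDAP` when it could not read a password attribute for the user; when the directory lets it read one, the ldap lookup in authorize supplies the password and `pap` performs the comparison, so seeing rlm_pap there is normal.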