LDAP auth in two sources

tnt at kalik.net
Wed Nov 25 20:51:34 CET 2009


> radiusd: FreeRADIUS Version 1.1.3, for host
> x86_64-redhat-linux-gnu, built on Apr 25 2007 at 09:04:23

Upgrade.

http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_and_CentOS_5

> I need to make an authorization of some RADIUS clients in
> LDAP by RADIUS. Clients need only to check passwords. I can
> check this in ONE LDAP server at a time without problems.
> It works fine. But I need something different.
>
> I need to check user/password in TWO different LDAP servers.
> If ANY of the LDAPs says "password is ok" RADIUS must accept
> this userid/passwd pair. User lists in these two LDAPs have
> some overlap. Most (but not all) of the users are present in
> BOTH of the LDAP servers. Passwords between the LDAP servers are
> different.
>
> With the current configuration I get this:
>
> if the username isn't found in the first LDAP, proceed to the
> next
> if the username isn't found in the second LDAP, DENY access

You probably don't need that after the upgrade. Just force Auth-Type LDAP in
the users file.

> if the username is found in the first LDAP and the password is accepted
> by the first LDAP, ALLOW access.
> if the username is found in the first LDAP and the password isn't
> accepted by the first LDAP, DENY access.
>
> RADIUS doesn't check the password in the second LDAP server. I
> know why but I don't know how to change this behavior.

Create failover inside Auth-Type LDAP:

Auth-Type LDAP {
     tam {
          reject = 2
     }
     if (reject) {
          lotus
     }
}

Ivan Kalik
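For readers who want to see where that failover section sits, here is a complete FreeRADIUS 2.x configuration fragment, added as an illustration and not part of the original thread: two rlm_ldap instances named tam and lotus, the users-file entry that forces Auth-Type LDAP, and the authenticate section. Hostnames, bind DNs, base DN and filter are placeholders I made up, not values from the thread.

```conf
# raddb/modules/ldap: one rlm_ldap instance per directory.
# Neither instance is listed in the authorize section, so neither can
# set Auth-Type on its own; the users file does that below.
ldap tam {
    server   = "ldap-tam.example.com"             # placeholder
    identity = "cn=radius,ou=svc,dc=example,dc=com" # read-only bind DN, placeholder
    password = "CHANGE-ME"
    basedn   = "ou=people,dc=example,dc=com"        # placeholder
    filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}

ldap lotus {
    server   = "ldap-lotus.example.com"            # placeholder
    identity = "cn=radius,ou=svc,dc=example,dc=com" # placeholder
    password = "CHANGE-ME"
    basedn   = "ou=people,dc=example,dc=com"        # placeholder
    filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}

# raddb/users: every request is sent to the Auth-Type LDAP section,
# regardless of which directory (if any) knows the user.
DEFAULT Auth-Type := LDAP

# raddb/sites-enabled/default, authenticate section.
authenticate {
    Auth-Type LDAP {
        # "reject = 2" replaces the default "return" action for a reject
        # from tam with a numeric priority, so processing continues to
        # the next statement instead of leaving the section immediately.
        tam {
            reject = 2
        }
        # Only consult the second directory when the first one rejected;
        # a successful bind against tam has already returned "ok".
        if (reject) {
            lotus
        }
    }
}
```

A user present in neither directory is rejected by tam, then rejected again by lotus, so the Access-Reject still comes from the second directory's answer.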