Help with multiple LDAP servers

AJ aj at mindcrash.com
Wed Sep 2 15:42:56 CEST 2009


Hi,
  I know this has been discussed before on the list and there is  
documentation for this, but I have literally spent days on this and I  
cannot get the result that I am looking for.  I am hoping someone can  
share a configuration with me that works.  Basically, I am looking to  
have radius authenticate to two LDAP servers one after the other.  It  
is not a true failover or load balance situation, as both servers need  
to be queried at the same time.  Basically, I want the first LDAP  
server to be queried for a username/password, then if the user is not  
found, try the second one.  I did not extend the schema on either LDAP  
server, and I do not really want to do that if at all possible, since  
I am just using freeradius for authentication.  On a side note, if I  
just use one LDAP server in the configuration, it works fine.  I can  
authenticate to both LDAP servers if I only list one.  What seems to  
happen with this configuration is that it only tries the first LDAP  
server, and if the user does not exist, it quits right there and does  
not try the second (ad_ldap).  Any help would be greatly appreciated.   
I am running the following version of freeradius:

radiusd -v:
radiusd: FreeRADIUS Version 1.1.3

rpm -qa | grep freeradius:
freeradius-1.1.3-1.2.el5

Here are the relevant parts of my config:

$sysconfdir/raddb/radiusd.conf:

modules {
         # Two rlm_ldap instances, called one after the other from the
         # authorize / authenticate sections further down.  Host names, DNs
         # and passwords in this post are redacted placeholders.
         ldap rhds_ldap {
                 server = "xxx.xxx.com"
                 # Bind credentials are stored in cleartext in this file; keep
                 # radiusd.conf readable only by the radiusd user (and root).
                 identity = "cn=ciscoap,ou=System,dc=xx,dc=xx,dc=xx"
                 password = "xxxx"
                 basedn = "dc=xx,dc=xx,dc=xx"
                 # Look the user up by Stripped-User-Name, falling back to
                 # User-Name when no realm was stripped.
                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                 base_filter = "(objectclass=DUser)"
                 # No STARTTLS: the bind password and the users' credentials
                 # cross the network unencrypted unless the server is reached
                 # over ldaps:// (a bare host name, as here, does not do that).
                 start_tls = no
                 # NOTE(review): presumably set to an always-present attribute
                 # so that the access check passes for every user -- confirm
                 # against the rlm_ldap documentation for 1.1.3.
                 access_attr = "uid"
                 # Shared with ad_ldap below.
                 dictionary_mapping = ${raddbdir}/ldap.attrmap
                 ldap_connections_number = 5
                 # Timeouts, in seconds.
                 timeout = 4
                 timelimit = 3
                 net_timeout = 1
         }

         # Same settings as rhds_ldap, adapted to an Active Directory schema
         # (samAccountName / person instead of uid / DUser).
         ldap ad_ldap {
                 server = "yyy.yyy.com"
                 # Bind credentials in cleartext, as above.
                 identity = "CN=CiscoAP,CN=Users,DC=yy,DC=yy"
                 password = "yyyy"
                 basedn = "dc=yy,dc=yy"
                 # NOTE(review): the value appears to have been wrapped by the
                 # mail client; in the real file "filter =" and its value must
                 # be on one line.
                 filter =  
"(samAccountName=%{Stripped-User-Name:-%{User-Name}})"
                 base_filter = "(objectclass=person)"
                 # No STARTTLS: see the note on rhds_ldap above.
                 start_tls = no
                 # NOTE(review): always-present attribute, see rhds_ldap above.
                 access_attr = "samAccountName"
                 dictionary_mapping = ${raddbdir}/ldap.attrmap
                 ldap_connections_number = 5
                 # Timeouts, in seconds.
                 timeout = 4
                 timelimit = 3
                 net_timeout = 1
         }
}

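authorize {
         # Query the directories in order: rhds_ldap first, then ad_ldap.
         #
         # The posted version listed rhds_ldap twice, so ad_ldap was never
         # reached.  It also set "notfound = reject" on the group, which turns
         # a user missing from the first directory into an immediate reject
         # instead of moving on to the next server.  A "redundant" group
         # falls through to the next module on "fail" only; to continue on
         # "notfound" as well, the return code is overridden per module.
         redundant {
                 rhds_ldap {
                         # User not in the first directory: try the next one.
                         notfound = 1
                 }
                 ad_ldap
         }
}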

authenticate {
         # "Auth-Type := LDAP" is forced by the users file, so every request
         # ends up here and is handed to rhds_ldap first.
         # NOTE(review): this is a plain sub-section, not a "redundant"
         # group; if rhds_ldap returns reject or notfound for a user that only
         # exists in the AD directory, the section most likely returns before
         # ad_ldap is tried -- confirm in "radiusd -X" output and, if so,
         # override the return codes per module (e.g. "notfound = 1" on
         # rhds_ldap) or give each instance its own Auth-Type section.
         Auth-Type LDAP {
                 rhds_ldap
                 ad_ldap
         }
}


$sysconfdir/raddb/users: (added)


# Force LDAP authentication for every user that reaches this entry, then
# keep matching later entries in this file (Fall-Through).
# NOTE(review): ":=" would override any Auth-Type the ldap instances set
# during authorize, so all users go through the single "Auth-Type LDAP"
# section regardless of which directory found them -- confirm this is
# intended.
DEFAULT         Auth-Type := LDAP
                 Fall-Through = Yes

$sysconfdir/raddb/ldap.attrmap:  (added)

# Map the LDAP "userPassword" attribute onto the User-Password check item.
# NOTE(review): this only matters if rlm_ldap is meant to compare the
# password itself, which requires the bind identity to be allowed to read
# userPassword; with "Auth-Type LDAP" (rlm_ldap binds as the user) the
# mapping is not needed -- confirm which path is intended.
checkItem       User-Password                   userPassword












