Help with multiple LDAP servers
Ivan Kalik
tnt at kalik.net
Wed Sep 2 18:51:46 CEST 2009
> Quoting "Ivan Kalik" <tnt at kalik.net>:
>
>> So what does first ldap section return when user is missing - fail or
>> reject (I see you have access attribute configured there)? If it's
>> reject you need unlang (ie 2.x).
>>
>
> Here is my output of radtest with a user on the second LDAP server.
> This server never gets queried unless the first one is offline. I
> also made these changes to radiusd.conf after re-reading the
> configurable_failover document.
> I would appreciate some pointers because I am just not getting it.
>
> redundant {
>         rhds_ldap {
>                 notfound = 1
>                 ok = return
>         }
>         ad_ldap {
>                 notfound = 1
>                 ok = return
>         }
> }
>
>
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> modcall: entering group redundant for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat: '(uid=testuser)'
> radius_xlat: 'dc=xx,dc=xx,dc=xx'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to xx.xx.com:389, authentication 0
> rlm_ldap: bind as cn=ciscoap,ou=System,dc=xx,dc=xx,dc=xx/xxxx to
> xx.xx.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=xx,dc=xx,dc=xx, with filter
> (uid=testuser)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "rhds_ldap" returns notfound for request 0
Ok. You can remove redundant (module is not failing, so no failover
needed). Just list the two modules one below the other.
...
> users: Matched entry DEFAULT at line 216
...
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
Remove that from users file. Let pap module do the authentication. Ldap
should return the password to radius via ldap.attrmap.
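An added illustration of the layout the reply describes; it is not configuration from the thread or from the FreeRADIUS project. The instance names rhds_ldap and ad_ldap and the first bind DN are taken from the quoted debug output; the hostnames, base DNs, bind password and the AD filter attribute are placeholders. It assumes a 2.1.x rlm_ldap (one that understands set_auth_type) and that both directories return a password attribute the pap module can compare against; Active Directory does not return one over LDAP, so an ad_ldap instance pointed at AD would instead need the ldap module's bind-based authenticate method.

```unlang
# Added example (not from the thread). raddb/modules/ldap:
# one rlm_ldap instance per directory. Neither instance sets Auth-Type;
# each only fetches the user's password attribute so pap can compare it.
ldap rhds_ldap {
        server = "rhds.example.com"                     # placeholder
        identity = "cn=ciscoap,ou=System,dc=example,dc=com"
        password = "changeme"                           # placeholder
        basedn = "dc=example,dc=com"                    # placeholder
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # check/reply item mappings come from ldap.attrmap; the attribute
        # holding the (clear or hashed) password is named here
        dictionary_mapping = ${confdir}/ldap.attrmap
        password_attribute = userPassword
        # do not force Auth-Type := LDAP; pap sets Auth-Type = PAP itself
        set_auth_type = no
}

ldap ad_ldap {
        server = "ad.example.com"                       # placeholder
        identity = "cn=radius,cn=Users,dc=ad,dc=example,dc=com"   # placeholder
        password = "changeme"                           # placeholder
        basedn = "dc=ad,dc=example,dc=com"              # placeholder
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        dictionary_mapping = ${confdir}/ldap.attrmap
        # assumes this directory also returns a password attribute
        password_attribute = userPassword
        set_auth_type = no
}

# raddb/sites-enabled/default (excerpt)
authorize {
        preprocess
        suffix
        eap
        # users file: the DEFAULT entry that set Auth-Type LDAP is removed
        files
        # Listed one below the other, without a redundant {} wrapper.
        # redundant {} is for failover when a module *fails* (server down);
        # the first instance returns notfound, which is not a failure, so
        # a plain sequence is what lets the second instance run when the
        # user is absent from the first directory.
        rhds_ldap
        ad_ldap
        # pap sets Auth-Type = PAP when the request carries User-Password
        # and a known-good password was fetched above; otherwise it is noop
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
}
```

With this layout a user missing from rhds_ldap shows up in debug as "rhds_ldap returns notfound" followed immediately by the ad_ldap search for the same request, and the authentication line reads "auth: type PAP" rather than "LDAP".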