multiple ldap servers

jeff donovan jdonovan at beth.k12.pa.us
Sat May 5 01:40:24 CEST 2012


On May 4, 2012, at 3:58 PM, Tobias Hachmer wrote:

> On 04.05.2012 21:05, jeff donovan wrote:
>> Found Auth-Type = LDAP
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group LDAP {...}
>> [ldap1] login attempt by "drfoo" with password "XxXxXxX"
>> [ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
>>  [ldap1] (re)connect to ldap1.example.com:389, authentication 1
>>  [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX
>> to ldap1.example.com:389
>>  [ldap1] waiting for bind result ...
>>  [ldap1] Bind failed with invalid credentials
>> ++[ldap1] returns reject
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group REJECT {...}
> 
> OK, so what happened here? The ldap bind has failed! That's not the failure message that the user you want to authenticate has wrong credentials.
> Be sure you configured the ldap modules correctly or send the whole radiusd -X debug output.

Greetings,
sorry,
I snipped the bottom off; I didn't think it relevant since nothing happened after it tried to auth on ldap1.

Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> drfoo
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 158 to 10.135.1.15 port 65478
Waking up in 4.9 seconds.
Cleaning up request 2 ID 158 with timestamp +22
Ready to process requests.

and that is correct. The user does not exist on LDAP1, his records are on LDAP2, which it finds, but it tries to auth against ldap1 (which will fail). I need it to step to ldap2.

I thought the result code was "reject", so under authentication: if the result of ldap1 = reject, try ldap2.

Auth-Type LDAP {
	ldap1
	if (reject) {
		ldap2
	}
}
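One way to express the fallback the post asks for, as an added example rather than anything from the original thread: in unlang a module's "reject" return code stops the authenticate section by default (the debug output above shows exactly that, ldap1 binding with a DN that lives under dc=ldap2 and the section ending on "returns reject"), so the return-code action for ldap1 has to be overridden before the following if can ever run. The module names ldap1 and ldap2 are the poster's; the numeric priorities are assumptions chosen so that a later "ok" from ldap2 wins.

```unlang
Auth-Type LDAP {
	# Downgrade ldap1's terminal codes to priority 1 so the section
	# continues instead of returning reject/notfound/fail immediately.
	ldap1 {
		reject   = 1
		notfound = 1
		fail     = 1
	}
	# Test the return code of the previous module (ldap1) and only
	# then bind against the second directory.
	if (reject || notfound || fail) {
		ldap2
	}
}
```

Check it with radiusd -X: a good bind on ldap2 should show "++[ldap2] returns ok" followed by an Access-Accept, while a user unknown to both servers still ends in "returns reject".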

