multiple ldap servers::solved::
Alan DeKok
aland at deployingradius.com
Sat May 5 11:09:44 CEST 2012
jeff donovan wrote:
> I made two changes, and it worked... not sure if it's the best syntax, but it's the first time I got both systems to call back.
>
> authorize {
>
>     ldap1
>     if (notfound) {
>         ldap2
>     }
This is OK.
>     if (reject) {
>         ldap2
>     }
This doesn't do anything. If ldap1 rejects the user (which it won't
in the "authorize" section), then it will *immediately* return reject.
i.e. the "if reject" line won't be reached.
> authenticate {
>
>     Auth-Type LDAP {
>         ldap1 {
>             reject = 1
>             ok = return
>         }
>         ldap2 {
>             reject = 1
>             ok = return
>         }
>     }
This is wrong, too. You've forced "Auth-Type := LDAP" somewhere in
your config. You could instead use "set_auth_type" in the modules/ldap
configuration. It's recommended to *not* use it, but it's fine here.
Then, just do:
authenticate {
...
ldap1
ldap2
...
}
If the "ldap1" module finds the user, it sets Auth-Type = "ldap1".
And the same for ldap2.
This means that there are fewer queries to ldap1 in the "authenticate"
phase. That's nice.
Alan DeKok.
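A complete form of the arrangement described in the reply above, written as an added example and not taken from the thread: two rlm_ldap instances in modules/ldap with set_auth_type enabled, plus the authorize and authenticate sections without the unreachable "if (reject)" block. Server hostnames, bind identities, passwords and base DNs are assumed placeholders.

```unlang
# modules/ldap (FreeRADIUS 2.x): two instances of rlm_ldap.
# Hostnames, bind identities, passwords and base DNs are placeholders.
ldap ldap1 {
    server = "ldap1.example.com"
    identity = "cn=radius,dc=example,dc=com"
    password = "bind-password-placeholder"
    basedn = "ou=people,dc=example,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    # When this instance finds the user in authorize, it sets
    # Auth-Type := ldap1, so no "Auth-Type := LDAP" is forced elsewhere.
    set_auth_type = yes
}

ldap ldap2 {
    server = "ldap2.example.com"
    identity = "cn=radius,dc=example,dc=com"
    password = "bind-password-placeholder"
    basedn = "ou=people,dc=example,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    set_auth_type = yes
}

# sites-enabled/default
authorize {
    preprocess
    ldap1
    # Only consult the second directory when the user is absent from the
    # first. An "if (reject)" block here would never run: a reject from
    # ldap1 in authorize returns from the section immediately.
    if (notfound) {
        ldap2
    }
}

authenticate {
    # No "Auth-Type LDAP { ... }" wrapper. Each instance handles the
    # Auth-Type value it set in authorize, so a user found in ldap2 is
    # never bound against ldap1 during authentication.
    ldap1
    ldap2
}
```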