FREERADIUS WITH MULTIPLE LDAP AUTHENTICATION SOURCES

Alan DeKok aland at deployingradius.com
Tue Nov 30 14:50:07 CET 2021


On Nov 30, 2021, at 6:25 AM, Diego Forcella <diego.forcella at c2group.it> wrote:
> I am trying to set up a single freeradius with multiple ldap servers to query. The goal is to have a single freeradius server authenticating users from different tenants.
> 
> Ex: user at domain1.com must use only the ldap domain1 {} configuration
> user at domain2.com must use only the ldap domain2 {} configuration
> 
> I configured the file /etc/freeradius/3.0/mods-available/ldap in order to have the 2 configurations ldap domain1 {} and ldap domain2 {} and the bind is correct

  That's good.

> The problem is that when I run a radtest the user is searched for both on domain1 and on domain2 and then the result is returned only for domain2 because it is the last one that is queried.

  Because you listed both modules in the authorization section as:

authorize {
	...
	domain1
	domain2
	...
}

  The server doesn't know that the "domain1" module is for domain1.com.  You have to tell it.

> I would like that if I make a query, domain1 or domain2 is used based on the suffix of the user I am querying

$ man unlang

  You can do regular expression matches on the User-Name:

	# Escape the dot and anchor the realm to the end of the string, so that
	# "user@domain1.com.example" or "user@domain1xcom" cannot be routed to
	# tenant 1; the "i" flag matches the realm case-insensitively.
	if (&User-Name =~ /@domain1\.com$/i) {
		domain1
	}
	elsif (&User-Name =~ /@domain2\.com$/i) {
		domain2
	}

  Alan DeKok.
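
The reply above, carried through to a complete per-tenant routing policy, as an added example that is not part of Alan's message or of the FreeRADIUS project's shipped configuration. It assumes FreeRADIUS 3.0 unlang syntax, that the two ldap instances are named domain1 and domain2 exactly as in the question, and that users are authenticated by binding to their tenant's directory (so Auth-Type is set explicitly to the matching instance instead of relying on a password attribute being readable from LDAP). The regexes are anchored at both ends, escape the dot and match case-insensitively, so a User-Name such as user@domain1.com.example or user@domain1xcom is not routed to tenant 1, and a request whose realm matches neither tenant is rejected before either LDAP server is queried.

```unlang
# /etc/freeradius/3.0/sites-available/default (only the relevant sections).
# Added example: assumes ldap instances "domain1" and "domain2" are defined in
# mods-available/ldap and that users authenticate with an LDAP bind.

authorize {
	filter_username
	preprocess

	# Route on the whole realm: one "@", escaped dot, end-of-string anchor,
	# and the "i" flag so a differently-cased realm cannot bypass the match.
	if (&User-Name =~ /^[^@]+@domain1\.com$/i) {
		domain1
		if (ok || updated) {
			update control {
				&Auth-Type := domain1
			}
		}
	}
	elsif (&User-Name =~ /^[^@]+@domain2\.com$/i) {
		domain2
		if (ok || updated) {
			update control {
				&Auth-Type := domain2
			}
		}
	}
	else {
		# Unknown or missing realm: fail closed, never query either tenant.
		update reply {
			&Reply-Message := "Unknown realm"
		}
		reject
	}
}

authenticate {
	# One Auth-Type per tenant, each bound to its own ldap instance, so a
	# domain1.com user is never bound against tenant 2's directory.
	Auth-Type domain1 {
		domain1
	}
	Auth-Type domain2 {
		domain2
	}
}
```

Run the server with `freeradius -X` and send `radtest user@domain1.com password localhost 0 testing123`: the debug output should show only the domain1 module being called in authorize and authenticate, and `radtest user@example.org password localhost 0 testing123` should be rejected without any LDAP traffic. Because this authenticates by binding with the supplied password, it only works for PAP (cleartext) requests; EAP methods that do not deliver the cleartext password to the server cannot be checked this way.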

More information about the Freeradius-Users mailing list