Hi all,
I have a very strange problem:
I used freeradius 0.8.1 with the following parts of radiusd.conf:
authorize {
    preprocess
    fixusername1
    fixusername2
    suffix
    files
}
authenticate {
    authtype LDAP {
        redundant {
            LDAP1
            LDAP2
        }
    }
}
In users:
DEFAULT Ldap-Group == "disable", Auth-Type := Reject
DEFAULT Auth-Type := LDAP
Everything seems to work fine even if LDAP1 or LDAP2 is down. I can
authenticate without problems.
But then the problem appears. You can see that I reject users in the LDAP group
"disable". This part works fine too.
I can reject them if both LDAP1 and LDAP2 are up. However, if LDAP2 is down,
I can't reject the users who are in the "disable" group.
The clients can authenticate successfully if they enter the correct password,
even though they are in the "disable" group.
Then I tried turning on debug mode and found that ldap_groupcmp() only
runs against LDAP2. If it is down, it won't switch to LDAP1 to compare,
the "group compare" fails, and the radius allows the users access.
How can I configure it so that ldap_groupcmp() solves the problem?
Thank you.
(Note: the radius can switch to using LDAP1 for authentication if LDAP2 is
down, but not for the "group compare".)
Brian
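
The failure mode described in this post, modelled in Python as an added example (not part of the original message and not FreeRADIUS code): a deny rule keyed on a group lookup fails open when the single server it queries is down, while a lookup that fails over and treats "no answer" as a deny does not. FakeLdap, the function names and the user names are constructed for illustration.

```python
class DirectoryDown(Exception):
    """Raised when a (simulated) LDAP server cannot be reached."""

class FakeLdap:
    """Constructed stand-in for one LDAP server (not a real LDAP client)."""
    def __init__(self, name, up, groups):
        self.name, self.up, self.groups = name, up, groups

    def in_group(self, user, group):
        if not self.up:
            raise DirectoryDown(self.name)
        return user in self.groups.get(group, set())

def groupcmp_single(server, user, group):
    """Behaviour reported in the post: one server, lookup error == 'no match'."""
    try:
        return server.in_group(user, group)
    except DirectoryDown:
        return False  # the deny rule silently does not fire (fail open)

def groupcmp_failover(servers, user, group):
    """Ask each server in turn; True/False if one answers, None if none does."""
    for server in servers:
        try:
            return server.in_group(user, group)
        except DirectoryDown:
            continue
    return None

def authorize_observed(group_server, user):
    # users: DEFAULT Ldap-Group == "disable", Auth-Type := Reject
    if groupcmp_single(group_server, user, "disable"):
        return "Reject"
    return "LDAP"  # users: DEFAULT Auth-Type := LDAP

def authorize_fail_closed(servers, user):
    member = groupcmp_failover(servers, user, "disable")
    if member is None or member:
        return "Reject"  # unknown membership is treated as a deny
    return "LDAP"

if __name__ == "__main__":
    groups = {"disable": {"bob"}}          # constructed sample directory data
    ldap1 = FakeLdap("LDAP1", True, groups)
    ldap2 = FakeLdap("LDAP2", False, groups)  # LDAP2 is down, as in the post
    print(authorize_observed(ldap2, "bob"))              # disabled user gets through
    print(authorize_fail_closed([ldap2, ldap1], "bob"))  # rejected via LDAP1
```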
