Before I go off and start making code changes, I wanted to check if what I'm seeing is expected behavior.
First, some background information (this is with FreeRADIUS 1.0.0-pre0):
We have one FreeRADIUS server configured like this
In the modules section...
ldap local_user {
    server = ds1.foo.com
    basedn = "ou=People,dc=foo,dc=com"    <--- One basedn
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ...
}
ldap corporate_user {
    server = ds1.bar.com
    basedn = "ou=People,dc=bar,dc=com"    <--- A different basedn
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ...
}
In the authorize section...
group {
    local_user {
        reject = reject
        userlock = reject
        ok = return
    }
    corporate_user {
        reject = reject
        userlock = reject
        ok = return
    }
    notfound = return
}
In the authenticate section...
Auth-Type LDAP {
    group {
        local_user {
            reject = 1
        }
        corporate_user
    }
}
Here is what I see - if a user is 'authorized' by the LDAP server from 'local_user', then an attempt to authenticate that user against the LDAP server from 'local_user' is attempted, using "uid=%{User-Name}, ou=People, dc=foo, dc=com" as the Ldap-UserDN.
If that authentication fails, then it attempts to authenticate against the LDAP server from "corporate_user", with "uid=%{User-Name}, ou=People, dc=foo, dc=com" as the Ldap-UserDN (the same as before) and NOT "uid=%{User-Name}, ou=People, dc=bar, dc=com" as the Ldap-UserDN. Note the different BaseDNs defined for both servers.
In a nutshell, rlm_ldap doesn't appear to get the right BaseDN, or it just uses the BaseDN from whatever ldap instance 'authorized' the user. Is that expected behavior? Or should it use the BaseDN from the ldap instance described in the 'authenticate' section?
Long story about why we have two LDAP servers with different basedns and why a user would need to authenticate off of either one, I won't go into that here. Suffice it to say we're in transition.
Any insight is appreciated,
Craig
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
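As an added illustration (this is not code from the post and not rlm_ldap or FreeRADIUS code), the following Python model reproduces the flow Craig describes: two ldap instances with different basedns, an authorize group where the first instance that finds the user sets Ldap-UserDN and returns, and an authenticate group where local_user's reject falls through to corporate_user. The `reuse_cached_dn` switch contrasts the observed behaviour (the DN recorded by the authorizing instance is reused by every later bind) with a per-instance rebuild of the DN from that instance's own basedn. The instance names and basedns are taken from the post; the user "alice", the passwords and the in-memory directories are constructed stand-ins for the real LDAP servers.

```python
# Added example: a model of the two-instance authorize/authenticate flow described
# in the post. Not rlm_ldap code; it only reproduces the DN handling at issue.
from dataclasses import dataclass


@dataclass
class LdapInstance:
    name: str
    basedn: str
    users: dict  # constructed directory: uid -> password, standing in for an LDAP server

    def user_dn(self, username: str) -> str:
        return f"uid={username},{self.basedn}"

    def authorize(self, request: dict) -> str:
        """Return 'ok' and record Ldap-UserDN if the user exists here, else 'notfound'."""
        name = request["User-Name"]
        if name not in self.users:
            return "notfound"
        # As in the post: the instance that authorized the user records the DN it found.
        request["Ldap-UserDN"] = self.user_dn(name)
        return "ok"

    def authenticate(self, request: dict, reuse_cached_dn: bool) -> str:
        """Bind as the user; returns 'ok' or 'reject' and logs the DN actually tried."""
        name = request["User-Name"]
        if reuse_cached_dn and "Ldap-UserDN" in request:
            dn = request["Ldap-UserDN"]          # observed behaviour: reuse whatever authorize left
        else:
            dn = self.user_dn(name)              # per-instance rebuild from this instance's basedn
        request.setdefault("tried", []).append((self.name, dn))
        # A bind can only succeed against this server if the DN lies under its basedn
        # and the password matches the entry stored there.
        if not dn.endswith(self.basedn):
            return "reject"
        return "ok" if self.users.get(name) == request["User-Password"] else "reject"


def run_flow(reuse_cached_dn: bool) -> dict:
    """Run authorize then authenticate for a constructed request; return result and DNs tried."""
    local = LdapInstance("local_user", "ou=People,dc=foo,dc=com", {"alice": "foo-pass"})
    corporate = LdapInstance("corporate_user", "ou=People,dc=bar,dc=com", {"alice": "bar-pass"})
    # Constructed request: the user's current password is the one on the corporate server.
    request = {"User-Name": "alice", "User-Password": "bar-pass"}

    # authorize group: the first instance that finds the user wins (ok = return).
    for inst in (local, corporate):
        if inst.authorize(request) == "ok":
            break

    # authenticate group: local_user has reject = 1, so a failed bind falls through
    # to corporate_user; the first successful bind ends the group.
    result = "reject"
    for inst in (local, corporate):
        result = inst.authenticate(request, reuse_cached_dn)
        if result == "ok":
            break
    return {"result": result, "tried": request["tried"]}


if __name__ == "__main__":
    for reuse in (True, False):
        outcome = run_flow(reuse)
        print(f"reuse_cached_dn={reuse}: result={outcome['result']}")
        for inst_name, dn in outcome["tried"]:
            print(f"  {inst_name} bound as {dn}")
```

With `reuse_cached_dn=True` the second bind is attempted against ds1.bar.com with the dc=foo DN and is rejected, which is the symptom in the post; with `reuse_cached_dn=False` corporate_user builds its own dc=bar DN and the bind succeeds. The model is useful as a checklist when reading the server's debug output: if the Ldap-UserDN logged for the second instance still carries the first instance's basedn, the DN is being carried over from authorize rather than derived per instance.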