> The above problem line should be:
> rlm_ldap: bind as uid=username, ou=People,
> dc=university,dc=edu,c=us/test123 to
> openldap.university.edu:1744
> However, it is taking the userdn from the ad server which
> gave the first authorize ok. What I need is for it to
> attempt to authenticate with the appropriate userdn
> depending on which server it is authenticating to. So it
> would use the userdn from AD authenticating to the AD server
> and the openldap userdn when authenticating to the openldap
> server.
>
I see what is happening, that's a tough one. You are passing both authorization modules since the username is the same for your search filter. Then it tries to bind with the first DN that passed the authorization, but that is the incorrect DN since you want to use the openldap version of that user.

The easiest method to work around this right away is if there is something coming in the packet that will tell you whether this should be an AD or openldap user. If that's the case, then you can make a rule specifying which Autz type and Auth type to use.

For example, say all AD users come from nas-ip of 1.1.1.1 and all openldap users come from nas-ip of 1.1.1.2. In the users file:

    # AD users: authorize and authenticate against the same module
    DEFAULT NAS-IP-Address == 1.1.1.1, Autz-Type := ldap1, Auth-Type := ldap1
    # openldap users
    DEFAULT NAS-IP-Address == 1.1.1.2, Autz-Type := ldap2, Auth-Type := ldap2
    # anything else is rejected
    DEFAULT Auth-Type := Reject

That would get you what you want. Note that it doesn't have to be nas-ip; you can go off any radius attribute that is consistently in those auth requests.

However, if there is nothing identifying whether it should be an AD lookup vs an openldap lookup, then it's going to be harder (I think, although I don't know the internals, so a developer could answer this better). The overlap of the names makes it hard.

Are these actually different users with the same RDN, or are they the same user that exists in both AD and openldap? I'd have to think about this a bit based on your answer to see if I can think of anything.
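
Added example (not part of the original post, and not FreeRADIUS code): a simplified Python model of the behaviour discussed in this thread, showing why the bind fails when both modules authorize and why pairing one Autz-Type with the same Auth-Type per NAS address keeps the DN and the target directory consistent. The directory contents, the AD-style DN and the function names are assumptions made for illustration.

```python
# Simplified model of the thread's scenario; all names and DNs are constructed samples.
DIRECTORIES = {
    # module name -> {username: DN found by that module's search filter}
    "ldap1": {"username": "cn=username,cn=Users,dc=example,dc=test"},           # AD (assumed DN)
    "ldap2": {"username": "uid=username,ou=People,dc=university,dc=edu,c=us"},  # openldap
}

# Routing rules, first match wins: (NAS-IP-Address, Autz-Type, Auth-Type).
# Each address maps to the same module for both phases.
RULES = [("1.1.1.1", "ldap1", "ldap1"), ("1.1.1.2", "ldap2", "ldap2")]


def authorize(username, modules):
    """Search each listed module in order and keep the first DN found."""
    for name in modules:
        dn = DIRECTORIES[name].get(username)
        if dn:
            return dn
    return None


def bind(module, dn):
    """A bind can only succeed if the DN exists in the directory bound to."""
    return dn in DIRECTORIES[module].values()


def unrouted(username, auth_module):
    """Both modules authorize, so the bind uses whichever DN was found first."""
    dn = authorize(username, ["ldap1", "ldap2"])
    return dn, bind(auth_module, dn)


def routed(username, nas_ip):
    """Select one Autz/Auth pair per request from the NAS address."""
    for ip, autz, auth in RULES:
        if nas_ip == ip:
            dn = authorize(username, [autz])
            return dn, dn is not None and bind(auth, dn)
    return None, False  # no rule matched: equivalent of Auth-Type := Reject


if __name__ == "__main__":
    print("unrouted, bind to ldap2:", unrouted("username", "ldap2"))
    print("routed from 1.1.1.2:    ", routed("username", "1.1.1.2"))
    print("routed from unknown NAS:", routed("username", "9.9.9.9"))
```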

