Ok, very good. I'm gonna try this.
Thanks a lot.

Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA

> -----Original message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Dusty Doris
> Sent: Tuesday, 20 September 2005 16:12
> To: FreeRadius users mailing list
> Subject: Re: Multiple LDAPS
>
> > Hi,
> >
> > I was wondering if there's a way to look for users in different LDAP trees
> > and/or servers depending on the suffix (@something) in the login. If it's
> > possible could someone show me the config?
> > Thanks in advance.
>
> Sure. First you need to define two ldap configs in radiusd.conf.
> Instead of just having ldap {, you define ldap and then a name for each
> instance and include all the config entries under it.
>
> ldap ldap1 {
>     server
>     basedn
>     ...
> }
>
> ldap ldap2 {
>     ...
> }
>
> Then in the authorize section you do this.
>
> authorize {
>     Autz-Type ldap1 {
>         ldap1
>     }
>     Autz-Type ldap2 {
>         ldap2
>     }
> }
>
> Then in authenticate, you do
>
> authenticate {
>     Auth-Type ldap1 {
>         ldap1
>     }
>     Auth-Type ldap2 {
>         ldap2
>     }
> }
>
> Now, in the users file you can specify which to use based on the realm.
> Make sure you enable the suffix module to use suffix for realms.
>
> DEFAULT Realm == "somerealm.com", Autz-Type := ldap1, Auth-Type := ldap1
>
> DEFAULT Realm == "otherrealm.com", Autz-Type := ldap2, Auth-Type := ldap2
>
> DEFAULT Auth-Type := Reject
>
> The users file is parsed top to bottom. In this instance say a username
> comes over as [EMAIL PROTECTED]. It will match on the first line and
> will then use your settings in ldap1 for authorization and authentication.
> By default you will not fall-through to any other rules.
>
> A user comes in with [EMAIL PROTECTED], it will not match the first and
> will fall through to the second line. There it will match and use ldap2.
>
> A user comes in with [EMAIL PROTECTED], it will not match the first
> two and hit the last rule, which will reject the user. Of course you
> could do something else at this point and maybe make it hit a different
> type of authentication for other realms if you'd like.
>
> You can read more in doc/Autz-Type.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
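
The first-match routing described in the quoted reply, modelled in Python as an added example (not part of the original thread and not FreeRADIUS code). It parses the three users-file entries from the reply and shows that any realm not listed ends at the final reject entry; the function names, the sample usernames and the choice to split at the last "@" are assumptions made for illustration.

```python
import re

# The three users-file entries from the quoted reply, verbatim.
USERS_FILE = '''
DEFAULT Realm == "somerealm.com", Autz-Type := ldap1, Auth-Type := ldap1
DEFAULT Realm == "otherrealm.com", Autz-Type := ldap2, Auth-Type := ldap2
DEFAULT Auth-Type := Reject
'''

ITEM = re.compile(r'([\w-]+)\s*(==|:=)\s*"?([^",]+?)"?\s*(?:,|$)')

def parse_entries(text):
    """Split each entry into check items (==) and assignments (:=)."""
    entries = []
    for line in text.strip().splitlines():
        name, _, rest = line.partition(" ")
        checks, sets = {}, {}
        for attr, op, value in ITEM.findall(rest):
            (checks if op == "==" else sets)[attr] = value
        entries.append((name, checks, sets))
    return entries

def split_realm(username):
    """Assumed suffix behaviour: the realm is the text after the last '@'."""
    user, sep, realm = username.rpartition("@")
    return (user, realm) if sep else (username, None)

def route(username, entries):
    """Return the assignments of the first matching entry (no fall-through)."""
    _, realm = split_realm(username)
    request = {"Realm": realm}
    for _name, checks, sets in entries:
        if all(request.get(attr) == value for attr, value in checks.items()):
            return sets
    return {}

ENTRIES = parse_entries(USERS_FILE)

if __name__ == "__main__":
    # Constructed sample logins, not taken from the thread.
    for login in ("alice@somerealm.com", "bob@otherrealm.com",
                  "carol@unlisted.example", "dave"):
        print(login, "->", route(login, ENTRIES))
```

Moving or deleting the last entry in `USERS_FILE` changes the result for unlisted realms from an explicit `Reject` to an empty assignment set, which is why the reject entry has to stay at the bottom of the file.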

