[EMAIL PROTECTED] writes:

> i am running freeradius-1.0.2-5.5
> there are 3 ldap instances:
> ldap1,ldap2,ldap3.
>
> and authenticate them all after another in the authentication section like
> this:
>
> authenticate {
>     ldap1
>     ldap2
>     ldap3
> }
>
> same in authorize-section:
>
> authorize {
>     ldap1
>     ldap2
>     ldap3
> }
>
> now my problem is, that if the user x is authenticated at ldap2 for instance
> the authorization fails cause the user isn't found at ldap1 (freeradius
> doesn't seem to try authorizing on ldap2 or ldap3)
>
> what i need would be a solution how to realize the following needs:
>
> if authentication runs over ldap1 authorize on ldap1
> if authentication runs over ldap1 authorize on ldap2
> if authentication runs over ldap1 authorize on ldap3
>
> how can i do that?

I assume you meant

  if authentication runs over ldap1 authorize on ldap1
  if authentication runs over ldap2 authorize on ldap2
  if authentication runs over ldap3 authorize on ldap3

The authenticate processing should set Auth-Type to a unique value for
each instance. If you're using the default schema, then you can do that
by adding a radiusAuthType ldap attribute to each user.

Or maybe better: Use a default profile to set the appropriate
radiusAuthType for each ldap instance. E.g. add something like this
to the directories:

ldap1:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP1

ldap2:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP2

ldap3:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP3

And then in radiusd.conf:

  modules {
    ..
    ldap ldap1 {
      ..
      default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
      ..
    }
    ldap ldap2 {
      ..
      default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
      ..
    }
    ldap ldap3 {
      ..
      default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
      ..
    }
  }
  ..
  authorize {
    Auth-Type LDAP1 {
      ldap1
    }
    Auth-Type LDAP2 {
      ldap2
    }
    Auth-Type LDAP3 {
      ldap3
    }
  }

Note: This would be a lot easier with freeradius-1.1, where I believe
something like this would have been sufficient since rlm_ldap now sets
Auth-Type to the instance name by default:

  authorize {
    Auth-Type ldap1 {
      ldap1
    }
    Auth-Type ldap2 {
      ldap2
    }
    Auth-Type ldap3 {
      ldap3
    }
  }

Bjørn