Help with multiple LDAP servers

Wed, 02 Sep 2009 06:49:28 -0700 

Hi,
I know this has been discussed before on the list and there is documentation for this, but I have literally spent days on this and I cannot get the result that I am looking for. I am hoping someone can share a configuration with me that works. Basically, I am looking to have radius authenticate to two LDAP servers one after the other. It is not a true failover or load balance situation, as both servers need to be queried at the same time. Basically, I want the first LDAP server to be queried for a username/password, then if the user is not found, try the second one. I did not extend the schema on either LDAP server, and I do not really want to do that if at all possible, since I am just using freeradius for authentication. One a side note, if I just use one LDAP server in the configuration, it works fine. I can authenticate to both LDAP servers if I only list one. What seems to happen with this configuration is that it only trys the first LDAP server, and if the user does not exist, it quits right there and does not try the second (ad_ldap). Any help would be greatly appreciated. I am running the following version of freeradius: 

radiusd -v:
radiusd: FreeRADIUS Version 1.1.3

rpm -qa | grep freeradius:
freeradius-1.1.3-1.2.el5

Here are the relevant parts of my config:

$sysconfdir/raddb/radiusd.conf:

modules {
        ldap rhds_ldap {
                server = "xxx.xxx.com"
                identity = "cn=ciscoap,ou=System,dc=xx,dc=xx,dc=xx"
                password = "xxxx"
                basedn = "dc=xx,dc=xx,dc=xx"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                base_filter = "(objectclass=DUser)"
                start_tls = no
                access_attr = "uid"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

        ldap ad_ldap {
                server = "yyy.yyy.com"
                identity = "CN=CiscoAP,CN=Users,DC=yy,DC=yy"
                password = "yyyy"
                basedn = "dc=yy,dc=yy"

                filter =  
"(samAccountName=%{Stripped-User-Name:-%{User-Name}})"

                base_filter = "(objectclass=person)"
                start_tls = no
                access_attr = "samAccountName"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}

authorize {
        redundant {

        rhds_ldap
        rhds_ldap
        notfound = reject
        }
}

authenticate {
        Auth-Type LDAP {
                rhds_ldap
                ad_ldap
        }
}


$sysconfdir/raddb/users: (added)


DEFAULT         Auth-Type := LDAP
                Fall-Through = Yes

$sysconfdir/raddb/ldap.attrmap:  (added)

checkItem       User-Password                   userPassword










-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






















					Reply via email to