On May 4, 2012, at 3:58 PM, Tobias Hachmer wrote:

> On 04.05.2012 21:05, jeff donovan wrote:
>> Found Auth-Type = LDAP
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group LDAP {...}
>> [ldap1] login attempt by "drfoo" with password "XxXxXxX"
>> [ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
>>  [ldap1] (re)connect to ldap1.example.com:389, authentication 1
>>  [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX
>> to ldap1.example.com:389
>>  [ldap1] waiting for bind result ...
>>  [ldap1] Bind failed with invalid credentials
>> ++[ldap1] returns reject
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group REJECT {...}
> 
> OK, so what happened here? The ldap bind has failed! That's not a failure 
> message saying that the user you want to authenticate has wrong credentials.
> Be sure you configured the ldap modules correctly or send the whole radiusd 
> -X debug output.

Greetings,
sorry, I snipped the bottom off; I didn't think it relevant since nothing happened 
after it tried to auth on ldap1.

Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> drfoo
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 158 to 10.135.1.15 port 65478
Waking up in 4.9 seconds.
Cleaning up request 2 ID 158 with timestamp +22
Ready to process requests.

and that is correct. The user does not exist on LDAP1; his records are on 
LDAP2, which it finds, but it tries to auth against ldap1 (which will fail). I 
need it to step to ldap2.

I thought the result code was "reject", so under authentication: if the result of 
ldap1 = reject, try ldap2.

Auth-Type LDAP {
        ldap1
        if (reject) {
                ldap2
        }
}
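As an added example (not part of this thread, and not advice from the list), one way to get the fall-through that is being asked for is to decide in the authorize section which directory actually holds the account, and only bind against that one in authenticate. That avoids binding the user's password against a server that does not know the user, which is what produces the "Bind failed with invalid credentials" line above and makes a missing account look like a wrong-password attempt in the debug log. The example assumes a FreeRADIUS 2.x server (matching the sites-enabled/default paths in the output), two rlm_ldap instances already defined under the names ldap1 and ldap2, and that each instance's search only returns entries from its own directory; the Auth-Type names LDAP1 and LDAP2 are chosen here for illustration.

```unlang
# Added example (not from the thread). Assumes rlm_ldap instances "ldap1" and
# "ldap2" are configured in modules/, and that this lives in
# sites-enabled/default.

authorize {
        preprocess

        # Look the user up on ldap1 first. rlm_ldap returns "notfound" when
        # its search matches no entry, and unlang keeps going after notfound,
        # so we can then try ldap2. Whichever instance finds the account
        # selects the Auth-Type, and therefore the server we bind to later.
        ldap1
        if (notfound) {
                ldap2
                update control {
                        Auth-Type := LDAP2
                }
        }
        else {
                update control {
                        Auth-Type := LDAP1
                }
        }
}

authenticate {
        # Bind only against the directory that holds the account. If the
        # account is on neither server, ldap2 rejects here with "user not
        # found" rather than a misleading bind failure on ldap1.
        Auth-Type LDAP1 {
                ldap1
        }
        Auth-Type LDAP2 {
                ldap2
        }
}
```

One caveat when checking this against the debug output above: the DN returned by ldap1 (uid=drfoo,cn=users,dc=ldap2,dc=example.com) suggests that ldap1's search can already see ldap2's entries, so ldap1 would return the user as found and the notfound branch would never run. For the fall-through to work, each instance's basedn (and server) must be scoped so that a search on ldap1 only finds ldap1's own accounts; verify that with a full radiusd -X run before relying on the selection.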


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
