Wedel Blake wrote:
> ... What I want to do is set up ldap to authenticate against our Windows 2010 
> server where the computers are a part of the domain.

  AD isn't really an LDAP server.  You'll probably need to run Samba.  See:

http://deployingradius.com/documents/configuration/active_directory.html

>    I would like for it to query mysql first and then query ldap if it didn't 
> find the computer in mysql.

authorize {
        ...
        sql
        if (notfound) {
                ldap
        }
        ...
}

  Should work for PAP requests.  (User-Name / User-Password)

> If I remove ldap from the defaults file I get an Access-Accept reply as 
> expected.  It's just that if there is anything after sql in the defaults file 
> then it will continue on to try and authenticate against another module.

  Use the configuration I posted above.  It should help.

> Below you can see a simple query with 'blake' being sent as both the 
> user-name and password.  It queries the db and finds it (as expected).  
> However it continues to go to ldap and tries to find it to which I get an 
> error. 

  Read raddb/modules/ldap.  Look for "operations error"

> I understand that I don't have ldap working properly right now.  However, 
> first I just want to get the logic set up to where after finding a name in 
> mysql it will stop and reply back with an Access-Accept and not query ldap.  
> Is there a setting you have to put in a conf file?

  It's a policy you write.  There is no "setting" to do if/then/else
programming.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html