Re: Multiple LDAP (Not failover) lookup...
Thanks Alan. I figured it out. It should be

    ldap2 {
        notfound = reject
    }

as ldap2 is returning a notfound status. Thanks so much again.

--- Alan DeKok [EMAIL PROTECTED] wrote:

> Eric Martell [EMAIL PROTECTED] wrote:
> > Thanks so much Neal. You got it 95% right. The problem is FreeRadius
> > always authorizes first (no matter what the order in radiusd.conf) and
> > then authenticates.
>
> Yes, that's how the server works.
>
> > (This authorize should break the sequence and return FAIL. I tried
> > ldap2 { fail = return } but no help... still returns notfound.)
>
> See doc/configurable_failover. You may want:
>
>     ...
>     ldap2 {
>         fail = reject
>     }
>     ...
>
> > Technically it should authenticate and then authorize and send the
> > group response (AND) of both.
>
> Then... configure it to do that. The default behavior is that a
> notfound error is NOT fatal, because another module or database may
> find the user.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
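The configuration the thread converges on, written out as an added example (this is not config from any of the posters): two rlm_ldap instances in the radiusd.conf layout the thread refers to, with ldap2 consulted in authorize and its notfound return code overridden so a user absent from ldap2 is rejected before the bind against ldap1 ever runs. The hostnames, base DNs, filter and the productCode attribute are assumed placeholders.

```unlang
# Added example, not from the thread. Assumes the FreeRADIUS 1.x/2.x
# radiusd.conf layout the posters refer to; hostnames, DNs and the
# productCode attribute are placeholders.

modules {
    # Authentication directory: users bind here.
    ldap ldap1 {
        server = "ldap1.example.org"                     # placeholder
        basedn = "ou=people,dc=example,dc=org"           # placeholder
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }

    # Entitlement directory: only users with an entry (and the
    # productCode attribute mapped via ldap.attrmap) should get service.
    ldap ldap2 {
        server = "ldap2.example.org"                     # placeholder
        basedn = "ou=subscribers,dc=example,dc=org"      # placeholder
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
}

authorize {
    preprocess

    # What the original poster saw with a bare "ldap2" here: the module
    # returns notfound for an unknown user, notfound is not fatal in
    # authorize, the request proceeds to authenticate and is accepted on
    # ldap1 alone.
    #
    #   ldap2
    #
    # Fix from the thread (doc/configurable_failover): override the
    # return codes so that a user missing from ldap2, or ldap2 being
    # unreachable, rejects the request instead of falling through.
    ldap2 {
        notfound = reject
        fail     = reject
    }

    # ldap1 in authorize lets rlm_ldap set Auth-Type = LDAP for users
    # it can see, so the bind below is actually run for them.
    ldap1
}

authenticate {
    # Bind-as-user against the authentication directory only.
    Auth-Type LDAP {
        ldap1
    }
}
```

Run the server with `radiusd -X` and send a request for a user that exists in ldap1 but not ldap2: the debug output should now show ldap2 returning notfound followed by the authorize section returning reject and an Access-Reject, rather than continuing into authenticate. The `fail = reject` line is Alan's suggestion from the thread and makes an outage of ldap2 fail closed; drop it if ldap2 being unreachable should not lock everyone out.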
RE: Multiple LDAP (Not failover) lookup...
> If(authentication in ldap1 success) {

Use ldap1 in the authenticate stage of radiusd.conf

>     if(productCode attribute exists in ldap2 success) {

Use ldap2 in the authorize stage of radiusd.conf

Authorize is performed first in FreeRadius (you show authenticate first), but it shouldn't matter for what you're trying to do. Configure ldap.attrmap to obtain the productCode attribute.
RE: Multiple LDAP (Not failover) lookup...
Thanks so much Neal. You got it 95% right. The problem is FreeRadius always authorizes first (no matter what the order in radiusd.conf) and then authenticates.

    authorize {
        . . .
        ldap2
    }
    authenticate {
        . . .
        ldap1
    }

So if the user fails in ldap2, module ldap2 returns notfound for request user xyz and thus continues to the authentication module. (This authorize should break the sequence and return FAIL. I tried ldap2 { fail = return } but no help... still returns notfound.) And the same user in ldap1 returns ok for request user xyz in authentication. Finally FreeRadius returns Sending Access-Accept (status of ldap1 auth) to the request.

Technically it should authenticate and then authorize and send the group response (AND) of both.

Please let me know. Thanks in advance.

--- Garber, Neal [EMAIL PROTECTED] wrote:

> > If(authentication in ldap1 success) {
>
> Use ldap1 in the authenticate stage of radiusd.conf
>
> >     if(productCode attribute exists in ldap2 success) {
>
> Use ldap2 in the authorize stage of radiusd.conf
>
> Authorize is performed first in FreeRadius (you show authenticate
> first), but it shouldn't matter for what you're trying to do.
> Configure ldap.attrmap to obtain the productCode attribute.
Re: Multiple LDAP (Not failover) lookup...
Eric Martell [EMAIL PROTECTED] wrote:
> Thanks so much Neal. You got it 95% right. The problem is FreeRadius
> always authorizes first (no matter what the order in radiusd.conf) and
> then authenticates.

Yes, that's how the server works.

> (This authorize should break the sequence and return FAIL. I tried
> ldap2 { fail = return } but no help... still returns notfound.)

See doc/configurable_failover. You may want:

    ...
    ldap2 {
        fail = reject
    }
    ...

> Technically it should authenticate and then authorize and send the
> group response (AND) of both.

Then... configure it to do that. The default behavior is that a notfound error is NOT fatal, because another module or database may find the user.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog