Re: Multiple LDAP (Not failover) lookup...
Thanks Alan. I figured it out. It should be:

    ldap2 {
        notfound = reject
    }

as ldap2 is returning a notfound status. Thanks so much again.

--- Alan DeKok [EMAIL PROTECTED] wrote:

> Eric Martell [EMAIL PROTECTED] wrote:
> > Thanks so much Neal. You got it 95% right. The problem is FreeRADIUS always authorizes first (no matter what the order in radiusd.conf) and then authenticates.
>
> Yes, that's how the server works.
>
> > (This authorize should break the sequence and return FAIL. I tried ldap2 { fail = return } but no help... still returns notfound.)
>
> See doc/configurable_failover. You may want:
>
>     ...
>     ldap2 {
>         fail = reject
>     }
>     ...
>
> > Technically it should authenticate and then authorize and send the group response (AND) of both.
>
> Then... configure it to do that. The default behavior is that a notfound error is NOT fatal, because another module or database may find the user.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multiple LDAP (Not failover) lookup...
Hi... I need to do multiple LDAP lookups (2). The purpose of the two LDAPs is different, so it does not quite fit the configurable_failover scenario.

ldap1. This LDAP is solely used for authentication of the given user.
ldap2. This LDAP is solely used for checking an LDAP attribute, e.g. productCode, for the given user.

The user exists in BOTH LDAPs, but in ldap2 we don't store the password hash, so it's just the userid with the given attributes. Here is what should happen for a given user:

    if (authentication in ldap1 success) {
        if (productCode attribute exists in ldap2 success) {
            return Access-Accept;
        } else {
            return Access-Reject;
        }
    } else {
        return Access-Reject;
    }

Any inputs will be greatly appreciated. Thanks in advance.
RE: Multiple LDAP (Not failover) lookup...
> If(authentication in ldap1 success) {

Use ldap1 in the authenticate stage of radiusd.conf.

> if(productCode attribute exists in ldap2 success) {

Use ldap2 in the authorize stage of radiusd.conf. Authorize is performed first in FreeRADIUS (you show authenticate first), but it shouldn't matter for what you're trying to do. Configure ldap.attrmap to obtain the productCode attribute.
RE: Multiple LDAP (Not failover) lookup...
Thanks so much Neal. You got it 95% right. The problem is FreeRADIUS always authorizes first (no matter what the order in radiusd.conf) and then authenticates.

    authorize {
        . . .
        ldap2
    }
    authenticate {
        . . .
        ldap1
    }

So if the user fails in ldap2, module ldap2 returns notfound for request user xyz and thus continues to the authentication module. (This authorize should break the sequence and return FAIL. I tried ldap2 { fail = return } but no help... still returns notfound.) And the same user in ldap1 returns ok for request user xyz in authentication. Finally FreeRADIUS returns "Sending Access-Accept" (status of ldap1 auth) to the request. Technically it should authenticate and then authorize and send the group response (AND) of both. Please let me know. Thanks in advance.

--- Garber, Neal [EMAIL PROTECTED] wrote:

> > If(authentication in ldap1 success) {
>
> Use ldap1 in the authenticate stage of radiusd.conf.
>
> > if(productCode attribute exists in ldap2 success) {
>
> Use ldap2 in the authorize stage of radiusd.conf. Authorize is performed first in FreeRADIUS (you show authenticate first), but it shouldn't matter for what you're trying to do. Configure ldap.attrmap to obtain the productCode attribute.
Re: Multiple LDAP (Not failover) lookup...
Eric Martell [EMAIL PROTECTED] wrote:
> Thanks so much Neal. You got it 95% right. The problem is FreeRADIUS always authorizes first (no matter what the order in radiusd.conf) and then authenticates.

Yes, that's how the server works.

> (This authorize should break the sequence and return FAIL. I tried ldap2 { fail = return } but no help... still returns notfound.)

See doc/configurable_failover. You may want:

    ...
    ldap2 {
        fail = reject
    }
    ...

> Technically it should authenticate and then authorize and send the group response (AND) of both.

Then... configure it to do that. The default behavior is that a notfound error is NOT fatal, because another module or database may find the user.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
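Why `ldap2 { fail = return }` changed nothing while `notfound = reject` does follows from the per-module action rules in doc/configurable_failover; the following is an added Python model of those rules, not FreeRADIUS code and not from anyone in the thread. The default action tables, the run_section/decide/outcome helpers and the final accept/reject mapping are my assumptions, modelled on the 1.x authorize/authenticate defaults.

```python
"""Toy model of FreeRADIUS per-module action overrides (doc/configurable_failover).
Constructed illustration, not FreeRADIUS code. The default action tables below are
an assumption modelled on the 1.x defaults; check the doc shipped with your version."""
from typing import Callable, Dict, List, Tuple, Union

Action = Union[int, str]      # a priority number, "return", or another code name
Module = Tuple[str, Callable[[], str], Dict[str, Action]]
# A number means "remember this code at this priority and keep going";
# "return" means "stop here, the section's result is this code".
AUTHORIZE_DEFAULTS: Dict[str, Action] = {
    "reject": "return", "fail": "return", "ok": 3, "handled": "return",
    "invalid": "return", "userlock": "return", "notfound": 1, "noop": 2, "updated": 4,
}
AUTHENTICATE_DEFAULTS: Dict[str, Action] = {
    "reject": "return", "fail": 1, "ok": "return", "handled": "return",
    "invalid": 1, "userlock": "return", "notfound": "return", "noop": 1, "updated": 1,
}

def run_section(modules: List[Module], defaults: Dict[str, Action]) -> str:
    """Run the modules in order, applying defaults plus per-module overrides."""
    result, priority = "noop", 0
    for _name, call, overrides in modules:
        code = call()
        action = {**defaults, **overrides}[code]
        if action == "return":
            return code
        if isinstance(action, str):     # e.g. notfound = reject: translate, then stop
            return action
        if action > priority:           # numeric: higher priority wins, keep going
            result, priority = code, action
    return result

def decide(authorize: List[Module], authenticate: List[Module]) -> str:
    """authorize always runs before authenticate; reply mapping is simplified."""
    if run_section(authorize, AUTHORIZE_DEFAULTS) in ("reject", "fail", "invalid", "userlock"):
        return "Access-Reject"
    return "Access-Accept" if run_section(authenticate, AUTHENTICATE_DEFAULTS) == "ok" else "Access-Reject"

# The thread's setup: ldap1 authenticates the user (ok); ldap2 has no productCode
# entry for this user, so in authorize it returns notfound.
LDAP1: Module = ("ldap1", lambda: "ok", {})

def outcome(ldap2_overrides: Dict[str, Action], ldap2_code: str = "notfound") -> str:
    ldap2: Module = ("ldap2", lambda: ldap2_code, ldap2_overrides)
    return decide([ldap2], [LDAP1])

if __name__ == "__main__":
    print(outcome({}))                            # Access-Accept: notfound is not fatal
    print(outcome({"fail": "return"}))            # Access-Accept: ldap2 said notfound, not fail
    print(outcome({"notfound": "reject"}))        # Access-Reject: the fix from the thread
    print(outcome({"notfound": "reject"}, "ok"))  # Access-Accept: productCode present
```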