
Re: Two LDAP-Servers



Old 04-18-2005
Dustin Doris
 


> Hello,
>
> I tried to implement freeradius 0.8 with two LDAP servers for authentication.
> I want freeradius to check the one LDAP server first; if the user is not found, the other server should be asked.
>
> But the second server will only be used by the radius-server if the first server is unreachable. If the user is not found in server ldap1, freeradius says:
>
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> modcall[authenticate]: module "ldap1" returns notfound
> modcall: group authtype returns notfound
> auth: Failed to validate the user.
>
>
> Can anyone help me?
>
> Best regards
>
> chris
>
>
>


I have it working with 1.0.1; perhaps you need to upgrade? Below I have listed
a few differences in our configs.


> _____________________________________________
>
>
> ldapconfig in "radiusd.conf":
> ldap ldap1 {
>     server = "sldap1.mydomain.de"
>     identity = "cn=user,o=level1"
>     password = ""
>     basedn = "o=level1"
>     filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>     start_tls = no
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
>     password_attribute = userPassword
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>     notfound = 1


** I don't believe notfound = 1 belongs here. Might be harmless, but I
don't think putting this here will do anything.

> }
>
>
> ldapconfig in radiusd.conf:
> ldap ldap2 {
>     server = "sldap2.mydomain.de"
>     identity = "cn=user,o=level1"
>     password = ""
>     basedn = "o=level2"
>     filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>     start_tls = no
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
>     password_attribute = userPassword
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>     notfound = 1
> }
>
>
> authorize {
>     preprocess
>     chap
>     mschap
>     suffix
>     files
>     autztype LDAP {
>         redundant {
>             ldap1
>             ldap2
>             notfound = 1
>         }
>     }
> }
>


Mine looks like this.

authorize {
    preprocess
    auth_log
    suffix
    files
    redundant {
        ldap1
        ldap2
        notfound = return
    }
}



>
>
> authenticate {
>     authtype PAP {
>         pap
>     }
>     authtype CHAP {
>         chap
>     }
>     authtype MS-CHAP {
>         mschap
>     }
>     unix
>
>     authtype LDAP {
>         ldap1
>         ldap2
>     }
> }


Mine looks like this (I only use ldap), but perhaps it is the authtype vs
Auth-Type.

authenticate {
    Auth-Type LDAP {
        ldap1
        ldap2
    }
}



> preacct {
>     preprocess
>     suffix
>     files
> }
>
>
> file "user" contains:
> DEFAULT Auth-Type := LDAP
>         Fall-Through = 1


You shouldn't need to set this here. Freeradius should figure it out.

>
> DEFAULT Service-Type == Framed-User
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> DEFAULT Framed-Protocol == PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "CSLIP"
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "SLIP"
>         Framed-Protocol = SLIP
>
>




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
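The thread turns on how modcall combines the return codes of ldap1 and ldap2 inside a redundant block: in the quoted log ldap1 returns notfound and the section returns notfound without ever asking ldap2. The following toy model is an added example, not code from this thread or from FreeRADIUS. The action tables in it are my reading of the 1.x defaults (in a redundant block only "fail" lets the next module run; in authenticate, "notfound" returns) and should be checked against the version you run; the two directories, the user names and passwords, and the radius_auth wrapper are constructed for the example. It shows the original behaviour, what "notfound = 1" changes, and that a reject from ldap1 still does not fall through to ldap2.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple, Union

# rlm_* return codes a FreeRADIUS module can hand back to modcall
REJECT, FAIL, OK, HANDLED, INVALID, USERLOCK, NOTFOUND, NOOP, UPDATED = (
    "reject", "fail", "ok", "handled", "invalid", "userlock",
    "notfound", "noop", "updated")
ALL_CODES = (REJECT, FAIL, OK, HANDLED, INVALID, USERLOCK, NOTFOUND, NOOP, UPDATED)
RETURN = "return"
Action = Union[str, int]  # RETURN, or an integer priority: remember the code and continue


def _table(**keep_going: int) -> Dict[str, Action]:
    """Action table where every code returns unless given a priority here."""
    table: Dict[str, Action] = {code: RETURN for code in ALL_CODES}
    table.update(keep_going)
    return table


# ASSUMPTION: my reading of the 1.x defaults. In a redundant block only a
# failed module lets the next one run; "notfound" returns. In authenticate,
# "notfound" returns whether the block is a plain group or redundant.
DEFAULT_ACTIONS: Dict[Tuple[str, str], Dict[str, Action]] = {
    ("authorize", "group"): _table(ok=3, notfound=1, noop=2, updated=4),
    ("authorize", "redundant"): _table(fail=1),
    ("authenticate", "group"): _table(fail=1, invalid=1, noop=1),
    ("authenticate", "redundant"): _table(fail=1),
}
EMPTY_RESULT = {"authorize": NOOP, "authenticate": REJECT}  # assumed result of an empty section


@dataclass
class Section:
    component: str   # "authorize" or "authenticate"
    kind: str        # "group" or "redundant"
    children: List[Tuple[str, Callable[[dict], str]]]   # (instance name, handler)
    overrides: Dict[str, Action] = field(default_factory=dict)  # e.g. {NOTFOUND: 1}

    def run(self, request: dict, trace: List[str]) -> str:
        actions = dict(DEFAULT_ACTIONS[(self.component, self.kind)])
        actions.update(self.overrides)
        result, priority = EMPTY_RESULT[self.component], -1
        for name, handler in self.children:
            code = handler(request)
            trace.append(f'modcall[{self.component}]: module "{name}" returns {code}')
            action = actions[code]
            if action == RETURN:
                return code
            if action >= priority:   # remember the highest-priority code seen so far
                result, priority = code, action
        return result


@dataclass
class FakeLdap:
    """Stand-in for one rlm_ldap instance: a tiny uid -> userPassword map."""
    name: str
    users: Dict[str, str]
    reachable: bool = True

    def authorize(self, request: dict) -> str:
        if not self.reachable:
            return FAIL
        return OK if request["User-Name"] in self.users else NOTFOUND

    def authenticate(self, request: dict) -> str:
        if not self.reachable:
            return FAIL
        stored = self.users.get(request["User-Name"])
        if stored is None:
            return NOTFOUND
        return OK if stored == request["User-Password"] else REJECT


def radius_auth(user: str, password: str, notfound_action: Optional[Action] = None,
                ldap1_reachable: bool = True) -> Tuple[str, List[str]]:
    """Run authorize + authenticate the way the thread's config wires them.
    notfound_action=None keeps the redundant defaults; 1 models "notfound = 1"."""
    ldap1 = FakeLdap("ldap1", {"alice": "s3cret"}, reachable=ldap1_reachable)  # constructed
    ldap2 = FakeLdap("ldap2", {"bob": "hunter2"})                               # constructed
    overrides = {} if notfound_action is None else {NOTFOUND: notfound_action}
    request = {"User-Name": user, "User-Password": password}
    trace: List[str] = []
    # authorize { ... redundant { ldap1 ldap2 [notfound = 1] } }
    authz = Section("authorize", "redundant",
                    [("ldap1", ldap1.authorize), ("ldap2", ldap2.authorize)], overrides)
    if authz.run(request, trace) not in (OK, UPDATED, NOOP, NOTFOUND):
        return "Access-Reject", trace     # reject/fail/invalid/userlock stop here
    # users: DEFAULT Auth-Type := LDAP, so authenticate always runs the LDAP block
    authn = Section("authenticate", "redundant",
                    [("ldap1", ldap1.authenticate), ("ldap2", ldap2.authenticate)], overrides)
    if authn.run(request, trace) == OK:
        return "Access-Accept", trace
    trace.append("auth: Failed to validate the user.")
    return "Access-Reject", trace
```

Calling radius_auth("bob", "hunter2") reproduces the quoted log: ldap1 returns notfound in authenticate, the block returns at once, and bob (who only exists in ldap2) is rejected. With notfound_action=1 the notfound is remembered and ldap2 is consulted, so bob is accepted. The check worth keeping in mind when you loosen a redundant block this way is that only notfound should continue: in the model, alice with a wrong password gets a reject from ldap1 and ldap2 is never asked, which is what you want, because letting reject fall through would let a user locked or disabled in one directory authenticate against a stale copy in the other.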