hello,

thanks to all responders!

i solved the prob now ;-)

there was a line missing which says that notfound is NOT a return:

        authtype LDAP {
         redundant {
                ldap1 {
                 notfound = 1  <--- this was missing!
                }
                ldap2
                handled
         }
        }

Bye chris


>>> [EMAIL PROTECTED] 18.04.2005 15:13:21 >>>

> Hello,
>
> i tried to implement freeradius 0.8 with two ldapservers for authentication.
> i want freeradius to check the one ldap-server first, if user not found, the 
> other server should be asked.
>
> But the second server will only be used by the radius-server, if the first 
> server is unreachable. If user is not found in server ldap1 freeradius says:
>
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
>   modcall[authenticate]: module "ldap1" returns notfound
> modcall: group authtype returns notfound
> auth: Failed to validate the user.
>
>
> Can anyone help me?
>
> Best regards
>
> chris
>
>
>

I have it working with 1.0.1, perhaps you need to upgrade?  Below I listed
a few differences in our configs.


> _____________________________________________
>
>
> ldapconfig in "radiusd.conf":
>         ldap    ldap1 {
>                 server = "sldap1.mydomain.de"
>                         identity = "cn=user,o=level1"
>                         password = ""
>                         basedn = "o=level1"
>                         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                         start_tls = no
>                         dictionary_mapping = ${raddbdir}/ldap.attrmap
>                         ldap_connections_number = 5
>                         password_attribute = userPassword
>                         timeout = 4
>                         timelimit = 3
>                         net_timeout = 1
>                 notfound = 1

** I don't believe notfound = 1 belongs here.  Might be harmless, but I
don't think putting this here will do anything.

>         }
>
>
> ldapconfig in radiusd.conf:
>         ldap    ldap2 {
>                 server = "sldap2.mydomain.de"
>                         identity = "cn=user,o=level1"
>                         password = ""
>                         basedn = "o=level2"
>                         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                         start_tls = no
>                         dictionary_mapping = ${raddbdir}/ldap.attrmap
>                         ldap_connections_number = 5
>                         password_attribute = userPassword
>                         timeout = 4
>                         timelimit = 3
>                         net_timeout = 1
>                 notfound = 1
>         }
>
>
> authorize {
>         preprocess
>                 chap
>                 mschap
>                 suffix
>                 files
>                 autztype LDAP {
>                         redundant {
>                         ldap1
>                         ldap2
>                         notfound = 1
>                 }
>         }
> }
>

Mine looks like this.

authorize {
        preprocess
        auth_log
        suffix
        files
        redundant {
          ldap1
          ldap2
          notfound = return
        }
}



>
>
> authenticate {
>         authtype PAP {
>                 pap
>         }
>         authtype CHAP {
>                 chap
>         }
>         authtype MS-CHAP {
>                 mschap
>         }
>         unix
>
>         authtype LDAP {
>                 ldap1
>                 ldap2
>         }
> }

Mine looks like this (I only use ldap, but perhaps it is the authtype vs
Auth-Type).

authenticate {
        Auth-Type LDAP {
                ldap1
                ldap2
        }
}



> preacct {
>         preprocess
>         suffix
>         files
> }
>
>
> file "user" contains:
> DEFAULT Auth-Type := LDAP
>         Fall-Through = 1

You shouldn't need to set this here.  Freeradius should figure it out.

>
> DEFAULT Service-Type == Framed-User
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
> DEFAULT Framed-Protocol == PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
> DEFAULT Hint == "CSLIP"
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
> DEFAULT Hint == "SLIP"
>         Framed-Protocol = SLIP
>
>



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
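
Added example, not part of the original mails and not FreeRADIUS code: a simplified Python model of how a `redundant` block combines its modules' return codes, assuming (consistent with the log quoted above) that by default only `fail` lets the next module run. It shows why `notfound = 1` on `ldap1` gets `ldap2` queried, and that a user missing from both servers still ends in `notfound`. The function name, the defaults table and the scenarios are constructed for illustration.

```python
# Simplified model (an assumption, not FreeRADIUS source) of how a
# "redundant" group turns its children's return codes into one result.
RETURN = "return"  # action: stop processing the group immediately

# Assumed defaults inside "redundant": only "fail" lets the next child run.
REDUNDANT_DEFAULTS = {
    "fail": 1, "notfound": RETURN, "ok": RETURN, "reject": RETURN,
    "handled": RETURN, "invalid": RETURN, "userlock": RETURN,
    "noop": RETURN, "updated": RETURN,
}


def run_redundant(children, default_result="fail"):
    """children: list of (module_name, return_code, action_overrides).

    Returns (group_result, names_of_modules_called).
    """
    result, priority, called = default_result, 0, []
    for name, code, overrides in children:
        called.append(name)
        action = {**REDUNDANT_DEFAULTS, **overrides}[code]
        if action == RETURN:
            return code, called           # group ends here with this code
        if action >= priority:            # numeric action: remember, go on
            result, priority = code, action
    return result, called


# Constructed scenarios: the user exists only on ldap2.
before = run_redundant([("ldap1", "notfound", {}), ("ldap2", "ok", {})])
after = run_redundant(
    [("ldap1", "notfound", {"notfound": 1}), ("ldap2", "ok", {})])
# ldap1 unreachable: failover already worked without the override.
outage = run_redundant([("ldap1", "fail", {}), ("ldap2", "ok", {})])
# Unknown on both servers: the override does not turn this into a success.
missing = run_redundant(
    [("ldap1", "notfound", {"notfound": 1}), ("ldap2", "notfound", {})])

if __name__ == "__main__":
    for label, outcome in [("before", before), ("after", after),
                           ("outage", outage), ("missing", missing)]:
        print(label, outcome)
```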