Markus Krause wrote: > modules { > ... > ldap LdapUser1 { > .... ldapserv1 > } > > ldap LdapUser2 { > .... ldapserv2 > } > ... > } > > authorize { > ... > Autz-Type LdapUser { > redundant { > LdapUser1 > LdapUser2 > } > } > ... > } > > authenticate { > ... > Auth-Type LdapUser { > redundant { > LdapUser1 > LdapUser2 > } > } > ... > }
You should be able to replace this last bit with: authenticate { Auth-Type LdapUser1 { LdapUser1 } Auth-Type LdapUser2 { LdapUser2 } } ...and set the "set_auth_type = yes" on each LDAP module. The general idea is that MODULES should set Auth-Type (to themselves) indicating that they will handle the authenticate phase. Note that the above is still redundant - if the ldap module answered during the authorize phase, there's clearly only a miniscule chance it will have failed by the time authenticate runs. And in fact, if ldap1 succeeds during authorize but fails during authenticate, arguably passing it to ldap2 is an error - example, the user might have just changed their password so ldap1 fails, but ldap2 is still replicating so thinks the old password is valid. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html