Rob VanDusen wrote:
Yes Phil, that is the unfortunate configuration I have inherited with
the job. This is a school district, they really want to keep each
school building as its own top-level O. I work in the ESB building,

Ok.

so that was the baseDN I used for testing. I'd rather not have to run
6 different radius boxes, but I can't seem to figure out how to make
the multiple ldap modules work. I found a few how-to's on the web,
but they are for the 1.x version and they don't seem to work with the
2.x version.

Multiple LDAP modules should work; as per the FAQ entry I linked to, "it's not working" is not very specific. Could you show us what you tried and the output from "radiusd -X" when it fails?

You would want something like this:

modules {
  ldap ldap_esb {
    basedn = "o=esb"
  }
  ldap ldap_sps {
   ..
  }
  ...etc
}
instantiate {
  redundant all_ldap {
    ldap_esb
    ldap_sps
    ...etc
  }
}
server {
  authorize {
    preprocess
    all_ldap
  }
  authenticate {
    # stuff here depends on auth method
  }
}

How are you *authenticating* the users once they're found in LDAP - do the LDAP servers return plaintext passwords / password hashes to FreeRADIUS and FreeRADIUS does the authentication, or does FreeRADIUS need to do an LDAP "simple bind" against the LDAP server (which will only work for PAP requests)?

If the former (LDAP servers give passwords/hashes to FR) then each ldap module should say:

modules {
  ldap ldap_xxx {
    set_auth_type = no
  }
}

...and you should have something like:

server {
  authorize {
    preprocess
    all_ldap
    chap
    mschap
    pap
  }
  authenticate {
    Auth-Type PAP {
      pap
    }
    Auth-Type CHAP {
      chap
    }
    Auth-Type MS-CHAP {
      mschap
    }
  }
}

If the latter, i.e. LDAP simple bind, you will need:

modules {
  ldap ldap_xxx {
    set_auth_type = yes
  }
}

...and you should have something like:

server {
  authorize {
    preprocess
    all_ldap
  }
  authenticate {
    Auth-Type ldap_esb {
      ldap_esb
    }
    Auth-Type ldap_xxx {
      ldap_xxx
    }
    ...etc
  }
}

Obviously the configs above are "sample"; for this setup (which is not so common) you may need to play a bit. In particular, the above configs omit several of the standard modules e.g. eap, files, etc. Don't use them "as-is".

The standard advice applies:

 1. start with the default config
 2. make small changes
 3. test after each change
 4. store each working config in a version control repo (e.g. svn) so if you break it you can compare and go back

Finally, I am making the assumption the usernames are unique across the entire LDAP tree i.e. there are no duplicates:

cn=jdoe,o=esb
cn=jdoe,o=sps

...if there are, it's going to be very tricky
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
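The reply's closing assumption (no username present under more than one top-level O) is worth checking before relying on the redundant ldap group. The script below is an added example, not from the list post or from FreeRADIUS; it parses plain LDIF of the kind `ldapsearch -LLL -b o=esb '(cn=*)' cn` would print for each O (the entries here are constructed sample data) and reports every cn that appears under more than one O.

```python
from collections import defaultdict

# Constructed sample LDIF covering three of the district's top-level O's
# (concatenated output of one ldapsearch per base DN). Not real data.
SAMPLE_LDIF = """\
dn: cn=jdoe,o=esb
cn: jdoe

dn: cn=asmith,o=esb
cn: asmith

dn: cn=jdoe,o=sps
cn: jdoe

dn: cn=bjones,o=sps
cn: bjones

dn: cn=asmith,o=hs
cn: asmith
"""

def parse_ldif_entries(text):
    """Return a list of {attr: [values]} dicts, one per blank-line-separated
    LDIF entry. Minimal parser: 'attr: value' lines only; no continuation
    lines, no base64 ('::') values, comments skipped."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def base_of(dn):
    """Return the last RDN of a DN, i.e. the school's top-level 'o=...'."""
    return dn.rsplit(",", 1)[-1].strip().lower()

def find_duplicate_usernames(ldif_text, attr="cn"):
    """Map each username to the O's it lives under and return only those
    found under more than one O (the case the reply calls 'very tricky')."""
    seen = defaultdict(set)
    for entry in parse_ldif_entries(ldif_text):
        dn = entry.get("dn", [None])[0]
        if dn is None:
            continue
        for name in entry.get(attr, []):
            seen[name.lower()].add(base_of(dn))
    return {u: sorted(bases) for u, bases in seen.items() if len(bases) > 1}

if __name__ == "__main__":
    for user, bases in sorted(find_duplicate_usernames(SAMPLE_LDIF).items()):
        print(f"{user}: present in {', '.join(bases)}")
```

Run it against the real concatenated ldapsearch output for all six O's; an empty result means the redundant group can safely search each base in turn.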
