We have freeradius running successfully with 3 ldap instances (one for each of 3 different sets of user credentials, two of which are active directory).
We want to provide to the calling NAS in the Access-Accept reply some identifier of the ldap instance that authorizes a user. I have not been able to achieve this. freeradius -X output shows:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for leesle
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> leesle
expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=leesle)
expand: OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk -> OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk, with filter (samAccountName=leesle)
rlm_ldap: checking if remote access for leesle is allowed by samAccountName
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: Setting Auth-Type = ldap1
rlm_ldap: user leesle authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns ok

And then two further authorize sections:

++[ldap2] returns notfound
++[ldap3] returns notfound

Then:

users: Matched entry DEFAULT at line 159
users: Matched entry DEFAULT at line 163
users: Matched entry DEFAULT at line 167
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type ldap1
auth: type "ldap1"
+- entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by "leesle" with password "xxxxx"
rlm_ldap: user DN: CN=Seonghye Lee,OU=Students,DC=PUBLIC,DC=TRINITY-BRIS,DC=AC,DC=UK
rlm_ldap: (re)connect to 192.168.4.250:389, authentication 1
rlm_ldap: bind as CN=Seonghye Lee,OU=Students,DC=PUBLIC,DC=TRINITY-BRIS,DC=AC,DC=UK/16763673 to 192.168.4.250:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user leesle authenticated succesfully
++[ldap1] returns ok
Login OK: [leesle/xxxxx] (from client esther2-webserver port 0)
Sending Access-Accept of id 91 to 192.168.2.1 port 1026
        Callback-Id := "TCBStaff"

I have tried to put a new attribute into the Access-Accept reply via the users file:

159 DEFAULT Auth-Type == "ldap1"
160         Callback-Id = "TCBStudents",
161         Fall-Through = Yes
162 #
163 DEFAULT Auth-Type == "ldap2"
164         Callback-Id := "BBCUsers",
165         Fall-Through = Yes
166 #
167 DEFAULT Auth-Type == "ldap3"
168         Callback-Id := "TCBStaff",
169         Fall-Through = Yes

Since each line in users apparently matches, the attribute Callback-Id acquires the value of the last DEFAULT. Meanwhile I was hoping that "rlm_ldap: Setting Auth-Type = ldap1" would match only the first. Can I fix this by adjusting the syntax, or do I need a different method? Any comment appreciated!

Gary Prosser - IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
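The "different method" the post asks about is to tag the reply from the authorize section itself rather than from users-file DEFAULT entries, so that only the ldap instance that actually found the user sets the attribute. The following is an added example (not configuration from the original post or from the FreeRADIUS project) written in unlang for FreeRADIUS 2.x; it assumes the module instances are named ldap1, ldap2 and ldap3 as in the post's debug output, that this goes in the authorize section of sites-enabled/default, and it reuses the Callback-Id values from the post. The three users-file DEFAULT entries shown in the post would be removed, since with Fall-Through they all match and the last one wins.

```unlang
# Added example, not from the original post: set the reply attribute right
# after each LDAP instance runs. In unlang, "if (ok)" tests the return code of
# the module that ran immediately before it, so the update is applied only for
# the instance that returned ok (found the user); instances that return
# notfound, as ldap2 and ldap3 do in the post's debug output, are skipped.
# Assumes FreeRADIUS 2.x and instance names ldap1/ldap2/ldap3 as in the post.
authorize {
    preprocess

    ldap1
    if (ok) {
        update reply {
            Callback-Id := "TCBStudents"
        }
    }

    ldap2
    if (ok) {
        update reply {
            Callback-Id := "BBCUsers"
        }
    }

    ldap3
    if (ok) {
        update reply {
            Callback-Id := "TCBStaff"
        }
    }

    # pap still runs so that Auth-Type handling is unchanged; each rlm_ldap
    # instance continues to set Auth-Type for the user it found, exactly as
    # "rlm_ldap: Setting Auth-Type = ldap1" shows in the post.
    pap
}
```

With this layout the debug output for a user found by ldap1 should show "++[ldap1] returns ok" followed by the reply update, and "notfound" for the other two instances with no update, so the Access-Accept carries only the Callback-Id of the directory that authorized the user. Checking the "Sending Access-Accept" lines in freeradius -X for each of the three user populations confirms the mapping before relying on it at the NAS.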