Re: Multiple LDAP search
Our setup (see below) works in the way you describe: if a valid username is found in ldap1, return ok; otherwise (notfound or fail) look in ldap2; if found, return ok; otherwise (notfound or fail) look in ldap3, etc.

modules {
    ldap ldap1 {
        server = "localhost"
        basedn = "ou=TrinityStudentLogins,dc=our-domain"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        edir_account_policy_check = no
        timeout = 4
        timelimit = 3
        net_timeout = 3
    }

    ldap ldap2 {
        # config for a different ldap server or a different ou
    }

    ldap ldap3 {
        # config for a different ldap server or a different ou
    }
}

authorise {
    preprocess
    chap
    mschap
    suffix
    redundant {
        ldap1 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
        ldap2 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
        ldap3 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
    }
}

authenticate {
    ldap1
    ldap2
    ldap3
    chap
}

Gary Prosser - IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)

-----Original Message-----
From: Wayne Van der Merwe
Reply-To: FreeRadius users mailing list
To: freeradius-users@lists.freeradius.org
Subject: Multiple LDAP search
Date: Wed, 4 Aug 2010 14:09:00 +0200

> Hi all
>
> I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1.
>
> Now I need to do the following: if the user is not found in the 1st LDAP search, which searches in o=EC, then it must search again in o=HLT.
>
> I would like to know where to create these files.
>
> Thank you
>
> Wayne van der Merwe

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
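To see why the reply overrides "notfound" (and "noop") with a priority instead of leaving them as "return", here is an added Python model of how a redundant section walks the three ldap instances; it is an illustration written for this page, not code from the thread or from FreeRADIUS. It assumes the unlang rule that a "return" action stops the section with that module's code, while a numeric action records the code when its priority beats the best seen so far and moves on to the next module; the directory contents are constructed.

```python
# Added model of a FreeRADIUS 2.x "redundant { }" section, not code from the
# thread or the server. Assumed rule (see "man unlang"): "return" stops the
# section with that module's code; a number records the code if its priority
# beats the best so far and evaluation continues with the next module.
RETURN = "return"

# The per-instance action table the reply gives to ldap1, ldap2 and ldap3.
FAILOVER_ACTIONS = {
    "fail": 1, "noop": 2, "notfound": 3,
    "ok": RETURN, "reject": RETURN, "userlock": RETURN, "invalid": RETURN,
}

# What a redundant section does without the override: only "fail" moves on,
# so a user missing from ldap1 would never be looked up in ldap2.
DEFAULT_REDUNDANT_ACTIONS = {
    "fail": 1, "noop": RETURN, "notfound": RETURN,
    "ok": RETURN, "reject": RETURN, "userlock": RETURN, "invalid": RETURN,
}

# Constructed stand-in directories: set of uids per instance, None = unreachable.
DIRECTORIES = [("ldap1", {"alice"}), ("ldap2", None), ("ldap3", {"carol"})]


def ldap_result(uid, directory):
    """Return code one ldap instance yields for filter (uid=%{User-Name})."""
    if directory is None:
        return "fail"          # server down or net_timeout hit
    return "ok" if uid in directory else "notfound"


def run_redundant(uid, directories=DIRECTORIES, actions=FAILOVER_ACTIONS):
    """Walk the instances in order, stopping as unlang would.
    Returns (section_result, instances_actually_consulted)."""
    best_code, best_priority = "fail", 0
    consulted = []
    for instance, directory in directories:
        consulted.append(instance)
        code = ldap_result(uid, directory)
        action = actions[code]
        if action == RETURN:
            return code, consulted          # e.g. ok or reject: stop here
        if action > best_priority:
            best_code, best_priority = code, action
    return best_code, consulted             # highest-priority code wins


if __name__ == "__main__":
    for user in ("alice", "carol", "mallory"):
        print(user, run_redundant(user))
    print("carol (default actions)", run_redundant("carol", actions=DEFAULT_REDUNDANT_ACTIONS))
```

With the override, carol is found in ldap3 even though ldap2 is unreachable; with the default redundant actions the section stops at ldap1's notfound and never reaches her.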
Re: Multiple LDAP search
Wayne Van der Merwe wrote:
> Hi all
>
> I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1.
>
> Now I need to do the following: if the user is not found in the 1st LDAP
> search, which searches in o=EC, then it must search again in o=HLT.
>
> I would like to know where to create these files.

What "files" do you mean?

The LDAP module doesn't support that kind of search. You should configure multiple LDAP modules with different search filters, and use fail-over.

See "man unlang" and doc/configurable_failover

Alan DeKok.
Multiple LDAP search
Hi all

I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1.

Now I need to do the following: if the user is not found in the 1st LDAP search, which searches in o=EC, then it must search again in o=HLT.

I would like to know where to create these files.

Thank you

Wayne van der Merwe
Re: Multiple LDAP Search Bases - Per NAS
> Could we configure FreeRadius to look in a different ou, say ou=dialup,ou=radius,dc=test,dc=com, when it received an authentication request from the dialup NASes?

Try with huntgroups.

huntgroups file:

    dialup  NAS-IP-Address == 1.1.1.1
    dialup  NAS-IP-Address == 1.1.1.2
    adsl    NAS-IP-Address == 1.1.1.3

Then in your ldap section:

    basedn = "ou=%{Huntgroup-Name},ou=radius,dc=test,dc=com"

I think that should work; I'd give it a shot with radiusd -X to see.
Multiple LDAP Search Bases - Per NAS
Hello all

Is it possible to set up FreeRadius so that requests coming from a certain NAS will use a different search base than the default?

For example: We have an ou=radius,dc=test,dc=com and we stick DSL user records in there. These user records have attributes that would be DSL specific, like static IP addressing. We would like to be able to provide users with a backup dialup in case anything goes really wrong with our DSL service. Could we configure FreeRadius to look in a different ou, say ou=dialup,ou=radius,dc=test,dc=com, when it received an authentication request from the dialup NASes? Is this possible?

We have also considered running two instances of FreeRadius, one on the higher ports and one on the lower, and then pointing the DSL customers to one and the dialup to another, but I would like to avoid this if there is a cleaner solution that I am not aware of.

Our FreeRadius server is running Fedora Core 4 and FreeRadius 1.0.4. OpenLDAP is our LDAP backend.

Thanks for any replies.

--
"Microsoft is not the answer, it's the question. NO is the answer."

Ben Plimpton
Network Engineer
[EMAIL PROTECTED]
970-963-SURF(7873) ext 5174
www.sopris.com