Re: Multiple LDAP search

2010-08-04 Thread Gary Prosser
Our setup (see below) works in the way you describe: if a valid username
is found in ldap1, return ok; otherwise (notfound) OR (fail) look in
ldap2; if found, return ok; otherwise (notfound) OR (fail) look in ldap3,
etc.

modules {

    ldap ldap1 {
        server = "localhost"
        basedn = "ou=TrinityStudentLogins,dc=our-domain"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        edir_account_policy_check = no
        timeout = 4
        timelimit = 3
        net_timeout = 3
    }
    ldap ldap2 {
        # config for different ldap server or different ou
    }
    ldap ldap3 {
        # config for different ldap server or different ou
    }
}

authorize {
    preprocess
    chap
    mschap
    suffix

    redundant {
        # A number is a priority (processing continues with the next
        # module); "return" stops processing with that return code.
        ldap1 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
        ldap2 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
        ldap3 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
    }
}

authenticate {
    ldap1
    ldap2
    ldap3
    chap
}

Gary Prosser

-  
IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)


-Original Message-
From: Wayne Van der Merwe 
Reply-To: FreeRadius users mailing list

To: freeradius-users@lists.freeradius.org
Subject: Multiple LDAP search
Date: Wed, 4 Aug 2010 14:09:00 +0200

Hi all

I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1

Now I need to do the following if the user is not found in the 1st LDAP
search, that searches in o=EC, then it must search again in o=HLT.

I would like to know where to create these files.

Thank you
Wayne van der Merwe



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Multiple LDAP search

2010-08-04 Thread Alan DeKok
Wayne Van der Merwe wrote:
> Hi all
> 
> I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1
> 
> Now I need to do the following if the user is not found in the 1st LDAP
> search, that searches in o=EC, then it must search again in o=HLT.
> 
> I would like to know where to create these files.

  What "files" do you mean?

  The LDAP module doesn't support that kind of search.  You should
configure multiple LDAP modules with different search filters, and use
fail-over.  See "man unlang" and doc/configurable_failover

  Alan DeKok.
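
The fail-over Alan describes, combined with the per-module return-code actions from Gary Prosser's configuration in this thread, can be traced with a small model. This is an added example, not part of the original posts and not FreeRADIUS code: it assumes the priority rule from doc/configurable_failover (a "return" action stops at once, otherwise the code with the highest priority seen so far wins), and the scenarios are constructed.

```python
# Simplified model of FreeRADIUS return-code priorities (assumption: the rule
# described in doc/configurable_failover). Not FreeRADIUS source code.

# Action table used for ldap1, ldap2 and ldap3 in the thread's config:
# a number is a priority, "return" stops processing immediately.
ACTIONS = {
    "fail": 1, "noop": 2, "notfound": 3,
    "ok": "return", "reject": "return",
    "userlock": "return", "invalid": "return",
}

def evaluate(results, actions=ACTIONS):
    """Walk the modules in order. `results` is a list of (module, rcode)
    pairs saying what each module would return if it were called.
    Returns (final_rcode, modules_actually_called)."""
    final, priority, called = None, 0, []
    for module, rcode in results:
        called.append(module)
        action = actions[rcode]
        if action == "return":          # stop here, later modules never run
            return rcode, called
        if action >= priority:          # higher (or equal) priority wins
            final, priority = rcode, action
    return final, called

def outage_masked(results, actions=ACTIONS):
    """True when a directory failed but the section still answers notfound,
    i.e. a user held only in the failed directory looks like an unknown user."""
    final, called = evaluate(results, actions)
    failed = [m for m, r in results[:len(called)] if r == "fail"]
    return final == "notfound" and bool(failed)

# Constructed scenarios (not taken from any log).
SCENARIOS = {
    "found in ldap2": [("ldap1", "notfound"), ("ldap2", "ok"), ("ldap3", "ok")],
    "ldap1 down":     [("ldap1", "fail"), ("ldap2", "notfound"), ("ldap3", "notfound")],
    "all down":       [("ldap1", "fail"), ("ldap2", "fail"), ("ldap3", "fail")],
}

if __name__ == "__main__":
    for name, results in SCENARIOS.items():
        print(name, evaluate(results), "masked:", outage_masked(results))
```

Because notfound (3) outranks fail (1) in this table, a directory outage followed by a miss in the remaining directories is reported as notfound; checking `radiusd -X` output or the LDAP servers' own monitoring is what distinguishes the two cases.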


Multiple LDAP search

2010-08-04 Thread Wayne Van der Merwe
Hi all

I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1

Now I need to do the following if the user is not found in the 1st LDAP
search, that searches in o=EC, then it must search again in o=HLT.

I would like to know where to create these files.

Thank you
Wayne van der Merwe

Re: Multiple LDAP Search Bases - Per NAS

2006-02-15 Thread Dusty Doris

> Could we configure FreeRadius to look in a different ou, say
> ou=dialup,ou=radius,dc=test,dc=com, when it received an authentication
> request from the dialup NASes?



Try with huntgroups.

huntgroups file

dialup  NAS-IP-Address == 1.1.1.1
dialup  NAS-IP-Address == 1.1.1.2

adsl    NAS-IP-Address == 1.1.1.3


Then in your ldap section

basedn = "ou=%{Huntgroup-Name},ou=radius,dc=test,dc=com"


I think that should work, I'd give it a shot with radiusd -X to see.




Multiple LDAP Search Bases - Per NAS

2006-02-15 Thread Ben Plimpton
Hello all

Is it possible to set up FreeRadius so that requests coming from a
certain NAS will use a different search base than the default?

For example:

We have an ou=radius,dc=test,dc=com and we stick dsl users records in
there.  These user records have attributes that would be dsl specific
like static IP addressing.  We would like to be able to provide users
with a backup dialup in case anything goes really wrong with our dsl
service.  

Could we configure FreeRadius to look in a different ou, say
ou=dialup,ou=radius,dc=test,dc=com, when it received an authentication
request from the dialup NASes?

Is this possible? 

We have also considered running two instances of FreeRadius, one on the
higher ports and one on the lower, and then pointing the DSL customers
to one and the dialup to another, but I would like to avoid this if
there is a cleaner solution that I am not aware of.

Our FreeRadius server is running Fedora Core 4 and FreeRadius 1.0.4
OpenLDAP is our LDAP backend.

Thanks for any replies.

-- 
"Microsoft is not the answer, it's the question.  NO is the answer."

Ben Plimpton
Network Engineer
[EMAIL PROTECTED]
970-963-SURF(7873) ext 5174
www.sopris.com