LDAP basedn context

Dustin Doris freeradius at mail.doris.cc
Tue Jun 14 20:29:42 CEST 2005


> > > Correct, it is unable to find the user.  When set at a higher context I receive the following error:
> > >
> > > rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
> > > rlm_ldap: object not found or got ambiguous search result
> > > rlm_ldap: search failed
> > >
> > > My ldap config is as follows.  If I change the basedn to where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.
> > >
> > >         ldap test-ldap{
> > >                 server = "ldapserver.wheaton.edu"
> > >                 identity = "cn=admin,o=wheaton"
> > >                 password = password
> > >                 basedn = "o=wheaton"
> > >                 filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
> > >                 start_tls = yes
> > >
> > >                 tls_cacertfile  = /etc/raddb/certs/wheatonCA/wheatonca.b64
> > >                 tls_require_cert        = "demand"
> > >
> > >                 access_attr = "cn"
> > >                 dictionary_mapping = ${raddbdir}/ldap.attrmap
> > >                 ldap_connections_number = 5
> > >                 password_attribute = nspmPassword
> > >                 timeout = 4
> > >                 timelimit = 3
> > >                 net_timeout = 1
> > >         }
> > >
> > > matt...
> > >
> > >
> > > >> Is it possible to specify the basedn above where the users are actually
> > > >> located and have freeradius find the user in a subcontext?  For instance
> > > >> if my ldap is setup as ou=users1,ou=loc1,o=org and
> > > >> ou=users2,ou=loc2,o=org can I specify basedn="o=org" and find users
> > > >> in both users1 and users2?
> > > >>
> >
> >
> > Hmmm, I thought it did a subtree search, maybe not.  You could use
> > configurable_failover to search both trees.
>
> FWIW, I am taking advantage of subtree search and it works fine.  I don't
> see anything in his setup that would prevent it from happening.
>

I thought you could do subtree.

Matt,

Although that looks like an admin type of user (perhaps even rootdn).  If
not, does the user you are binding with have proper permissions to do
subtree searches?  What does your ACL on the ldap server look like?

What does a search from the command line give you?

$ ldapsearch -D "cn=admin,o=wheaton" -w password -b o=wheaton "(cn=testacct)"
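To make the subtree-versus-scope point concrete, here is a small Python model (added here, not code from the thread or from FreeRADIUS) of the lookup rlm_ldap does with the filter above: the `%{Stripped-User-Name:-%{User-Name}}` fallback, the search under basedn at base/one/sub scope, and the "object not found" versus "ambiguous search result" outcome seen in the log. The directory contents are constructed sample data and DN matching is a naive string comparison; in a real deployment the bind DN's read rights over the subtree (the ACL point raised above) decide what the search can see at all.

```python
import re

# Constructed sample directory (DN -> attributes); no real LDAP server is contacted.
# The bind identity is assumed to be able to read every entry below the basedn.
DIRECTORY = {
    "o=wheaton": {"o": "wheaton"},
    "ou=srvc,o=wheaton": {"ou": "srvc"},
    "ou=cs,ou=srvc,o=wheaton": {"ou": "cs"},
    "cn=testacct,ou=cs,ou=srvc,o=wheaton": {"cn": "testacct"},
    # Two entries with the same cn under different OUs (the users1/users2 case).
    "cn=dup,ou=users1,ou=loc1,o=wheaton": {"cn": "dup"},
    "cn=dup,ou=users2,ou=loc2,o=wheaton": {"cn": "dup"},
}
FILTER = "(cn=%{Stripped-User-Name:-%{User-Name}})"   # the filter from the config

def expand_filter(template, request):
    """Expand the %{Attr:-%{Other}} xlat form: take Attr from the request if it
    is present, otherwise fall back to Other. Only this one form is modelled."""
    m = re.fullmatch(r"\(cn=%\{([\w-]+):-%\{([\w-]+)\}\}\)", template)
    if not m:
        raise ValueError("unsupported filter template: " + template)
    primary, fallback = m.groups()
    return "(cn=%s)" % (request.get(primary) or request.get(fallback, ""))

def in_scope(dn, basedn, scope):
    """True if dn falls under basedn for scope 'base', 'one' or 'sub'
    (naive string matching; real DN comparison normalises case and spacing)."""
    if dn == basedn:
        return scope in ("base", "sub")
    if not dn.endswith("," + basedn):
        return False
    depth = dn[: -len(basedn) - 1].count(",") + 1   # RDNs below basedn
    return scope == "sub" or (scope == "one" and depth == 1)

def search(basedn, ldap_filter, scope):
    """Return the DNs matching a simple (cn=value) filter within the scope."""
    cn = ldap_filter[len("(cn="):-1]
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, basedn, scope) and attrs.get("cn") == cn]

def rlm_ldap_lookup(basedn, template, request, scope="sub"):
    """Mirror the outcome rlm_ldap logs: exactly one entry is required, so zero
    hits is 'object not found' and more than one is an ambiguous result."""
    hits = search(basedn, expand_filter(template, request), scope)
    if len(hits) == 1:
        return "found", hits[0]
    return ("object not found" if not hits else "ambiguous search result"), hits
```

Running the lookup for testacct with basedn o=wheaton succeeds only at subtree scope; the same lookup for dup fails as ambiguous, which is the other way a subtree search under a high basedn can reject a user.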

More information about the Freeradius-Users mailing list