freeradius & ldap with two trees

Ben Plimpton bplimpton at sopris.net
Tue Apr 25 21:46:04 CEST 2006


Try this in your radiusd.conf:

 basedn = "ou=%{Huntgroup-Name},ou=radius,dc=mtaonline,dc=net"

You will need to either rename your "dial" huntgroup to "people" to
match your ldap structure or you can change the profile OU to be dial.
Either way, this setup is working for me.

Ben

On Tue, 2006-04-25 at 11:30 -0800, Terry J Fike Jr wrote:
> Okay, I want radius to look at two trees in ldap, one tree for dial-up 
> one tree for dsl (so a user with a static ip in dsl gets a dynamic ip in 
> dial-up).
> 
> my huntgroup is like this:
> 
> dial	ip1
> dial	ip2
> dial	ip on local box for testing
> 
> dsl	ip3
> dsl	ip4
> dsl	ip on local box for testing
> 
> with the ip on local box commented out on the one i'm not testing.
> 
> my users file is like so (at least, the two lines i'm testing with):
> 
> DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := 
> "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := 
> `uid=%{User-Name},ou=people,dc=mtaonline,dc=net`
>          Fall-Through = no
> 
> DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl8m, User-Profile := 
> "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := 
> `uid=%{User-Name},ou=dsl,dc=mtaonline,dc=net`
>          Fall-Through = no
> 
> DEFAULT Auth-Type := Reject
>          Reply-Message = "Please call the help desk."
> 
> my ldap config in the radiusd.conf is as follows:
> 
>          ldap {
>                  server = "private ip"
>                  identity = "cn=Manager,dc=mtaonline,dc=net"
>                  password = somepassword
>                  basedn = "ou=people,dc=mtaonline,dc=net"
>                  #basedn = "dc=mtaonline,dc=net"
> 
>                  filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                  base_filter = "(objectclass=radiusprofile)"
>                  start_tls = no
>                  tls_mode = no
>                  # this maps ldap attributetypes to radius attributes
>                  dictionary_mapping = ${raddbdir}/ldap.attrmap
>                  ldap_cache_timeout = 120
>                  ldap_cache_size = 0
>                  ldap_connections_number = 10
>                  #password_header = {clear}
>                  password_attribute = userPassword
>                  groupname_attribute = radiusGroupName
>                  groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
>                  groupmembership_attribute = radiusGroupName
>                  timeout = 3
>                  timelimit = 5
>                  net_timeout = 1
>                  compare_check_items = no
>          }
> 
> If I test with a user on the tree listed in basedn, it works.  If I try 
> to test with a user in a different tree, it fails.  If I try a basedn 
> one level up (so I can try to go down both trees) both users receive an 
> Auth-Reject "please call the help desk".  In radiusd -X the reason is 
> because ldap is finding multiple entries for the user (in two plus trees).
> 
> I've gone through the documentation multiple times (and feel like I'm 
> missing something).  What am I doing wrong? Or is there no way to do 
> what I'm trying to do?
> 
> I suppose it comes down to: is there a way to re-define the basedn in 
> either huntgroups, or on a default line in the users file, so the search 
> comes up with a single user?
> 
> thanks for your help
> t-
> 
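Added example, not from the thread or from FreeRADIUS itself: a small Python model of what Ben's per-huntgroup basedn does. It expands the `%{...}` xlats the way the configs above use them, runs a subtree-scoped search over a constructed directory (laid out as Ben suggests, with one OU per huntgroup under ou=radius and the same uid present in both trees), and applies the "exactly one entry" rule that made the wide basedn fail for Terry. The directory contents, request attributes and the `lookup` helper are all constructed for illustration.

```python
import re

# Constructed sample directory laid out as Ben suggests (one OU per
# huntgroup under ou=radius). "alice" exists in both trees, which is
# exactly the case that made the single wide basedn search ambiguous.
DIRECTORY = {
    "uid=alice,ou=dial,ou=radius,dc=mtaonline,dc=net": {"uid": "alice", "radiusGroupName": "dial"},
    "uid=alice,ou=dsl,ou=radius,dc=mtaonline,dc=net": {"uid": "alice", "radiusGroupName": "dsl8m"},
    "uid=bob,ou=dsl,ou=radius,dc=mtaonline,dc=net": {"uid": "bob", "radiusGroupName": "dsl8m"},
}

# Matches %{Attr} and %{Attr:-%{Other}} (the two forms used in the thread).
XLAT = re.compile(r"%\{([A-Za-z-]+)(?::-(%\{[^}]*\}))?\}")


def xlat(template, request):
    """Expand xlats against the request attributes.
    An attribute missing from the request expands to an empty string,
    so an unmatched huntgroup yields 'ou=,ou=radius,...' and matches nothing."""
    def repl(m):
        name, default = m.group(1), m.group(2)
        value = request.get(name)
        if value is None and default is not None:
            return xlat(default, request)
        return value or ""
    return XLAT.sub(repl, template)


def subtree_search(basedn, uid):
    """Subtree-scoped search: entries below basedn whose uid matches the filter."""
    suffix = "," + basedn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(suffix) and attrs["uid"] == uid]


def lookup(request, basedn_template):
    """Model of rlm_ldap's user search: expand basedn and filter, then require
    exactly one hit. Returns (dn_or_None, all_hits); None means the module
    would fail the user, which is what Terry saw with the wide basedn."""
    basedn = xlat(basedn_template, request)
    uid = xlat("%{Stripped-User-Name:-%{User-Name}}", request)
    hits = subtree_search(basedn, uid)
    return (hits[0] if len(hits) == 1 else None), hits


if __name__ == "__main__":
    req = {"User-Name": "alice", "Huntgroup-Name": "dial"}
    print(lookup(req, "ou=radius,dc=mtaonline,dc=net"))                       # (None, 2 hits)
    print(lookup(req, "ou=%{Huntgroup-Name},ou=radius,dc=mtaonline,dc=net"))  # dial entry only
```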