Different BaseDN for User/Group Objects in rlm_ldap

Michael Schwartzkopff misch at schwartzkopff.org
Wed Jan 9 09:43:49 CET 2013


On Wednesday, 9 January 2013, 09:29:48, Rudolph Bott wrote:
> Hi List,
> 
> we are currently using rlm_ldap to check against an LDAP backend, which
> works fine so far. rlm_ldap is configured to use a BaseDN of
> "ou=poeple,dc=example,dc=org". We have also specified a group membership
> filter and are trying to enforce group memberships via the combination
> of huntgroups-file and Ldap-Group-Settings in the users file.
> 
> According to debug output, this seems to work (since freeradius is
> trying to find the groups specified in the users file).
> 
> However, our groups are stored underneath "ou=groups,dc=example,dc=org"
> - so rlm_ldap is not able to find them with the basedn shown above. We
> are also not able to change the basedn to something else, since there is
> a different user-tree underneath dc=example,dc=org which should not be
> taken into account by freeradius.
> 
> Is there a possibility to set a different basedn for group lookups OR
> another feasible solution (e.g. modify the filter...?). Filter and
> groupmembership_filter are currently set to:
> 
> filter                          = "(uid=%{Stripped-User-Name:-%{mschap:User-Name}})"
> groupname_attribute             = cn
> groupmembership_filter          = "(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{mschap:User-Name}})"
> 
> Debug output states this:
> 
> rlm_ldap: performing search in ou=poeple,dc=example,dc=org, with filter (&(cn=GROUP-NAME-FROM-USERS-FILE)(objectClass=posixGroup)(memberUid=LOGIN-USER))

Change the baseDN in the ldap module configuration of FR to 
"dc=example,dc=org".

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0163) 172 50 98
Fax: (089) 620 304 13
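
The effect of the base DN on both searches, as an added example that is not part of the original thread or of FreeRADIUS: a small in-memory model runs the user filter and the group filter from the debug output under the narrow and the wide base DN. The directory entries are constructed, and `ou=external` is a hypothetical name for the second user tree, whose real name the thread does not give.

```python
# Constructed sample directory (DN -> attributes). "ou=external" is a
# hypothetical name for the second user tree mentioned in the question.
DIRECTORY = {
    "uid=alice,ou=poeple,dc=example,dc=org": {"uid": ["alice"]},
    "uid=alice,ou=external,dc=example,dc=org": {"uid": ["alice"]},
    "cn=vpn,ou=groups,dc=example,dc=org": {
        "cn": ["vpn"], "objectClass": ["posixGroup"], "memberUid": ["alice"]},
}
NARROW = "ou=poeple,dc=example,dc=org"  # base DN as written in the question
WIDE = "dc=example,dc=org"              # base DN suggested in the reply

def parse_and_filter(text):
    """Parse '(&(a=b)(c=d))' or a bare '(a=b)' into (attr, value) pairs."""
    text = text.strip()
    if text.startswith("(&") and text.endswith(")"):
        text = text[2:-1]
    pairs = []
    for part in text.strip("()").split(")("):
        attr, _, value = part.partition("=")
        pairs.append((attr.lower(), value))
    return pairs

def subtree_search(base_dn, ldap_filter):
    """Return DNs at or below base_dn that satisfy every equality assertion."""
    base = base_dn.lower()
    wanted = parse_and_filter(ldap_filter)
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        lowered = {k.lower(): vals for k, vals in attrs.items()}
        if in_scope and all(v in lowered.get(a, []) for a, v in wanted):
            hits.append(dn)
    return hits

def compare_bases(login, group):
    """Run the user and group searches under both base DNs."""
    user_f = "(uid=%s)" % login
    # Filter shape taken from the debug output quoted in the question.
    group_f = "(&(cn=%s)(objectClass=posixGroup)(memberUid=%s))" % (group, login)
    return {base: {"users": subtree_search(base, user_f),
                   "groups": subtree_search(base, group_f)}
            for base in (NARROW, WIDE)}

if __name__ == "__main__":
    for base, found in compare_bases("alice", "vpn").items():
        print(base, "->", found)
```

With the narrow base the group search returns nothing; with the wide base the group is found, and the same user filter now also matches the entry under the second tree.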