I would like to ldap bind with username instead of DN

Wessel Louwris wessel at stutit.nl
Fri Jun 19 14:11:59 CEST 2020


Hi,

I would like to bind with the given username and skip the ldapsearch, so I implemented 

	DEFAULT Ldap-UserDN := "%{User-Name}"

in my authorize file (as described on https://wiki.freeradius.org/modules/Rlm_ldap).
Unfortunately this seems not to be enough, because it is still binding with the DN:

(6) ldap: Login attempt by "user@company.nl"
(6) ldap: Using user DN from request "uid= user,ou=Users,dc=example,dc=com"    # this is a wrong DN returned by ldapsearch
(6) ldap: Waiting for bind result...
(6) ldap: ERROR: Bind credentials incorrect: Invalid credentials

The reason I want to bind with the given username instead of the DN is that we use Google Secure LDAP with multiple domains.
The LDAP search returns the wrong DN for users with another domain than our main domain.
For users in my main domain everything works fine.

For example, an ldapsearch for user@company.nl on the Google LDAP returns:
	
	dn: uid=user,ou=Users,dc=example,dc=com 

which results in a failed LDAP bind, where it should return

	dn: uid=user,dc=company,dc=nl

which would succeed.

I noticed that I can also do a successful LDAP bind with the username: ldapsearch -W -H googleldapserver -D user@company.nl -s sub -b "dc=example,dc=com"
So binding on username would be a solution for me.

Does anybody know how I can force binding with the DEFAULT Ldap-UserDN := "%{User-Name}" and skip the ldapsearch?


Thanks for any help.

Kind regards,
Wessel
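A sanity check for the DN mismatch described in the post, as an added example that is not part of the original message or of FreeRADIUS: it compares the dc= components of the DN returned by the search with the domain part of the User-Name, and falls back to the bare user name as bind identity when they disagree (which is what the ldapsearch -D test in the post relies on). The function names and the sample DNs are assumptions constructed for this example.

```python
from typing import List, Optional


def dn_domain(dn: str) -> str:
    """Join the dc= components of a DN into a DNS-style domain.

    Splits on plain commas, so DNs with escaped commas in a value
    (e.g. cn=Doe\\, John) are outside what this helper handles.
    """
    parts: List[str] = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().lower() == "dc":
            parts.append(value.strip().lower())
    return ".".join(parts)


def user_domain(user_name: str) -> str:
    """Return the domain part of a user@domain name, or '' if absent."""
    _, sep, domain = user_name.partition("@")
    return domain.lower() if sep else ""


def dn_matches_user_domain(dn: str, user_name: str) -> bool:
    """True when the dc= components of the search-result DN equal the
    user's mail domain. A mismatch is the symptom from the post:
    uid=user,ou=Users,dc=example,dc=com returned for user@company.nl."""
    domain = user_domain(user_name)
    return bool(domain) and dn_domain(dn) == domain


def choose_bind_identity(user_name: str, search_dn: Optional[str]) -> str:
    """Pick the identity to bind with: the searched DN when it is
    consistent with the user's domain, otherwise the bare user name."""
    if search_dn and dn_matches_user_domain(search_dn, user_name):
        return search_dn
    return user_name


if __name__ == "__main__":
    # Constructed sample: the wrong DN from the post's log versus the
    # DN the poster expected for a user in the second domain.
    wrong_dn = "uid=user,ou=Users,dc=example,dc=com"
    right_dn = "uid=user,dc=company,dc=nl"
    for dn in (wrong_dn, right_dn):
        print(dn, "->", choose_bind_identity("user@company.nl", dn))
```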




