Correct, it is unable to find the user. When set at a higher context I receive the following error:
rlm_ldap: performing search in o=wheaton, with filter (cn=testacct) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed
My ldap config is as follows. If I change the basedn to where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.
ldap test-ldap{ server = "ldapserver.wheaton.edu" identity = "cn=admin,o=wheaton" password = password basedn = "o=wheaton" filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" start_tls = yes
tls_cacertfile = /etc/raddb/certs/wheatonCA/wheatonca.b64 tls_require_cert = "demand"
access_attr = "cn" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = nspmPassword timeout = 4 timelimit = 3 net_timeout = 1 }
matt...
Is it possible to specify the basedn above where the users are actually located and have freeradius find the user in a subcontext? For instance if my ldap is setup as ou=users1,ou=loc1,o=org and ou=users2,ou=loc2,ou=o=org can I specify basedn="o=org" and find users in both users1 and users2?
Hmmm, I thought it did a subtree search, maybe not. You could use configurable_failover to search both trees. in radiusd.conf make two ldap instances with the same config except the basedn. ldap ldap1 { config with one basedn } ldap ldap2 { config with other basedn } in authorize section define them as a group authorize { group { ldap1 ldap2 } }