ldap basedn assignment

Dusty Doris freeradius at mail.doris.cc
Thu Aug 4 18:59:29 CEST 2005


> The above problem line should be:
> rlm_ldap: bind as uid=username, ou=People,
> dc=university,dc=edu,c=us/test123 to
> openldap.university.edu:1744
> However, it is taking the userdn from the ad server which
> gave the first authorize ok. What I need is for it to
> attempt to authenticate with the appropriate userdn
> depending on which server it is authenticating to. So it
> would use the userdn from AD authenticating to the AD server
> and the openldap userdn when authenticating to the openldap
> server.
>

I see what is happening, that's a tough one.  You are passing both
authorization modules since the username is the same for your search
filter.  Then it tries to bind with the first DN that passed the
authorization, but that is the incorrect DN since you want to use the
openldap version of that user.

The easiest method to work around this right away, is if there is
something coming in the packet that will tell you whether this should be
an AD or openldap user.  If that's the case, then you can make a rule
specifying which Autz type and Auth type to use.

For example.  Say all AD users come from nas-ip of 1.1.1.1 and all
openldap users come from nas-ip of 1.1.1.2.

In users file.

DEFAULT  NAS-IP-Address == 1.1.1.1, Autz-Type := ldap1, Auth-Type := ldap2

DEFAULT  NAS-IP-Address == 1.1.1.2, Autz-Type := ldap2, Auth-Type := ldap2

DEFAULT Auth-Type := Reject

That would get you what you want.  Note that it doesn't have to be nas-ip,
you can go off any radius attribute that is consistantly in those auth
requests.  However, if there is nothing identifying whether it should be
an AD lookup vs an openldap lookup, then its going to be harder.  ( I
think - although I don't know the internals, so a developer could answer
this better).

The overlap of the names makes it hard.  Are these actually different
users, with the same RDN or are they the same user that exists in both AD
and openldap?  I'd have to think about this a bit based on your answer to
see if I can think of anything.





More information about the Freeradius-Users mailing list