LDAP basedn context

Dustin Doris freeradius at mail.doris.cc
Tue Jun 14 18:51:12 CEST 2005


> Correct, it is unable to find the user.  When set at a higher context I receive the following error:
>
> rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
>
> My ldap config is as follows.  If I change the basedn to where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.
>
>         ldap test-ldap{
>                 server = "ldapserver.wheaton.edu"
>                 identity = "cn=admin,o=wheaton"
>                 password = password
>                 basedn = "o=wheaton"
>                 filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
>                 start_tls = yes
>
>                 tls_cacertfile  = /etc/raddb/certs/wheatonCA/wheatonca.b64
>                 tls_require_cert        = "demand"
>
>                 access_attr = "cn"
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>                 ldap_connections_number = 5
>                 password_attribute = nspmPassword
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
>         }
>
> matt...
>
>
> >> Is it possible to specify the basedn above where the users are actually
> >> located and have freeradius find the user in a subcontext?  For instance
> >> if my ldap is setup as ou=users1,ou=loc1,o=org and
> >> ou=users2,ou=loc2,ou=o=org can I specify basedn="o=org" and find users
> >> in both users1 and users2?
> >>


Hmmm, I thought it did a subtree search, maybe not.  You could use
configurable_failover to search both trees.

In radiusd.conf, make two ldap instances with the same config except the
basedn.

ldap ldap1 {
 config with one basedn
}

ldap ldap2 {
  config with other basedn
}

In the authorize section, define them as a group:

authorize {
  group {
    ldap1
    ldap2
  }
}
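As an added illustration (not code from this thread or from FreeRADIUS), the following in-memory model shows why a user under ou=cs,ou=srvc,o=wheaton is invisible when the search is not a subtree search from o=wheaton, and what the "search each base in turn, accept exactly one match" behaviour of the two-instance group looks like, including the ambiguous-result case that rlm_ldap reports. The directory entries and the cn values are constructed sample data.

```python
# Added example: a toy LDAP search over an in-memory directory.
# Not rlm_ldap; it only models scope, base DN matching and failover order.
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: (DN, attributes). Note the duplicate cn=jdoe
# in two subtrees, which a broad base with filter (cn=...) would match twice.
DIRECTORY: List[Tuple[str, Dict[str, str]]] = [
    ("cn=admin,o=wheaton", {"cn": "admin"}),
    ("cn=testacct,ou=cs,ou=srvc,o=wheaton", {"cn": "testacct"}),
    ("cn=jdoe,ou=users1,ou=loc1,o=wheaton", {"cn": "jdoe"}),
    ("cn=jdoe,ou=users2,ou=loc2,o=wheaton", {"cn": "jdoe"}),
]

def dn_parts(dn: str) -> Tuple[str, ...]:
    """Split a DN into normalised RDNs, most specific first."""
    return tuple(p.strip().lower() for p in dn.split(","))

def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """LDAP search scopes: base = the base entry only, one = direct
    children only, sub = the base and everything beneath it."""
    e, b = dn_parts(entry_dn), dn_parts(base_dn)
    if scope == "base":
        return e == b
    if scope == "one":
        return len(e) == len(b) + 1 and e[1:] == b
    if scope == "sub":
        return len(e) >= len(b) and e[len(e) - len(b):] == b
    raise ValueError(f"unknown scope {scope!r}")

def search(directory, base_dn: str, scope: str, cn: str) -> List[str]:
    """Return DNs under base_dn (within scope) whose cn matches, like (cn=X)."""
    return [dn for dn, attrs in directory
            if in_scope(dn, base_dn, scope)
            and attrs.get("cn", "").lower() == cn.lower()]

def find_user(directory, base_dns: List[str], cn: str,
              scope: str = "sub") -> Optional[str]:
    """Try each base DN in order (the authorize group). Like rlm_ldap, a
    search that matches more than one object is an error, not a guess."""
    for base in base_dns:
        hits = search(directory, base, scope, cn)
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1:
            raise LookupError(f"ambiguous search result in {base}: {hits}")
    return None  # notfound in every instance
```

The order of the instances in the group decides which account wins when the same cn exists under more than one base, so that order is itself a security setting.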
