LDAP basedn context

Zawacki Jason D Contr AFRL/IFOS Jason.Zawacki at rl.af.mil
Tue Jun 14 19:30:29 CEST 2005


> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Dustin Doris
> Sent: Tuesday, June 14, 2005 12:51 PM
> To: FreeRadius users mailing list
> Subject: Re: LDAP basedn context
> 
> 
> > Correct, it is unable to find the user.  When set at a higher context I receive the following error:
> >
> > rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
> > rlm_ldap: object not found or got ambiguous search result
> > rlm_ldap: search failed
> >
> > My ldap config is as follows.  If I change the basedn to where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.
> >
> >         ldap test-ldap{
> >                 server = "ldapserver.wheaton.edu"
> >                 identity = "cn=admin,o=wheaton"
> >                 password = password
> >                 basedn = "o=wheaton"
> >                 filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
> >                 start_tls = yes
> >
> >                 tls_cacertfile  = /etc/raddb/certs/wheatonCA/wheatonca.b64
> >                 tls_require_cert        = "demand"
> >
> >                 access_attr = "cn"
> >                 dictionary_mapping = ${raddbdir}/ldap.attrmap
> >                 ldap_connections_number = 5
> >                 password_attribute = nspmPassword
> >                 timeout = 4
> >                 timelimit = 3
> >                 net_timeout = 1
> >         }
> >
> > matt...
> >
> >
> > >> Is it possible to specify the basedn above where the users are actually located and have freeradius find the user in a subcontext?
> > >> For instance if my ldap is setup as ou=users1,ou=loc1,o=org and ou=users2,ou=loc2,ou=o=org can I specify basedn="o=org" and find users in both users1 and users2?
> > >>
> 
> 
> Hmmm, I thought it did a subtree search, maybe not.  You could use
> configurable_failover to search both trees.

FWIW, I am taking advantage of subtree search and it works fine.  I don't
see anything in his setup that would prevent it from happening.


> 
> in radiusd.conf make two ldap instances with the same config except the basedn.
> 
> ldap ldap1 {
>  config with one basedn
> }
> 
> ldap ldap2 {
>   config with other basedn
> }
> 
> in authorize section define them as a group
> 
> authorize {
>   group {
>     ldap1
>     ldap2
>   }
> }
> 
> 
> 

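The question in the thread is whether a user sitting several containers below the configured basedn is found, and the error quoted ("object not found or got ambiguous search result") covers both the empty and the duplicate case. The following is an added example, not code from the thread or from FreeRADIUS: a pure-Python model of LDAP search scope (base, one-level, subtree) and of the "exactly one hit" rule, run over a constructed directory built from the DNs in the thread, with no LDAP server involved.

```python
# Added example: models LDAP search scope and rlm_ldap's one-match requirement.
# The directory below is constructed from the DNs quoted in the thread.
BASE, ONELEVEL, SUBTREE = "base", "onelevel", "subtree"

DIRECTORY = {  # constructed sample entries; "bob" exists in two containers
    "cn=testacct,ou=cs,ou=srvc,o=wheaton": {"cn": "testacct"},
    "cn=admin,o=wheaton": {"cn": "admin"},
    "cn=bob,ou=users1,ou=loc1,o=org": {"cn": "bob"},
    "cn=bob,ou=users2,ou=loc2,o=org": {"cn": "bob"},
}


def parse_dn(dn):
    """Split a DN into normalized (type, value) RDNs, leaf first.
    Simplified RFC 4514: no escaped commas or multi-valued RDNs."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn would be returned by a search at base_dn with scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    # The base DN must be a suffix of the entry DN (compared RDN by RDN).
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)  # 0 = the base itself, 1 = direct child
    if scope == BASE:
        return depth == 0
    if scope == ONELEVEL:
        return depth == 1
    return True  # SUBTREE: any depth below (or at) the base


def search(base_dn, scope, cn):
    """DNs matching the filter (cn=<cn>) under base_dn with the given scope."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, scope) and attrs["cn"].lower() == cn.lower()]


def lookup_user(base_dn, scope, cn):
    """Model of the thread's error: the module needs exactly one hit.
    Returns the DN, or None when the result is empty or ambiguous."""
    hits = search(base_dn, scope, cn)
    return hits[0] if len(hits) == 1 else None
```

With basedn o=wheaton a subtree search reaches cn=testacct in ou=cs,ou=srvc, a one-level search does not; with basedn o=org the duplicate cn=bob entries make the subtree result ambiguous, so a base above several user containers only works when the filtered attribute is unique across them.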