LDAP basedn context
Zawacki Jason D Contr AFRL/IFOS
Jason.Zawacki at rl.af.mil
Tue Jun 14 19:30:29 CEST 2005
> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On
> Behalf Of Dustin Doris
> Sent: Tuesday, June 14, 2005 12:51 PM
> To: FreeRadius users mailing list
> Subject: Re:LDAP basedn context
>
>
> > Correct, it is unable to find the user. When set at a higher context I receive the following error:
> >
> > rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
> > rlm_ldap: object not found or got ambiguous search result
> > rlm_ldap: search failed
> >
> > My ldap config is as follows. If I change the basedn to where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.
> >
> > ldap test-ldap{
> > server = "ldapserver.wheaton.edu"
> > identity = "cn=admin,o=wheaton"
> > password = password
> > basedn = "o=wheaton"
> > filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
> > start_tls = yes
> >
> > tls_cacertfile = /etc/raddb/certs/wheatonCA/wheatonca.b64
> > tls_require_cert = "demand"
> >
> > access_attr = "cn"
> > dictionary_mapping = ${raddbdir}/ldap.attrmap
> > ldap_connections_number = 5
> > password_attribute = nspmPassword
> > timeout = 4
> > timelimit = 3
> > net_timeout = 1
> > }
> >
> > matt...
> >
> >
> > >> Is it possible to specify the basedn above where the users are actually located and have freeradius find the user in a subcontext? For instance if my ldap is setup as ou=users1,ou=loc1,o=org and ou=users2,ou=loc2,ou=o=org can I specify basedn="o=org" and find users in both users1 and users2?
> > >>
>
>
> Hmmm, I thought it did a subtree search, maybe not. You could use
> configurable_failover to search both trees.
FWIW, I am taking advantage of subtree search and it works fine. I don't
see anything in his setup that would prevent it from happening.
>
> in radiusd.conf make two ldap instances with the same config
> except the
> basedn.
>
> ldap ldap1 {
> config with one basedn
> }
>
> ldap ldap2 {
> config with other basedn
> }
>
> in authorize section define them as a group
>
> authorize {
> group {
> ldap1
> ldap2
> }
> }
>
>
>
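Added illustration, not part of this thread and not FreeRADIUS or rlm_ldap code: a small Python model of what the thread is arguing about. It builds a constructed directory tree with the layout Matt describes (the test account two levels below o=wheaton, plus a second ou branch), applies the three LDAP search scopes to it, and tries a list of base DNs in order the way the two-instance group in radiusd.conf would. The names DIRECTORY, in_scope, ldap_search, find_user and expand_filter are illustrative, and the DN parser assumes no escaped commas or multi-valued RDNs. The "exactly one hit or fail" rule in find_user mirrors the error text quoted above ("object not found or got ambiguous search result"), so it also shows what happens when a subtree search from a high basedn matches the same cn in two branches.

```python
"""Scope-aware search over a small constructed LDAP directory.

Models the behaviour discussed in the thread: whether a user two
levels below the basedn is found depends on the search scope, and a
search that returns zero or several entries is treated as a failure
("object not found or got ambiguous search result").
Function and variable names here are illustrative, not rlm_ldap's.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample tree with the layout described in the thread:
# the test account sits two levels below o=wheaton, and a second
# branch (ou=users2,ou=loc2) holds other accounts. "dup" exists in
# both branches to show the ambiguous-result case.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "o=wheaton": {"o": "wheaton"},
    "ou=srvc,o=wheaton": {"ou": "srvc"},
    "ou=cs,ou=srvc,o=wheaton": {"ou": "cs"},
    "cn=testacct,ou=cs,ou=srvc,o=wheaton": {"cn": "testacct"},
    "cn=dup,ou=cs,ou=srvc,o=wheaton": {"cn": "dup"},
    "ou=loc2,o=wheaton": {"ou": "loc2"},
    "ou=users2,ou=loc2,o=wheaton": {"ou": "users2"},
    "cn=other,ou=users2,ou=loc2,o=wheaton": {"cn": "other"},
    "cn=dup,ou=users2,ou=loc2,o=wheaton": {"cn": "dup"},
}

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into normalized (type, value) RDNs, leaf first.

    Simplification (assumption): no escaped commas and no multi-valued
    RDNs, which holds for the sample tree above.
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply the LDAP search scope: base, onelevel or subtree."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    # The entry must lie under the base: its RDN list ends with the base's.
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def matches_filter(attrs: Dict[str, str], filt: str) -> bool:
    """Evaluate a single equality filter such as '(cn=testacct)'."""
    body = filt.strip()
    if not (body.startswith("(") and body.endswith(")")) or "=" not in body:
        raise ValueError(f"unsupported filter {filt!r}")
    attr, _, value = body[1:-1].partition("=")
    lowered = {k.lower(): v.lower() for k, v in attrs.items()}
    return lowered.get(attr.strip().lower()) == value.strip().lower()


def expand_filter(template: str, user_name: str,
                  stripped: Optional[str] = None) -> str:
    """Expand the thread's filter template: Stripped-User-Name when set,
    otherwise User-Name. Only this one xlat form is handled here."""
    pattern = r"%\{Stripped-User-Name:-%\{User-Name\}\}"
    return re.sub(pattern, lambda _m: stripped or user_name, template)


def ldap_search(base_dn: str, scope: str, filt: str) -> List[str]:
    """Return the DNs under base_dn (within scope) that match the filter."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, scope) and matches_filter(attrs, filt)]


def find_user(base_dns: List[str], filt: str,
              scope: str) -> Optional[Tuple[str, str]]:
    """Try each basedn in order (the two-instance failover from the thread).

    A basedn succeeds only if exactly one entry matches; zero or several
    matches are both treated as failure, as rlm_ldap's message states.
    """
    for base_dn in base_dns:
        hits = ldap_search(base_dn, scope, filt)
        if len(hits) == 1:
            return base_dn, hits[0]
    return None


if __name__ == "__main__":
    filt = expand_filter("(cn=%{Stripped-User-Name:-%{User-Name}})", "testacct")
    print("subtree from o=wheaton:", ldap_search("o=wheaton", "subtree", filt))
    print("onelevel from o=wheaton:", ldap_search("o=wheaton", "onelevel", filt))
    print("failover:", find_user(["ou=cs,ou=srvc,o=wheaton",
                                  "ou=users2,ou=loc2,o=wheaton"],
                                 "(cn=other)", "onelevel"))
```

Running it shows the two outcomes the thread contrasts: with subtree scope the search from o=wheaton reaches cn=testacct two levels down, while with onelevel scope it returns nothing and only a basedn of ou=cs,ou=srvc,o=wheaton finds the account. The failover loop finds cn=other in the second base after the first yields nothing, and a cn present in both branches makes a high subtree search ambiguous, so find_user reports failure rather than picking one.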