freeradius & ldap with two trees
Terry J Fike Jr
tfike at mtasolutions.com
Tue Apr 25 21:30:07 CEST 2006
Okay, I want radius to look at two trees in ldap, one tree for dial-up and
one tree for dsl (so a user with a static ip in dsl gets a dynamic ip in
dial-up).
my huntgroup is like this:
dial ip1
dial ip2
dial ip on local box for testing
dsl ip3
dsl ip4
dsl ip on local box for testing
with the ip on local box commented out on the one I'm not testing.
my users file is like so (at least, the two lines I'm testing with):

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := "uid=%{User-Name},ou=people,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := "uid=%{User-Name},ou=dsl,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the help desk."
my ldap config in the radiusd.conf is as follows:

ldap {
        server = "private ip"
        identity = "cn=Manager,dc=mtaonline,dc=net"
        password = somepassword
        basedn = "ou=people,dc=mtaonline,dc=net"
        #basedn = "dc=mtaonline,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        tls_mode = no
        # this maps ldap attributetypes to radius attributes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10
        #password_header = {clear}
        password_attribute = userPassword
        groupname_attribute = radiusGroupName
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
        groupmembership_attribute = radiusGroupName
        timeout = 3
        timelimit = 5
        net_timeout = 1
        compare_check_items = no
}
If I test with a user on the tree listed in basedn, it works. If I try
to test with a user in a different tree, it fails. If I try a basedn
one level up (so I can try to go down both trees), both users receive an
Auth-Reject "please call the help desk". In radiusd -X the reason is
that ldap is finding multiple entries for the user (in two plus trees).
I've gone through the documentation multiple times (and feel like I'm
missing something). What am I doing wrong? Or is there no way to do
what I'm trying to do?
I suppose it comes down to: is there a way to re-define the basedn in
either huntgroups, or on a default line in the users file, so the search
comes up with a single user?
thanks for your help
t-
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
tfike at mtasolutions.com
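The failure mode in the post (one search base covering both subtrees returns two entries for the same uid, so the user is rejected) can be reproduced with a small model of the lookup. The script below is an added example, not FreeRADIUS or rlm_ldap code; the in-memory directory, the user names alice and bob, and the huntgroup-to-subtree mapping are constructed for the example, using the DNs quoted in the post. It contrasts a single fixed basedn with a base DN chosen from the huntgroup, which is the per-huntgroup scoping the post asks about.

```python
"""Model of an rlm_ldap-style user lookup with one fixed base DN versus a
base DN selected per huntgroup.  Added example, not FreeRADIUS code."""

# Constructed in-memory directory.  The same uid exists under both the
# dial-up tree (ou=people) and the DSL tree (ou=dsl), as in the post.
DIRECTORY = {
    "uid=alice,ou=people,dc=mtaonline,dc=net": {"uid": "alice", "radiusGroupName": "dial"},
    "uid=alice,ou=dsl,dc=mtaonline,dc=net":    {"uid": "alice", "radiusGroupName": "dsl8m"},
    "uid=bob,ou=people,dc=mtaonline,dc=net":   {"uid": "bob",   "radiusGroupName": "dial"},
}

# Assumed mapping for the example: which subtree each huntgroup should search.
BASEDN_BY_HUNTGROUP = {
    "dial": "ou=people,dc=mtaonline,dc=net",
    "dsl":  "ou=dsl,dc=mtaonline,dc=net",
}

# Group required per huntgroup, taken from the users file in the post.
GROUP_BY_HUNTGROUP = {"dial": "dial", "dsl": "dsl8m"}


def search(basedn, uid):
    """Subtree search for (uid=<uid>) below basedn; returns the matching DNs."""
    suffix = "," + basedn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(suffix) and attrs["uid"] == uid]


def lookup_user(uid, basedn):
    """The authorize-time lookup: exactly one entry must match.
    Returns ("ok", dn), ("notfound", None) or ("multiple", None)."""
    hits = search(basedn, uid)
    if len(hits) == 1:
        return "ok", hits[0]
    if not hits:
        return "notfound", None
    return "multiple", None


def authorize(uid, huntgroup, basedn=None):
    """Decide accept/reject for a request arriving on `huntgroup`.

    With `basedn` given, every request searches that one base (the setup
    in the post).  Without it, the base is chosen from the huntgroup, so
    each request can only ever see its own subtree."""
    base = basedn if basedn is not None else BASEDN_BY_HUNTGROUP[huntgroup]
    status, dn = lookup_user(uid, base)
    if status != "ok":
        return {"result": "reject", "reason": status, "dn": None}
    # Ldap-Group == <group> check from the users file.
    if DIRECTORY[dn]["radiusGroupName"] != GROUP_BY_HUNTGROUP[huntgroup]:
        return {"result": "reject", "reason": "wrong-group", "dn": dn}
    return {"result": "accept", "reason": None, "dn": dn}


if __name__ == "__main__":
    # basedn one level up: alice matches in two trees -> rejected.
    print(authorize("alice", "dial", basedn="dc=mtaonline,dc=net"))
    # basedn fixed to ou=people: a DSL request finds the dial entry only.
    print(authorize("alice", "dsl", basedn="ou=people,dc=mtaonline,dc=net"))
    # base chosen per huntgroup: each request sees exactly one entry.
    print(authorize("alice", "dial"))
    print(authorize("alice", "dsl"))
    print(authorize("bob", "dsl"))
```

The first two calls reproduce the two symptoms described in the post (the "multiple entries" reject with the wider base, and the wrong-tree failure with the narrow base); the last three show that once the search base follows the huntgroup, each lookup returns a single entry and the group check behaves as the users file expects.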