freeradius & ldap with two trees

Terry J Fike Jr tfike at
Tue Apr 25 21:30:07 CEST 2006

Okay, I want radius to look at two trees in ldap, one tree for dial-up 
one tree for dsl (so a user with a static ip in dsl gets a dynamic ip in 

my huntgroup is like this:

dial	ip1
dial	ip2
dial	ip on local box for testing

dsl	ip3
dsl	ip4
dsl	ip on local box for testing

with the ip on local box commented out on the one i'm not testing.

my users file is like so (at least, the two lines i'm testing with):

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := 
"uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := 
         Fall-Through = no

DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl8m, User-Profile := 
"uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := 
         Fall-Through = no

DEFAULT Auth-Type := Reject
         Reply-Message = "Please call the help desk."

my ldap config in the radiusd.conf is as follows:

        ldap {
                server = "private ip"
                identity = "cn=Manager,dc=mtaonline,dc=net"
                password = somepassword
                basedn = "ou=people,dc=mtaonline,dc=net"
                #basedn = "dc=mtaonline,dc=net"

                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                base_filter = "(objectclass=radiusprofile)"
                start_tls = no
                tls_mode = no
                # this maps ldap attributetypes to radius attributes
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_cache_timeout = 120
                ldap_cache_size = 0
                ldap_connections_number = 10
                #password_header = {clear}
                password_attribute = userPassword
                groupname_attribute = radiusGroupName
                groupmembership_filter = 
                groupmembership_attribute = radiusGroupName
                timeout = 3
                timelimit = 5
                net_timeout = 1
                compare_check_items = no
        }

If I test with a user on the tree listed in basedn, it works.  If I try 
to test with a user in a different tree, it fails.  If I try a basedn 
one level up (so I can try to go down both trees) both users receive an 
Auth-Reject "Please call the help desk."  In radiusd -X the reason is 
because ldap is finding multiple entries for the user (in two plus trees).

I've gone through the documentation multiple times (and feel like I'm 
missing something).  What am I doing wrong? Or is there no way to do 
what I'm trying to do?

I suppose it comes down to: is there a way to re-define the basedn in 
either huntgroups, or on a default line in the users file, so the search 
comes up with a single user.

thanks for your help

Terry J Fike Jr
System Administrator
MTA Solutions
tfike at
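The lookup problem described in the post, as an added illustration that is not part of the original message or of FreeRADIUS itself: a constructed Python model of a subtree search with a uid present in two branches, showing why a base DN above both trees yields multiple entries (and a reject), while a base DN chosen per huntgroup yields exactly one. The directory entries, the ou=dial / ou=dsl subtree names and BASEDN_BY_HUNTGROUP are assumptions; the profiles mirror the two DEFAULT entries in the users file.

```python
from typing import Optional, Tuple

# Constructed directory (not the poster's data): the same uid exists under two
# subtrees, which is the ambiguity the post describes.
DIRECTORY = {
    "uid=alice,ou=dial,ou=people,dc=mtaonline,dc=net": {"uid": "alice", "radiusGroupName": "dial"},
    "uid=alice,ou=dsl,ou=people,dc=mtaonline,dc=net": {"uid": "alice", "radiusGroupName": "dsl8m"},
    "uid=bob,ou=dsl,ou=people,dc=mtaonline,dc=net": {"uid": "bob", "radiusGroupName": "dsl8m"},
}

# Hypothetical per-huntgroup base DNs (assumed subtree names under ou=people).
BASEDN_BY_HUNTGROUP = {
    "dial": "ou=dial,ou=people,dc=mtaonline,dc=net",
    "dsl": "ou=dsl,ou=people,dc=mtaonline,dc=net",
}

# Mirrors the two DEFAULT entries in the users file: (Huntgroup-Name, Ldap-Group) -> User-Profile.
PROFILES = {
    ("dial", "dial"): "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net",
    ("dsl", "dsl8m"): "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net",
}
REJECT = ("reject", "Please call the help desk.")


def in_subtree(dn: str, basedn: str) -> bool:
    """Subtree scope: the entry is the base itself or sits somewhere below it."""
    dn, basedn = dn.lower(), basedn.lower()
    return dn == basedn or dn.endswith("," + basedn)


def search(basedn: str, uid: str) -> list:
    """Model of filter "(uid=%{User-Name})" under basedn; returns the matching DNs."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, basedn) and attrs["uid"] == uid]


def authorize(user: str, huntgroup: str, basedn: Optional[str] = None) -> Tuple[str, str]:
    """Pick the base DN from the huntgroup unless one is forced, then apply the users-file logic."""
    base = basedn if basedn is not None else BASEDN_BY_HUNTGROUP.get(huntgroup, "")
    matches = search(base, user)
    if len(matches) != 1:  # no entry, or the multiple-entries case seen in radiusd -X
        return REJECT
    group = DIRECTORY[matches[0]]["radiusGroupName"]
    profile = PROFILES.get((huntgroup, group))
    return ("accept", profile) if profile else REJECT
```

Forcing basedn="dc=mtaonline,dc=net" reproduces the reject for a uid that lives in both trees; letting the huntgroup pick the base makes the same uid resolve to one entry and one profile.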
