rlm_ldap and multiple ldap calls?

JR Mayberry mayberry at loonybin.net
Sun Dec 21 19:28:27 CET 2008

I'm not really sure if I'm doing this right, maybe someone can provide 
guidance. I have two problems a) how to structure my directory and b) how to do 
two lookups in rlm_ldap.

But, effectively, LDAP is our authorization store and I'm proxying RADIUS to an 
RSA server for authentication only. We're removing all authorization from RSA.

So, I've got devices in ou=Hosts,dc=blah,dc=com that are following the ipHost 
objectClass. Basically, I need a mechanism to put those devices into 
'groupOfIpHosts' - which isn't a real concept.

So, I use the 'seeAlso' attribute to reference a group of systems for that 
particular ipHost.

Then, I lookup that group and check if the user authenticating is a 
uniqueMember in that group.

So, I'm basically doing two ldap lookups. Right now, I'm doing it in an 
rlm_perl module which has obvious disadvantages (ldap persistence).

a) is there a better way to structure my directory?
b) can I do multiple ldap lookups using rlm_ldap to achieve same end goal?

LDAP calls looks like this now

1) get the hosts group

         $mesg = $ldap->search(
                         base   => "ou=Hosts,dc=comcast,dc=com",
                         filter => "(&(ipHostNumber=$ipaddress))",
                         attrs => ["seeAlso"],
## returns group membership into $group

2) verify user in group
                 $mesg = $ldap->search (
                         base   => $group,
                         filter => 
                         attrs => ["uniqueMember"],

More information about the Freeradius-Users mailing list