Multiple BaseDN's - How Do I Do This?
Phil Mayers
p.mayers at imperial.ac.uk
Fri May 9 14:51:37 CEST 2008
Rob VanDusen wrote:
> Yes Phil, that is the unfortunate configuration I have inherited with
> the job. This is a school district, they really want to keep each
> school building as its own top-level O. I work in the ESB building,
Ok.
> so that was the baseDN I used for testing. I'd rather not have to run
> 6 different radius boxes, but I can't seem to figure out how to make
> the multiple ldap modules work. I found a few how-to's on the web,
> but they are for the 1.x version and they don't seem to work with the
> 2.x version.
Multiple LDAP modules should work; as per the FAQ entry I linked to,
"it's not working" is not very specific. Could you show us what you
tried and the output from "radiusd -X" when it fails?
You would want something like this:
modules {
    # one ldap module per school, each pointed at that school's top-level O
    ldap ldap_esb {
        basedn = "o=esb"
    }
    ldap ldap_sps {
        ..
    }
    ...etc
}
instantiate {
    # group the per-school modules so authorize only has to call one name
    redundant all_ldap {
        ldap_esb
        ldap_sps
        ...etc
    }
}
server {
    authorize {
        preprocess
        all_ldap
    }
    authenticate {
        # stuff here depends on auth method
    }
}
How are you *authenticating* the users once they're found in LDAP - do
the LDAP servers return plaintext passwords / password hashes to
FreeRADIUS and FreeRADIUS does the authentication, or does FreeRADIUS
need to do an LDAP "simple bind" against the LDAP server (which will
only work for PAP requests)?
If the former (LDAP servers give passwords/hashes to FR) then each ldap
module should say:
modules {
    ldap ldap_xxx {
        # don't force Auth-Type = ldap; let pap/chap/mschap set it
        set_auth_type = no
    }
}
...and you should have something like:
server {
    authorize {
        preprocess
        all_ldap
        chap
        mschap
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }
}
If the latter, i.e. LDAP simple bind, you will need:
modules {
    ldap ldap_xxx {
        # sets Auth-Type to this module's name when the user is found
        set_auth_type = yes
    }
}
...and you should have something like:
server {
    authorize {
        preprocess
        all_ldap
    }
    authenticate {
        Auth-Type ldap_esb {
            ldap_esb
        }
        Auth-Type ldap_xxx {
            ldap_xxx
        }
        ...etc
    }
}
Obviously the configs above are "sample"; for this setup (which is not
so common) you may need to play a bit. In particular, the above configs
omit several of the standard modules e.g. eap, files, etc. Don't use
them "as-is".
The standard advice applies:
1. start with the default config
2. make small changes
3. test after each change
4. store each working config in a version control repo (e.g. svn) so
if you break it you can compare and go back
Finally, I am making the assumption the usernames are unique across the
entire LDAP tree i.e. there are no duplicates:
cn=jdoe,o=esb
cn=jdoe,o=sps
...if there are, it's going to be very tricky.
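A way to verify the duplicate-username assumption at the end of the post before wiring up the per-school ldap modules, added here as an example and not part of the thread: a small Python script that parses LDIF (as exported by an ldapsearch of each school's tree, which is an assumed step) and reports any username that appears under more than one top-level O. The LDIF sample is constructed.

```python
"""Report usernames that exist under more than one top-level O.

Assumption (not from the thread): each school's entries were exported
to LDIF with something like  ldapsearch -b o=<school> '(cn=*)' cn  and
the exports were concatenated into one file.
"""
import re
from collections import defaultdict

# Constructed sample LDIF standing in for the merged exports; the two
# 'jdoe' entries are the collision case the post warns about.
SAMPLE_LDIF = """\
dn: cn=jdoe,ou=staff,o=esb
cn: jdoe

dn: cn=asmith,o=esb
cn: asmith

dn: cn=jdoe,o=sps
cn: jdoe

dn: cn=bjones,ou=students,o=sps
cn: bjones
"""


def top_level_o(dn):
    """Return the last RDN of a DN, e.g. 'o=sps' (lower-cased)."""
    return dn.split(",")[-1].strip().lower()


def parse_ldif(text):
    """Return a list of (cn, top-level O) for every entry with dn and cn."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                attrs[key.strip().lower()] = value.strip()
        if attrs.get("dn") and attrs.get("cn"):
            entries.append((attrs["cn"].lower(), top_level_o(attrs["dn"])))
    return entries


def find_cross_tree_duplicates(text):
    """Map each username found under more than one O to the sorted O list."""
    seen = defaultdict(set)
    for cn, o in parse_ldif(text):
        seen[cn].add(o)
    return {cn: sorted(os_) for cn, os_ in seen.items() if len(os_) > 1}


if __name__ == "__main__":
    for user, trees in find_cross_tree_duplicates(SAMPLE_LDIF).items():
        print("%s: present in %s" % (user, ", ".join(trees)))
```

Any username the script lists needs to be resolved (or the lookup keyed on something more than cn) before a single RADIUS box is pointed at all six trees.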