Different BaseDN for User/Group Objects in rlm_ldap
Rudolph Bott
r at bott.im
Wed Jan 9 09:29:48 CET 2013
Hi List,
we are currently using rlm_ldap to check against an LDAP backend, which
works fine so far. rlm_ldap is configured to use a BaseDN of
"ou=poeple,dc=example,dc=org". We have also specified a group membership
filter and are trying to enforce group memberships via the combination
of huntgroups-file and Ldap-Group-Settings in the users file.
According to debug output, this seems to work (since freeradius is
trying to find the groups specified in the users file).
However, our groups are stored underneath "ou=groups,dc=example,dc=org"
- so rlm_ldap is not able to find them with the basedn shown above. We
are also not able to change the basedn to something else, since there is
a different user-tree underneath dc=example,dc=org which should not be
taken into account by freeradius.
Is there a possibility to set a different basedn for group lookups OR
another feasible solution (e.g. modify the filter...?). Filter and
groupmembership_filter are currently set to:
filter = "(uid=%{Stripped-User-Name:-%{mschap:User-Name}})"
groupname_attribute = cn
groupmembership_filter = "(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{mschap:User-Name}})"
Debug output states this:
rlm_ldap: performing search in ou=poeple,dc=example,dc=org, with filter
(&(cn=GROUP-NAME-FROM-USERS-FILE)(objectClass=posixGroup)(memberUid=LOGIN-USER))
Thanks in advance for your help!
--
Mit freundlichen Grüßen / with kind regards
Rudolph Bott