Different BaseDN for User/Group Objects in rlm_ldap

Rudolph Bott r at bott.im
Wed Jan 9 09:29:48 CET 2013


Hi List,

we are currently using rlm_ldap to check against an LDAP backend, which 
works fine so far. rlm_ldap is configured to use a BaseDN of 
"ou=poeple,dc=example,dc=org". We have also specified a group membership 
filter and are trying to enforce group memberships via the combination 
of huntgroups-file and Ldap-Group-Settings in the users file.

According to debug output, this seems to work (since freeradius is 
trying to find the groups specified in the users file).

However, our groups are stored underneath "ou=groups,dc=example,dc=org" 
- so rlm_ldap is not able to find them with the basedn shown above. We 
are also not able to change the basedn to something else, since there is 
a different user-tree underneath dc=example,dc=org which should not be 
taken into account by freeradius.

Is there a possibility to set a different basedn for group lookups OR 
another feasible solution (e.g. modify the filter...?). Filter and 
groupmembership_filter are currently set to:

filter                          = "(uid=%{Stripped-User-Name:-%{mschap:User-Name}})"
groupname_attribute             = cn
groupmembership_filter          = "(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{mschap:User-Name}})"

Debug output states this:

rlm_ldap: performing search in ou=poeple,dc=example,dc=org, with filter 
(&(cn=GROUP-NAME-FROM-USERS-FILE)(objectClass=posixGroup)(memberUid=LOGIN-USER))

Thanks in advance for your help!

-- 
Mit freundlichen Grüßen / with kind regards
   Rudolph Bott
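Added example (not part of the original post and not FreeRADIUS code): a toy model of the group search that the debug output above shows, run against a constructed two-subtree directory. It makes the scoping problem concrete: the same `(&(cn=GROUP)(objectClass=posixGroup)(memberUid=USER))` filter matches nothing under the user base DN and matches the group only under ou=groups, which is the check to make before relying on Ldap-Group for authorization. The entries, user name "alice" and group name "radius-vpn" are assumptions.

```python
"""Toy subtree search modelling rlm_ldap's group lookup (added example)."""

# Constructed directory: one user subtree, one group subtree (assumed data).
DIRECTORY = {
    "uid=alice,ou=poeple,dc=example,dc=org": {
        "objectClass": {"posixAccount"}, "uid": {"alice"}},
    "cn=radius-vpn,ou=groups,dc=example,dc=org": {
        "objectClass": {"posixGroup"}, "cn": {"radius-vpn"},
        "memberUid": {"alice"}},
}

def parse_filter(s):
    """Parse a small RFC 4515 subset: (attr=value), (&...), (|...), (!...)."""
    def node(i):
        assert s[i] == "("
        if s[i + 1] in "&|!":
            op, i, kids = s[i + 1], i + 2, []
            while s[i] != ")":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        end = s.index(")", i)
        attr, val = s[i + 1:end].split("=", 1)
        return ("eq", attr, val), end + 1
    tree, i = node(0)
    if i != len(s):
        raise ValueError("trailing characters in filter")
    return tree

def matches(node, entry):
    """Evaluate a parsed filter against one entry's attribute sets."""
    if node[0] == "eq":
        return node[2] in entry.get(node[1], set())
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)  # "!"

def search(base_dn, filt):
    """Subtree search: DNs below base_dn whose entry matches filt."""
    tree = parse_filter(filt)
    return sorted(dn for dn, e in DIRECTORY.items()
                  if dn.lower().endswith("," + base_dn.lower()) and matches(tree, e))

def group_filter(group, user):
    # Same shape as the logged search: (&(cn=GROUP)<groupmembership_filter>)
    return f"(&(cn={group})(objectClass=posixGroup)(memberUid={user}))"

if __name__ == "__main__":
    f = group_filter("radius-vpn", "alice")
    print("ou=poeple:", search("ou=poeple,dc=example,dc=org", f))  # []
    print("ou=groups:", search("ou=groups,dc=example,dc=org", f))  # [group DN]
```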

