Different BaseDN for User/Group Objects in rlm_ldap
Rudolph Bott
r at bott.im
Wed Jan 9 09:56:16 CET 2013
Hi,
thanks for the fast reply.
On 2013-01-09 09:43, Michael Schwartzkopff wrote:
> On Wednesday, 9 January 2013, 09:29:48 Rudolph Bott wrote:
>> Hi List,
>>
>> we are currently using rlm_ldap to check against an LDAP backend, which
>> works fine so far. rlm_ldap is configured to use a BaseDN of
>> "ou=poeple,dc=example,dc=org". We have also specified a group membership
>> filter and are trying to enforce group memberships via the combination
>> of huntgroups-file and Ldap-Group-Settings in the users file.
>>
>> According to debug output, this seems to work (since freeradius is
>> trying to find the groups specified in the users file).
>>
>> However, our groups are stored underneath "ou=groups,dc=example,dc=org"
>> - so rlm_ldap is not able to find them with the basedn shown above. We
>> are also not able to change the basedn to something else, since there is
>> a different user-tree underneath dc=example,dc=org which should not be
>> taken into account by freeradius.
>>
>> Is there a possibility to set a different basedn for group lookups OR
>> another feasible solution (e.g. modify the filter...?). Filter and
>> groupmembership_filter are currently set to:
>>
>> filter = "(uid=%{Stripped-User-Name:-%{mschap:User-Name}})"
>> groupname_attribute = cn
>> groupmembership_filter = "(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{mschap:User-Name}})"
>>
>> Debug output states this:
>>
>> rlm_ldap: performing search in ou=poeple,dc=example,dc=org, with filter
>> (&(cn=GROUP-NAME-FROM-USERS-FILE)(objectClass=posixGroup)(memberUid=LOGIN-USER))
>
> Change the baseDN in the ldap module configuration of FR to
> "dc=example,dc=org".
As I said, that is not an option since there is another users tree
underneath dc=example,dc=org (e.g. "ou=people2,dc=example,dc=org") which
should not be considered/read by freeradius.
The LDAP-structure is similar to this:
org
\- example
|- people
|- people2
\- groups
--
With kind regards
Rudolph Bott
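This thread concerns the FreeRADIUS 2.x rlm_ldap configuration, where a single basedn serves both searches. The 3.x rlm_ldap configuration separates the user and group searches into their own sections, each with its own base_dn. The fragment below is an added example, not from this thread or the FreeRADIUS project files; it assumes 3.x syntax, the tree shown in the reply above (ou=people, ou=people2, ou=groups under dc=example,dc=org), and a placeholder server name.

```conf
# Added example, FreeRADIUS 3.x style mods-available/ldap (not from the thread).
# The server name is a placeholder; the DNs follow the tree in the reply above.
ldap {
    server = 'ldap.example.org'
    base_dn = 'dc=example,dc=org'

    user {
        # Only this subtree is searched for users, so ou=people2 is never consulted.
        base_dn = "ou=people,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        # Group lookups get their own base, independent of the user base above.
        base_dn = "ou=groups,${..base_dn}"
        filter = '(objectClass=posixGroup)'
        name_attribute = cn
        # posixGroup lists members by uid, so match the login name against memberUid.
        membership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}
```

With the two base DNs split this way, an Ldap-Group check in the users file is resolved under ou=groups while authentication stays scoped to ou=people.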