Different BaseDN for User/Group Objects in rlm_ldap
r at bott.im
Wed Jan 9 09:56:16 CET 2013
Thanks for the fast reply.
On 2013-01-09 09:43, Michael Schwartzkopff wrote:
> On Wednesday, 9 January 2013, 09:29:48, Rudolph Bott wrote:
>> Hi List,
>> we are currently using rlm_ldap to check against an LDAP backend,
>> works fine so far. rlm_ldap is configured to use a BaseDN of
>> "ou=poeple,dc=example,dc=org". We have also specified a group
>> filter and are trying to enforce group memberships via the
>> of huntgroups-file and Ldap-Group-Settings in the users file.
>> According to debug output, this seems to work (since freeradius is
>> trying to find the groups specified in the users file).
>> However, our groups are stored underneath
>> - so rlm_ldap is not able to find them with the basedn shown above.
>> are also not able to change the basedn to something else, since
>> there is
>> a different user-tree underneath dc=example,dc=org which should not
>> taken into account by freeradius.
>> Is there a possibility to set a different basedn for group lookups
>> another feasible solution (e.g. modify the filter...?). Filter and
>> groupmembership_filter are currently set to:
>> filter =
>> groupname_attribute = cn
>> groupmembership_filter =
>> Debug output states this:
>> rlm_ldap: performing search in ou=poeple,dc=example,dc=org, with
> Change the baseDN in the ldap module configuration of FR to
As I said, that is not an option since there is another users tree
underneath dc=example,dc=org (e.g. "ou=people2,dc=example,dc=org") which
should not be considered/read by freeradius.
The LDAP-structure is similar to this:
With kind regards
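
The scoping constraint described in the message above, as an added example that is not part of the original post: a small Python model of LDAP subtree search scope, showing that the parent base DN also exposes ou=people2 while separate user and group search bases do not. The ou=groups container and all entry names are constructed placeholders (the post does not give them), and the list-of-bases model is a generalization for illustration, not an rlm_ldap option.

```python
# Added illustration. ou=groups and every entry name below are constructed
# placeholders; only the three base DNs quoted in the post come from the page.

def parse_dn(dn):
    """Split a DN into normalized RDNs, keeping backslash-escaped commas intact."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    # Simplification: compare case-insensitively, ignoring padding around RDNs.
    return [r.strip().lower() for r in rdns if r.strip()]

def in_subtree(entry_dn, base_dn):
    """True if entry_dn is the base entry or lies below it (subtree scope)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def visible(directory, bases):
    """Entries a client can reach when it searches each base with subtree scope."""
    return sorted(dn for dn in directory if any(in_subtree(dn, b) for b in bases))

USER_BASE = "ou=poeple,dc=example,dc=org"    # base DN as configured in the post
PARENT_BASE = "dc=example,dc=org"            # the parent both user trees share
GROUP_BASE = "ou=groups,dc=example,dc=org"   # hypothetical group container

DIRECTORY = [                                # constructed sample entries
    "uid=alice,ou=poeple,dc=example,dc=org",
    "uid=carol, OU=poeple, DC=example, DC=org",
    "uid=bob,ou=people2,dc=example,dc=org",
    "cn=vpn-users,ou=groups,dc=example,dc=org",
]

if __name__ == "__main__":
    for label, bases in [("user base only", [USER_BASE]),
                         ("parent base", [PARENT_BASE]),
                         ("user + group bases", [USER_BASE, GROUP_BASE])]:
        print(label, "->", visible(DIRECTORY, bases))
```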