Different BaseDN for User/Group Objects in rlm_ldap

Rudolph Bott r at bott.im
Wed Jan 9 10:48:16 CET 2013


On 2013-01-09 10:27, Tobias Hachmer wrote:
> On Wednesday 09 January 2013 09:29:48 Rudolph Bott wrote:
>> Is there a possibility to set a different basedn for group lookups
>> OR
>> another feasible solution (e.g. modify the filter...?). Filter and
>> groupmembership_filter are currently set to:
>
> Create a new ldap module called e.g. ldap2 (just copy the existing
> ldap module and rename it to ldap2, also rename it in the module itself,
> otherwise FR tries to instantiate the ldap module twice), adjust there
> the new basedn and call it where you want in authorize section.

I am not sure if that would work in this case (but maybe I just got the 
concept of the LDAP module wrong):

* NAS XY connects to FR with an Access-Request
* the huntgroup/users file tells FR to require the membership of an
  LDAP-Group named 'blah'
* the LDAP module which does the authentication automatically checks if
  the current user (which it uses to bind to LDAP) is a member of that
  group

How would I exactly fit in another copy of the LDAP module in this 
scenario? Wouldn't that mean that the second instance of that module 
would also have to bind to LDAP using the same settings? And how would I 
tell the second instance to check for the group required by the users 
file instead of the first module?

For completeness, this is a sample line from the huntgroups file:

HQ              NAS-IP-Address == 1.2.3.4

And this the corresponding users file:

DEFAULT Huntgroup-Name == HQ, Ldap-Group == SpecialUserGroup
         Reply-Message = "\n###### Access granted by SpecialUserGroup ########\n",
         Fall-Through = no

If there is a request from the NAS specified by that IP address, the 
LDAP module will automatically check if the user is in the group 
SpecialUserGroup.

> Regards,
> Tobias Hachmer

-- 
Kind regards / with kind regards
   Rudolph Bott
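As an added illustration of the second-instance approach discussed in this thread (editor's example, not configuration from either poster or from the FreeRADIUS project): in FreeRADIUS 2.x, rlm_ldap registers the users-file check item as `Ldap-Group` for the instance named `ldap` and as `<instance>-Ldap-Group` for any other instance name, so a second instance with its own basedn can be addressed from the users file directly. The server name, bind DN, OU names and filters below are assumed placeholders.

```conf
# Added example, not from the thread. FreeRADIUS 2.x layout.
# /etc/raddb/modules/ldap2 : copy of the "ldap" module, renamed, with the
# base DN pointed at the group subtree only (all DNs here are placeholders).
ldap ldap2 {
        server = "ldap.example.org"                 # assumed host
        identity = "cn=radius,dc=example,dc=org"    # assumed bind DN
        password = "REPLACE_ME"                     # placeholder
        basedn = "ou=Groups,dc=example,dc=org"      # group subtree
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupname_attribute = cn
        # member DN comes from control:Ldap-UserDn, which the first
        # instance ("ldap", with the user base DN) sets during authorize
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

# /etc/raddb/radiusd.conf : make sure the second instance is loaded even
# if no section calls it by name, so its check item exists for "files".
instantiate {
        ldap2
}

# /etc/raddb/sites-enabled/default : the normal instance still does the
# user lookup; "files" then evaluates the ldap2-Ldap-Group check item.
authorize {
        preprocess
        files
        ldap
}

# /etc/raddb/users : same huntgroup rule as in the mail, but the group
# check is routed to the second instance via its prefixed check item.
DEFAULT Huntgroup-Name == HQ, ldap2-Ldap-Group == SpecialUserGroup
        Reply-Message = "Access granted by SpecialUserGroup",
        Fall-Through = no
```

The group comparison uses the instance's own bind identity, not the user's credentials, so ldap2 needs only read access to the group subtree.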
