Different BaseDN for User/Group Objects in rlm_ldap

Tobias Hachmer lists at kokelnet.de
Wed Jan 9 11:41:28 CET 2013

On Wednesday 09 January 2013 10:48:16 Rudolph Bott wrote:
> Am 2013-01-09 10:27, schrieb Tobias Hachmer:
> > On Wednesday 09 January 2013 09:29:48 Rudolph Bott wrote:
> >> Is there is possibility to set a different basedn for group lookups
> >> OR
> >> another feasible solution (e.g. modify the filter...?). Filter and
> >> groupmembership_filter are currently set to:
> > Create a new ldap module called e.g. ldap2 (just copy the existing
> > ldap module
> > and rename it to ldap2, also rename it in the module itself,
> > otherwise FR
> > tries to instantiate the ldap module twice), adjust there the new
> > basedn and
> > call it where you want in authorize section.
> I am not sure if that would work in this case (but maybe I just got the
> concept of the LDAP module wrong):
> * NAS XY connects to FR with an Access-Request
> * the huntgroup/users file tells FR to require the membership of an
> LDAP-Group named 'blah'
> * the LDAP module which does the authentication automatically checks if
> the current user (which it uses to bind to LDAP) is a member of that
> group
> How would I exactly fit in another copy of the LDAP module in this
> scenario? Wouldn't that mean that the second instance of that module
> would also have to bind to LDAP using the same settings? And how would I
> tell the second instance to check for the group required by the users
> file instead of the first module?

You have to configure the second ldap module in the same way as the first.
If you just want another basedn and to query the same ldap directory,
adjust only the basedn in the second ldap module.

Copy /etc/raddb|freeradius/modules/ldap to /etc/raddb|freeradius/modules/ldap2

Be sure that the second ldap module's definition starts with:
ldap ldap2 {

The easiest way is to just call it right after the first ldap module in the
authorize and authenticate sections; fit it to your scenario.

If you do so, the ldap search will be done first with ldap module 1 and after
that with ldap module 2. I guess this is not really what you want.

Maybe you can check with unlang on user/group-specific things, NAS IP, or
huntgroups, I don't know, to call the appropriate ldap module.

Tobias Hachmer
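The second-instance setup described in this thread, written out as an added example (not configuration posted by either participant). It assumes FreeRADIUS 2.x, that the user objects live under the basedn of the first `ldap` instance, and that a second instance registers a check attribute named `ldap2-Ldap-Group`; the server name, DNs, credentials and the huntgroup name are placeholders.

```unlang
# modules/ldap2: a copy of modules/ldap with the instance renamed, so the
# server does not try to instantiate "ldap" twice. Only basedn differs from
# the first instance and points at the subtree holding the group objects.
# (placeholders: ldap.example.com, dc=example,dc=com, CHANGEME)
ldap ldap2 {
    server = "ldap.example.com"
    identity = "cn=radius,dc=example,dc=com"
    password = "CHANGEME"
    basedn = "ou=groups,dc=example,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
    groupmembership_attribute = memberOf
}

# sites-enabled/default, authorize section (excerpt). The first instance
# does the user lookup against the users' basedn and sets Ldap-UserDn;
# the group check is then run through ldap2 only for the NAS that need it,
# selected by huntgroup as suggested above ("switches" is a placeholder).
authorize {
    preprocess
    ldap
    if (Huntgroup-Name == "switches") {
        if (!(ldap2-Ldap-Group == "blah")) {
            reject
        }
    }
}
```

Because the group check is a comparison rather than a module call, `ldap2` itself never runs a user search here, so its basedn can be the group subtree without producing a "user not found" result in authorize.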
