Different BaseDN for User/Group Objects in rlm_ldap
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jan 9 12:38:15 CET 2013
On 01/09/2013 08:29 AM, Rudolph Bott wrote:
>
> However, our groups are stored underneath "ou=groups,dc=example,dc=org"
> - so rlm_ldap is not able to find them with the basedn shown above. We
Unsolicited advice: that's not a great schema, and you should look to
move away from it.
> are also not able to change the basedn to something else, since there is
> a different user-tree underneath dc=example,dc=org which should not be
> taken into account by freeradius.
>
Define a 2nd copy of the LDAP module with the base DN of the group area.
Run the 1st LDAP module before doing any group checks so that
"Ldap-UserDN" is populated.
Check the per-instance Ldap-Group attribute of the 2nd instance.
Like so:

ldap {
        # basedn = the user subtree
}
ldap ldap2 {
        # basedn = the group subtree (ou=groups,dc=example,dc=org)
}
...
authorize {
        ...
        ldap    # 1st instance: finds the user and sets control:Ldap-UserDN
        if (ldap2-Ldap-Group == "FOO") {
                # the ldap2-Ldap-Group compare is answered by the 2nd
                # instance, so it searches the 2nd base DN using the
                # user DN found by the 1st instance
        }
        ...
}
Alternatively, if your users are all in a flat hierarchy, you can
hard-code Ldap-UserDN and skip calling the 1st module (unless you need
data from there, of course).
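A fuller version of the two-instance setup, added here as an illustration (it is not from the post or from the FreeRADIUS distribution), using the 2.x rlm_ldap option names that were current when this was written. The server name, bind credentials, the user subtree ou=users,dc=example,dc=org, the groupOfNames/member group schema and the group name FOO are assumptions; the group subtree ou=groups,dc=example,dc=org is the one from the question.

```unlang
# raddb/modules/ldap (2.x layout). Server, bind identity and the user
# subtree "ou=users,dc=example,dc=org" are assumptions for this example.
ldap {
        server = "ldap.example.org"
        identity = "cn=radius,ou=services,dc=example,dc=org"
        password = "change-me"
        basedn = "ou=users,dc=example,dc=org"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # On a successful user search the module stores the matched
        # entry's DN in control:Ldap-UserDn; nothing else is needed here.
}

# Second instance: same server, but its searches start at the group
# subtree from the question. Its group check matches entries whose
# "member" attribute equals the DN the first instance found. The
# groupOfNames/member schema is an assumption; adjust it to your
# group objectClass.
ldap ldap2 {
        server = "ldap.example.org"
        identity = "cn=radius,ou=services,dc=example,dc=org"
        password = "change-me"
        basedn = "ou=groups,dc=example,dc=org"
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
}

# raddb/sites-enabled/default, authorize section. "FOO" and the reply
# attribute are placeholders.
authorize {
        # preprocess, suffix, files, ... as in the stock configuration
        ldap
        # No match under the user subtree means no control:Ldap-UserDn.
        # Stop here: otherwise the ldap2 group compare would try to look
        # the user up itself, under ou=groups, and report non-membership.
        if (notfound || fail) {
                reject
        }
        # The per-instance attribute is named "<instance>-Ldap-Group", so
        # this compare is answered by ldap2 and searches ou=groups with
        # the DN that the first instance stored.
        if (ldap2-Ldap-Group == "FOO") {
                update reply {
                        Reply-Message := "FOO member"
                }
        }
        else {
                reject
        }
        # pap, eap, ... as in the stock configuration
}
```

In 3.x the same result needs only one instance, because the user { } and group { } blocks of a single rlm_ldap instance each carry their own base_dn. On either version the hard-coded alternative from the post (update control { Ldap-UserDn := "uid=%{User-Name},ou=users,dc=example,dc=org" }) only holds when every user entry is named uid=<User-Name> directly under that subtree; if realms are stripped, build it from Stripped-User-Name as well.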
More information about the Freeradius-Users mailing list