Different BaseDN for User/Group Objects in rlm_ldap
Rudolph Bott
r at bott.im
Wed Jan 9 19:11:59 CET 2013
Hi Phil,
we fixed the problem by using the radiusGroupName attribute in the
user's object instead of posixGroup-Objects.
Thanks for your help, everyone!
On 2013-01-09 12:38, Phil Mayers wrote:
> On 01/09/2013 08:29 AM, Rudolph Bott wrote:
>
>>
>> However, our groups are stored underneath "ou=groups,dc=example,dc=org"
>> - so rlm_ldap is not able to find them with the basedn shown above. We
>
> Unsolicited advice: that's not a great schema, and you should look to
> move away from it.
>
>> are also not able to change the basedn to something else, since there is
>> a different user-tree underneath dc=example,dc=org which should not be
>> taken into account by freeradius.
>>
>
> Define a 2nd copy of the LDAP module with the base DN of the group
> area.
>
> Run the 1st LDAP module before doing any group checks so that
> "Ldap-UserDN" is populated.
>
> Check the per-instance Ldap-Group attribute of the 2nd instance.
>
> Like so:
>
> ldap {
>     # base DN for users
> }
> ldap ldap2 {
>     # base DN for groups
> }
>
> ...
>
> authorize {
>     ...
>     ldap
>     if (ldap2-Ldap-Group == FOO) {
>         # will search 2nd base DN using user DN of 1st module
>     }
>     ...
> }
>
> Alternatively, if your users are all in a flat hierarchy, you can
> hard-code Ldap-UserDN and skip calling the 1st module (unless you need
> data from there, of course)
--
With kind regards
Rudolph Bott
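As an added example (not part of the original thread), this is how the two-instance layout Phil describes and the single-instance variant Rudolph settled on (radiusGroupName in the user object) look as FreeRADIUS 2.x rlm_ldap configuration. The server name, bind identity, the user base DN "ou=users,dc=example,dc=org" and the group name "vpn-users" are assumed placeholders; the group base DN is the one from the thread, and posixGroup membership is matched on memberUid because that attribute holds a uid, not a DN.

```text
# modules/ldap (FreeRADIUS 2.x syntax) -- added example, not from the thread
ldap {
    server   = "ldap.example.org"               # assumed
    identity = "cn=radius,dc=example,dc=org"    # assumed read-only bind DN
    password = "CHANGE-ME"
    basedn   = "ou=users,dc=example,dc=org"     # assumed; only this user tree is searched
    filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Variant B (what the thread settled on): the group names live in the
    # user's own object, so no search under ou=groups is needed.
    groupmembership_attribute = "radiusGroupName"
}

# Variant A: second instance whose basedn is the group subtree only.
ldap ldap2 {
    server   = "ldap.example.org"               # assumed
    identity = "cn=radius,dc=example,dc=org"    # assumed
    password = "CHANGE-ME"
    basedn   = "ou=groups,dc=example,dc=org"
    groupname_attribute    = "cn"
    # posixGroup lists members by uid, so match on memberUid rather than the DN
    groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
}

# sites-enabled/default
authorize {
    # ... other modules ...
    ldap        # must run first: fills control:Ldap-UserDn from the user tree
    if (ldap2-Ldap-Group == "vpn-users") {      # assumed group name
        # group lookup ran against ou=groups, not the user base DN
        update reply {
            Reply-Message := "member of vpn-users"
        }
    }
    # With variant B the same check is just: if (Ldap-Group == "vpn-users")
    # ... other modules ...
}
```

Whichever variant is used, the bind identity only needs read access to the user and group subtrees it actually searches, which keeps the other user tree under dc=example,dc=org out of RADIUS decisions entirely.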