Different BaseDN for User/Group Objects in rlm_ldap

Rudolph Bott r at bott.im
Wed Jan 9 19:11:59 CET 2013


Hi Phil,

we fixed the problem by using the radiusGroupName attribute in the 
user's object instead of posixGroup-Objects.

Thanks for your help anyone!

Am 2013-01-09 12:38, schrieb Phil Mayers:
> On 01/09/2013 08:29 AM, Rudolph Bott wrote:
>
>>
>> However, our groups are stored underneath 
>> "ou=groups,dc=example,dc=org"
>> - so rlm_ldap is not able to find them with the basedn shown above. 
>> We
>
> Unsolicited advice: that's not a great schema, and you should look to
> move away from it.
>
>> are also not able to change the basedn to something else, since 
>> there is
>> a different user-tree underneath dc=example,dc=org which should not 
>> be
>> taken into account by freeradius.
>>
>
> Define a 2nd copy of the LDAP module with the base DN of the group 
> area.
>
> Run the 1st LDAP module before doing any group checks so that
> "Ldap-UserDN" is populated.
>
> Check the per-instance Ldap-Group attribute of the 2nd instance.
>
> Like so:
>
> ldap {
>   # base DN for users
> }
> ldap ldap2 {
>   # base DN for groups
> }
>
> ...
>
> authorize {
>   ...
>   ldap
>   if (ldap2-Ldap-Group == FOO) {
>     # will search 2nd base DN using user DN of 1st module
>   }
>   ...
> }
>
> Alternatively, if your users are all in a flat hierarchy, you can
> hard-code Ldap-UserDN and skip calling the 1st module (unless you 
> need
> data from there, of course)
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

-- 
Mit freundlichen Grüßen / with kind regards
   Rudolph Bott


More information about the Freeradius-Users mailing list