I would like to ldap bind with username instead of DN
Wessel Louwris
wessel at stutit.nl
Fri Jun 19 14:11:59 CEST 2020
Hi,
I would like to bind with the given username and skip the ldapsearch, so I implemented
DEFAULT Ldap-UserDN := "%{User-Name}"
in my authorize file (as described on https://wiki.freeradius.org/modules/Rlm_ldap).
Unfortunately this does not seem to be enough, because it's still binding with the DN:
(6) ldap: Login attempt by "user at company.nl "
(6) ldap: Using user DN from request "uid= user,ou=Users,dc=example,dc=com” # this is a wrong DN returned by ldapsearch
(6) ldap: Waiting for bind result...
(6) ldap: ERROR: Bind credentials incorrect: Invalid credentials
The reason I want to bind with the given username instead of the DN is that we use Google Secure LDAP with multiple domains.
The LDAP search returns the wrong DN for users with another domain than our main domain.
For users in my main domain everything works fine.
For example, an ldapsearch for user at company.nl on the Google LDAP returns:
dn: uid=user,ou=Users,dc=example,dc=com
which results in a failed LDAP bind,
where it should return
dn: uid=user,dc=company,dc=nl
which would succeed.
I noticed that I can also do a successful LDAP bind with the username: ldapsearch -W -H googleldapserver -D user at company.nl -s sub -b "dc=example,dc=com"
So binding on username would be a solution for me.
Does anybody know how I can force binding with DEFAULT Ldap-UserDN := "%{User-Name}" and skip the ldapsearch?
Thanks for any help.
Kind regards,
Wessel
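Since the correct bind DN in the post differs per domain (uid=user,dc=company,dc=nl versus uid=user,ou=Users,dc=example,dc=com), here is an added example, not from the original post and not FreeRADIUS or rlm_ldap code, that derives a per-domain bind DN from a UPN-style User-Name and escapes the uid per RFC 4514 so that commas or equals signs in a supplied username cannot change the DN structure. The domain-to-suffix table and the "unknown domain is rejected" rule are constructed assumptions for this example.

```python
import re
from typing import Dict, Optional

# Constructed mapping of mail domain -> DN suffix, taken from the two DNs
# discussed in the post (assumption; adjust to the real directory layout).
DOMAIN_SUFFIXES: Dict[str, str] = {
    "company.nl": "dc=company,dc=nl",
    "example.com": "ou=Users,dc=example,dc=com",
}

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = re.compile(r'([\\,+"<>;=])')


def escape_dn_value(value: str) -> str:
    """Escape a string for safe use as an attribute value inside an LDAP DN."""
    out = _DN_SPECIAL.sub(r"\\\1", value)
    out = out.replace("\x00", "\\00")          # NUL must be hex-escaped
    if out.startswith(("#", " ")):             # leading '#' or space
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):  # trailing space
        out = out[:-1] + "\\ "
    return out


def user_dn_from_upn(user_name: str,
                     suffixes: Dict[str, str] = DOMAIN_SUFFIXES) -> Optional[str]:
    """Map 'uid@domain' to 'uid=<escaped uid>,<suffix for domain>'.

    Returns None for malformed names or domains that are not on the allow-list,
    so the caller can reject the request instead of binding with a guessed DN.
    """
    if user_name.count("@") != 1:
        return None
    uid, domain = user_name.split("@")
    suffix = suffixes.get(domain.strip().lower())
    if not uid or suffix is None:
        return None
    return "uid=" + escape_dn_value(uid) + "," + suffix


if __name__ == "__main__":
    for name in ("user@company.nl", "user@example.com", "user,ou=Admins@company.nl", "user@other.org"):
        print(f"{name!r} -> {user_dn_from_upn(name)!r}")
```

The returned value is what would be placed in Ldap-UserDN instead of the raw User-Name, keeping the ldapsearch out of the bind path while still refusing domains the server does not know.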