Hi,

thanks for the fast reply.

On 2013-01-09 09:43, Michael Schwartzkopff wrote:
On Wednesday, 9 January 2013, 09:29:48, Rudolph Bott wrote:
Hi List,

we are currently using rlm_ldap to check against an LDAP backend, which
works fine so far. rlm_ldap is configured to use a BaseDN of
"ou=poeple,dc=example,dc=org". We have also specified a group membership
filter and are trying to enforce group memberships via the combination
of huntgroups-file and Ldap-Group-Settings in the users file.

According to debug output, this seems to work (since freeradius is
trying to find the groups specified in the users file).

However, our groups are stored underneath "ou=groups,dc=example,dc=org" - so rlm_ldap is not able to find them with the basedn shown above. We are also not able to change the basedn to something else, since there is a different user-tree underneath dc=example,dc=org which should not be
taken into account by freeradius.

Is there a possibility to set a different basedn for group lookups OR
another feasible solution (e.g. modify the filter...?). Filter and
groupmembership_filter are currently set to:

filter                          = "(uid=%{Stripped-User-Name:-%{mschap:User-Name}})"
groupname_attribute             = cn
groupmembership_filter          = "(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{mschap:User-Name}})"

Debug output states this:

rlm_ldap: performing search in ou=poeple,dc=example,dc=org, with filter (&(cn=GROUP-NAME-FROM-USERS-FILE)(objectClass=posixGroup)(memberUid=LOGIN-USER))

Change the baseDN in the ldap module configuration of FR to
"dc=example,dc=org".

As I said, that is not an option since there is another users tree underneath dc=example,dc=org (e.g. "ou=people2,dc=example,dc=org") which should not be considered/read by freeradius.

The LDAP-structure is similar to this:

org
\- example
   |- people
   |- people2
   \- groups


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Mit freundlichen Grüßen / with kind regards
  Rudolph Bott