Hi Chris!

You are confusing the DN with attributes. The DN is the unique name of the entry, and in this case is:

    cn=testHost,ou=hosts,dc=company,dc=net

No matter what attributes you have in the entry, the DN will not change. Just like your name is "Chris Berger", even if you change your socks and wear a different shirt for the day. Your name is still "Chris Berger". The same with the DN of an entry.

To put it another way: You said "The important thing is the multiple cn." In fact, that sentence should be "The irrelevant thing is the multiple cn."

So, change:

    pam_groupdn cn=10.0.0.252,ou=hosts,dc=company,dc=net

To:

    pam_groupdn cn=testHost,ou=hosts,dc=company,dc=net

That should resolve the issue for you.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Chris Berger
Sent: Thursday, August 06, 2009 7:58 AM
To: [email protected]
Subject: [ldap] Re: multiple cn

Hi,

I have a question regarding LDAP structure and multiple cn of entries.

My context: the directory is used by pam_ldap and freeradius for authentication on computers and network components.

The LDAP directory contains entries like the example below. The important thing is the multiple cn:

    dn: cn=testHost,ou=hosts,dc=company,dc=net
    cn: testHost
    cn: 10.0.0.252
    uniqueMember: uid=MyUser,uid=test01,ou=users,dc=company,dc=net
    objectClass: top
    objectClass: groupOfUniqueNames
    objectClass: extensibleObject
    associatedDomain: exploitation

but pam_ldap is configured to search a member in a directory entry with the following request on the host 10.0.0.252:

    pam_member_attribute uniqueMember
    pam_groupdn cn=10.0.0.252,ou=hosts,dc=company,dc=net

And it doesn't work. Apparently it searches the cn in the dn and does not find on the criteria of the secondary cn.

Is it a normal way of working? I thought a cn inside an entry would work either with requests like:

    cn=testHost,ou=hosts,dc=company,dc=net

or

    cn=10.0.0.252,ou=hosts,dc=company,dc=net

Is it a solution to make it work like that? Maybe in adding an alias from one to the other dn, but it's extra processing/constraints on the directory.

In this case, I think I need alias dereferencing?

Thanks for your help

Chris
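
An added example, not part of the original thread: a small Python model of the entry above, showing that addressing an entry by DN ignores its additional cn value, while a search filter on cn finds the entry and returns its real DN. The in-memory directory and the helper names (norm_dn, read_entry, search, is_member) are constructed for illustration and are not pam_ldap's code.

```python
# Constructed in-memory model of the entry from the thread (not pam_ldap code).
def norm_dn(dn):
    """Simplified DN normalisation: trim and lowercase each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

HOST_DN = "cn=testHost,ou=hosts,dc=company,dc=net"
USER_DN = "uid=MyUser,uid=test01,ou=users,dc=company,dc=net"
DIRECTORY = {
    norm_dn(HOST_DN): {
        "dn": HOST_DN,
        "cn": ["testHost", "10.0.0.252"],
        "uniqueMember": [USER_DN],
        "objectClass": ["top", "groupOfUniqueNames", "extensibleObject"],
    },
}

def read_entry(dn):
    """Address an entry by its DN; attribute values play no part here."""
    return DIRECTORY.get(norm_dn(dn))  # None models "no such object"

def search(base, attr, value):
    """Subtree search on an attribute value; returns the DNs of matching entries."""
    suffix = norm_dn(base)
    return [e["dn"] for key, e in DIRECTORY.items()
            if (key == suffix or key.endswith("," + suffix))
            and value.lower() in (v.lower() for v in e.get(attr, []))]

def is_member(group_dn, member_attr, user_dn):
    """Membership check against a configured group DN, as pam_groupdn names one."""
    entry = read_entry(group_dn)
    if entry is None:
        return False  # unknown group DN: deny rather than guess
    return norm_dn(user_dn) in (norm_dn(v) for v in entry.get(member_attr, []))

if __name__ == "__main__":
    by_ip = "cn=10.0.0.252,ou=hosts,dc=company,dc=net"
    print("group DN built from second cn:", is_member(by_ip, "uniqueMember", USER_DN))
    print("group DN of the entry:        ", is_member(HOST_DN, "uniqueMember", USER_DN))
    # A filter on cn does match the second value and reveals the DN to configure.
    print("search (cn=10.0.0.252):       ",
          search("ou=hosts,dc=company,dc=net", "cn", "10.0.0.252"))
```
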
