On Wed, Jul 07, 2004 at 09:00:00PM +0200, Arthur EBEL wrote:
> Hi everybody,
>
> My freeradius operate very well with an openldap directory
>
> All ldap users stored in my basedn="ou=people,ou=personnels,dc=utt,dc=fr"
> can be authenticated.
>
> I would like to add another basedn="ou=students,ou=personnels,dc=utt,dc=fr"
> BUT I don't want to give an access to all my tree dc=utt,dc=fr
>
> How can I set up the LDAP module to do this ?
AFAIK, rlm_ldap cannot work with multiple basedn's.
However, you can use OpenLDAP own ACLs. E.g. in slapd.conf (assuming
you have identity="cn=radius,ou=robots,dc=utt,dc=fr"):
access to dn "ou=people,ou=personnels,dc=utt,dc=fr"
...
by dn="cn=radius,ou=robots,dc=utt,dc=fr" read
access to dn "ou=students,ou=personnels,dc=utt,dc=fr"
...
by dn="cn=radius,ou=robots,dc=utt,dc=fr" read
access to *
by dn="cn=radius,ou=robots,dc=utt,dc=fr" none
(I'm not sure this is totally correct so you should test it yourself.)
Then you can safely use basedn="ou=personnels,dc=utt,dc=fr" for radius.
--
Fduch M. Pravking
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
