How about setting up 2 ldap modules?

ldap people {
        ...
}

ldap students {
        ...
}

Not sure if this would do it, just a suggestion.


On Wed, 7 Jul 2004, Alexander M. Pravking wrote:

On Wed, Jul 07, 2004 at 09:00:00PM +0200, Arthur EBEL wrote:
Hi everybody,

My freeradius operates very well with an openldap directory.

All ldap users stored in my basedn="ou=people,ou=personnels,dc=utt,dc=fr"
can be authenticated.

I would like to add another basedn="ou=students,ou=personnels,dc=utt,dc=fr"
BUT I don't want to give access to my whole tree dc=utt,dc=fr.

How can I set up the LDAP module to do this?

AFAIK, rlm_ldap cannot work with multiple basedn's.

However, you can use OpenLDAP's own ACLs. E.g. in slapd.conf (assuming
you have identity="cn=radius,ou=robots,dc=utt,dc=fr"):

access to dn "ou=people,ou=personnels,dc=utt,dc=fr"
        ...
        by dn="cn=radius,ou=robots,dc=utt,dc=fr" read
access to dn "ou=students,ou=personnels,dc=utt,dc=fr"
        ...
        by dn="cn=radius,ou=robots,dc=utt,dc=fr" read
access to *
        by dn="cn=radius,ou=robots,dc=utt,dc=fr" none

(I'm not sure this is totally correct so you should test it yourself.)
Then you can safely use basedn="ou=personnels,dc=utt,dc=fr" for radius.


-- Fduch M. Pravking

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-Mike

==================================
Network Engineer
Pathway Internet Services
616.774.3131
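A fuller version of the ACL approach quoted above, added here as an example and not taken from either poster's configuration. It keeps the thread's DNs (cn=radius,ou=robots,dc=utt,dc=fr as the rlm_ldap bind identity, the two ou= subtrees under ou=personnels) and assumes OpenLDAP 2.1 or later, where the access clause accepts the dn.subtree / dn.exact / dn.base styles. The explicit dn.subtree style matters: the goal is read access to the user entries beneath each ou, not just to the ou entry itself. The userPassword clause and the "by users read" fallbacks are assumptions standing in for whatever the site already grants to ordinary users; the search clause on the base entry is there so that a subtree search from basedn="ou=personnels,dc=utt,dc=fr" can start at all while the radius account still sees nothing else in that container.

```conf
# Added example (not from the thread): slapd.conf ACLs that restrict the
# FreeRADIUS bind DN to two subtrees.  Clauses are evaluated in order and
# the first "access to" whose <what> matches the entry wins, so the most
# specific clauses come first and the catch-all "access to *" comes last.

# 1. Password attribute.  Users may change their own, anyone may bind
#    (auth) against it, and nobody - including the radius account - can
#    read the hashes back.  Assumed site policy.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The two subtrees rlm_ldap is allowed to search and read.
#    dn.subtree covers the ou entry and everything beneath it;
#    dn.exact names only the radius service account.
access to dn.subtree="ou=people,ou=personnels,dc=utt,dc=fr"
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
        by users read
        by * none

access to dn.subtree="ou=students,ou=personnels,dc=utt,dc=fr"
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
        by users read
        by * none

# 3. The search base itself.  A subtree search rooted at ou=personnels
#    needs search access on that one entry; "search" does not let the
#    account read other children of ou=personnels.
access to dn.base="ou=personnels,dc=utt,dc=fr"
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" search
        by users read
        by * none

# 4. Everything else under dc=utt,dc=fr: the radius account gets nothing.
access to *
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" none
        by users read
        by * none
```

After restarting slapd, check the result from the radius account's point of view rather than trusting the file: bind with ldapsearch as cn=radius,ou=robots,dc=utt,dc=fr with base ou=personnels,dc=utt,dc=fr and confirm that entries from both ou=people and ou=students come back, then repeat with the base set to an unrelated container (or to dc=utt,dc=fr) and confirm that nothing outside the two subtrees is returned. Also confirm that a user bind still works, since simple binds depend on the anonymous auth clause on userPassword.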

