> Dear all,
>
> I've an LDAP tree structure as below, to separate ADSL & DIALUP. But I
> encounter one problem: when userA = userB, LDAP will find userA's
> account although it is userB that actually logs in. This may be due to
> the DEFAULT sequence in the users file.
>
> Any idea to solve this? Thanks.
>
>
>                ou=AAA
>                  |
>                  |
>        ----------------------------------
>        |                                |
>     ou=ADSL                          ou=DIALUP
>
> dn: uid=userA,ou=ADSL,ou=AAA ...       dn: uid=userB,ou=DIALUP,ou=AAA....
> serviceflag: ADSL                      serviceflag: DIALUP
>
I'm curious as to why you've structured it that way? It seems to me that you would want one tree for users and then define what services the users have in their profile. That way a user can be both ADSL and dial without having to be present in both trees. Rather than creating a new tree for each service, it makes more sense to define your tree based on users. Then each service they have access to is merely an attribute of that user. Imagine what it will look like if you try to scale that and add 10 different services such as FTP, webhosting, portal logins, VPN, etc...

The ldap_howto.txt doc explains how you can do this, but here is a summary.

dn: uid=user1,ou=radius,dc=yourdomain
uid: user1
objectclass: radiusprofile
userpassword: pass
radiusgroupname: dial
radiusgroupname: adsl

dn: uid=user2,ou=radius,dc=yourdomain
uid: user2
objectclass: radiusprofile
userpassword: pass
radiusgroupname: dial
radiusgroupname: vpn

Then you need something to determine if this is coming from a dial NAS, ADSL NAS, VPN NAS, etc... Usually you can use NAS-IP-Address or NAS-Port-Type or something along those lines. Say you had two dial NAS and one ADSL NAS.

In huntgroups:

dial    NAS-IP-Address == 10.0.0.1
dial    NAS-IP-Address == 10.0.0.2
adsl    NAS-IP-Address == 10.0.0.3

In users:

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial
DEFAULT Huntgroup-Name == adsl, Ldap-Group == adsl
DEFAULT Auth-Type := Reject

The config above would do the following:

1. If the access-request comes from your dial NAS, check to see if the user has radiusgroupname: dial. If so, authorize. If not, reject.
2. If the access-request comes from your ADSL NAS, check to see if the user has radiusgroupname: adsl. If so, authorize. If not, reject.

I think you'd be much happier with a format like that, especially if there is any chance that you might start adding new services.

-Dusty

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
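The following is an added example, not code from the thread or from FreeRADIUS: a small in-memory model of the two LDAP layouts discussed above. It shows why a single search under ou=AAA returns the wrong entry when the same uid exists under both ou=ADSL and ou=DIALUP (the first hit is used, regardless of who is really logging in), and how the one-tree layout with a multi-valued radiusgroupname, combined with the huntgroups and users entries from the reply, selects the right service per NAS. All entries, passwords and NAS addresses are constructed for illustration, the users-file matching is a deliberate simplification of what rlm_ldap and the files module actually do, and nothing here talks to a live LDAP or RADIUS server.

```python
# Added example (not part of the thread): in-memory model of the two LDAP
# layouts. Directory entries, passwords and NAS addresses are constructed;
# the users-file semantics are simplified (first DEFAULT whose check items
# all match wins, otherwise the trailing "DEFAULT Auth-Type := Reject").

# Directory modelled as an ordered list of (dn, attributes). Search results
# come back in stored order and the RADIUS side uses the first hit, which is
# exactly the problem the original poster ran into with duplicate uids.
PER_SERVICE_TREE = [
    ("uid=alice,ou=ADSL,ou=AAA",
     {"uid": ["alice"], "userpassword": ["adsl-secret"], "serviceflag": ["ADSL"]}),
    ("uid=alice,ou=DIALUP,ou=AAA",
     {"uid": ["alice"], "userpassword": ["dial-secret"], "serviceflag": ["DIALUP"]}),
]

# The layout recommended in the reply: one tree, services as attribute values.
FLAT_TREE = [
    ("uid=user1,ou=radius,dc=yourdomain",
     {"uid": ["user1"], "userpassword": ["pass"], "radiusgroupname": ["dial", "adsl"]}),
    ("uid=user2,ou=radius,dc=yourdomain",
     {"uid": ["user2"], "userpassword": ["pass"], "radiusgroupname": ["dial", "vpn"]}),
]

# huntgroups file from the reply: NAS-IP-Address -> Huntgroup-Name
HUNTGROUPS = {"10.0.0.1": "dial", "10.0.0.2": "dial", "10.0.0.3": "adsl"}

# users file from the reply, as (Huntgroup-Name, Ldap-Group) check-item pairs.
# The final "DEFAULT Auth-Type := Reject" is the fall-through after the loop.
USERS_DEFAULTS = [("dial", "dial"), ("adsl", "adsl")]


def ldap_search(tree, base, uid):
    """Subtree search for (uid=<uid>) under base, returned in server order."""
    return [(dn, attrs) for dn, attrs in tree
            if dn.endswith("," + base) and uid in attrs.get("uid", [])]


def per_service_auth(username, password):
    """Original layout: one search under ou=AAA, first hit wins."""
    hits = ldap_search(PER_SERVICE_TREE, "ou=AAA", username)
    if not hits:
        return ("Reject", "no such user")
    dn, attrs = hits[0]  # with duplicate uids this is always the ou=ADSL entry
    if password not in attrs["userpassword"]:
        return ("Reject", "bad password against " + dn)
    return ("Accept", attrs["serviceflag"][0])


def flat_auth(username, password, nas_ip):
    """Reply's layout: Huntgroup-Name from NAS-IP-Address, Ldap-Group from radiusgroupname."""
    hits = ldap_search(FLAT_TREE, "ou=radius,dc=yourdomain", username)
    if not hits:
        return ("Reject", "no such user")
    dn, attrs = hits[0]
    huntgroup = HUNTGROUPS.get(nas_ip)  # None for a NAS not listed in huntgroups
    groups = attrs.get("radiusgroupname", [])
    # Walk the DEFAULT entries in file order; the first one whose check items
    # all match is used. If none matches, the final DEFAULT rejects.
    for hg, ldap_group in USERS_DEFAULTS:
        if hg == huntgroup and ldap_group in groups:
            if password not in attrs["userpassword"]:
                return ("Reject", "bad password")
            return ("Accept", ldap_group)
    return ("Reject", "no DEFAULT matched: Auth-Type := Reject")


if __name__ == "__main__":
    print(per_service_auth("alice", "dial-secret"))  # dial customer rejected
    print(flat_auth("user1", "pass", "10.0.0.3"))    # adsl, via the ADSL NAS
    print(flat_auth("user2", "pass", "10.0.0.3"))    # user2 has no adsl group
```

Running it, the dial-up "alice" is rejected because the search under ou=AAA hands back the ou=ADSL entry first and her password is checked against that one, while in the flat layout user1 is accepted as dial from 10.0.0.1 and as adsl from 10.0.0.3, and user2 is rejected from the ADSL NAS and from any NAS that is not in huntgroups.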