Okay, I want RADIUS to look at two trees in LDAP: one tree for dial-up, one tree for DSL (so a user with a static IP in DSL gets a dynamic IP in dial-up).

My huntgroups file is like this:

dial    ip1
dial    ip2
dial    ip on local box for testing

dsl     ip3
dsl     ip4
dsl     ip on local box for testing

with the IP on the local box commented out on the one I'm not testing.

My users file is like so (at least, the two lines I'm testing with):

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=people,dc=mtaonline,dc=net`
        Fall-Through = no

DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=dsl,dc=mtaonline,dc=net`
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the help desk."

My LDAP config in radiusd.conf is as follows:

        ldap {
                server = "private ip"
                identity = "cn=Manager,dc=mtaonline,dc=net"
                password = somepassword
                basedn = "ou=people,dc=mtaonline,dc=net"
                #basedn = "dc=mtaonline,dc=net"

                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                base_filter = "(objectclass=radiusprofile)"
                start_tls = no
                tls_mode = no
                # this maps LDAP attribute types to RADIUS attributes
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_cache_timeout = 120
                ldap_cache_size = 0
                ldap_connections_number = 10
                #password_header = {clear}
                password_attribute = userPassword
                groupname_attribute = radiusGroupName
                groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
                groupmembership_attribute = radiusGroupName
                timeout = 3
                timelimit = 5
                net_timeout = 1
                compare_check_items = no
        }

If I test with a user in the tree listed in basedn, it works. If I test with a user in a different tree, it fails. If I try a basedn one level up (so I can go down both trees), both users receive an Auth-Reject with "Please call the help desk." In radiusd -X the reason is that LDAP is finding multiple entries for the user (in two or more trees).

I've gone through the documentation multiple times (and feel like I'm missing something). What am I doing wrong? Or is there no way to do what I'm trying to do?

I suppose it comes down to this: is there a way to redefine the basedn in either huntgroups or on a DEFAULT line in the users file, so the search comes up with a single user?

Thanks for your help,
t-

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
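The failure the post describes, modelled as an added example in Python (this is not code from the original post or from FreeRADIUS). It runs the post's own lookup, a subtree search for (uid=<user>) under a base DN, over a constructed LDIF holding the same uid in both ou=people and ou=dsl, and applies the "exactly one entry" rule: with basedn one level up the search returns two entries and the lookup cannot pick a user, while a per-huntgroup base returns exactly one. The sample entries, the HUNTGROUP_BASE table and all function names are this example's assumptions; rlm_ldap is modelled only as far as the post describes it. The filter-escaping helper is included because any code that substitutes a username into an LDAP filter needs it: an unescaped username of "*" turns "(uid=*)" into a match for every entry.

```python
"""Toy model of the post's rlm_ldap user lookup: subtree search for
(uid=<user>) under a base DN, with the 'exactly one entry' requirement.
Constructed sample data; not FreeRADIUS code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: one uid present in both trees from the post.
SAMPLE_LDIF = """\
dn: uid=terry,ou=people,dc=mtaonline,dc=net
objectClass: radiusprofile
uid: terry
radiusGroupName: dial

dn: uid=terry,ou=dsl,dc=mtaonline,dc=net
objectClass: radiusprofile
uid: terry
radiusGroupName: dsl8m

dn: uid=alice,ou=people,dc=mtaonline,dc=net
objectClass: radiusprofile
uid: alice
radiusGroupName: dial
"""

# Assumed mapping from Huntgroup-Name to search base (the example's own table,
# not a FreeRADIUS setting): the per-tree base the post is asking for.
HUNTGROUP_BASE = {
    "dial": "ou=people,dc=mtaonline,dc=net",
    "dsl": "ou=dsl,dc=mtaonline,dc=net",
}


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: 'dn:' opens an entry, 'attr: value' lines follow,
    a blank line closes it. No folding or base64 (enough for the sample)."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for line in text.splitlines():
        if not line.strip():
            cur = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur = Entry(value)
            entries.append(cur)
        elif cur is not None:
            cur.attrs.setdefault(name, []).append(value)
    return entries


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Split a DN into (type, value) RDNs, case-folded and trimmed.
    Assumes no escaped commas in the DN (true for the sample data)."""
    rdns = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return tuple(rdns)


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """Scope 'sub': the entry's RDN list must end with the base's RDN list."""
    ent, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(ent) >= len(base) and ent[len(ent) - len(base):] == base


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so a
    username like '*' or 'x)(uid=*' is matched literally, never as syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def compile_uid_filter(filter_str: str) -> "re.Pattern[str]":
    """Compile a '(uid=<pattern>)' filter: '*' is a substring wildcard and
    '\\XX' hex escapes are literal characters, as in a real LDAP filter."""
    m = re.fullmatch(r"\(uid=(.*)\)", filter_str)
    if not m:
        raise ValueError("only (uid=...) filters are modelled here")
    parts = []
    for piece in m.group(1).split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda h: chr(int(h.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return re.compile(".*".join(parts), re.IGNORECASE)


def search(entries: List[Entry], base_dn: str, filter_str: str) -> List[Entry]:
    """Subtree search: entries under base_dn whose uid matches the filter."""
    pat = compile_uid_filter(filter_str)
    return [e for e in entries if in_subtree(e.dn, base_dn)
            and any(pat.fullmatch(v) for v in e.attrs.get("uid", []))]


def lookup_user(entries: List[Entry], base_dn: str, username: str):
    """The post's rule: the search must yield exactly one entry. Two hits is
    the ambiguous result the post saw in radiusd -X; zero is 'not found'."""
    hits = search(entries, base_dn, "(uid=%s)" % escape_filter_value(username))
    if len(hits) == 1:
        return ("ok", hits[0].dn)
    if not hits:
        return ("notfound", None)
    return ("multiple", [e.dn for e in hits])


def lookup_for_huntgroup(entries: List[Entry], huntgroup: str, username: str):
    """Pick the search base from the Huntgroup-Name before searching."""
    base = HUNTGROUP_BASE.get(huntgroup)
    if base is None:
        return ("reject", "unknown huntgroup %s" % huntgroup)
    return lookup_user(entries, base, username)


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    print("one base, both trees:", lookup_user(tree, "dc=mtaonline,dc=net", "terry"))
    print("dial huntgroup:      ", lookup_for_huntgroup(tree, "dial", "terry"))
    print("dsl huntgroup:       ", lookup_for_huntgroup(tree, "dsl", "terry"))
    print("escaped '*':         ", lookup_user(tree, "dc=mtaonline,dc=net", "*"))
    print("raw (uid=*) hits:    ", len(search(tree, "dc=mtaonline,dc=net", "(uid=*)")))
```

Running it shows the "multiple" result for the parent base and an "ok" result for each huntgroup's own base; the last two lines show why the username must be escaped before it is substituted into the filter, since the raw "(uid=*)" matches all three entries while the escaped form matches nothing.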
