Re: Question about Freeradius and LDAP

2004-07-08 Thread Kostas Kalevras
On Wed, 7 Jul 2004, Arthur EBEL wrote:

 Hi everybody,

 My freeradius operates very well with an openldap directory.

 All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr
 can be authenticated.

 I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr
 BUT I don't want to give an access to all my tree dc=utt,dc=fr

 How can I set up the LDAP module to do this?

 Here is the ldap section of my radiusd.conf:

   ldap {
           server = server.utt.fr
           basedn = ou=people,ou=personnels,dc=utt,dc=fr
           filter = (uid=%{Stripped-User-Name:-%{User-Name}})
           start_tls = no
           dictionary_mapping = ${raddbdir}/ldap.attrmap
           ldap_connections_number = 5
           password_header = {crypt}
           password_attribute = userPassword
           timeout = 4
           timelimit = 3
           net_timeout = 1
   }

 Thx

Use two ldap module instances.


 Arthur EBEL



 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Question about Freeradius and LDAP

2004-07-07 Thread Arthur EBEL
Hi everybody,
My freeradius operates very well with an openldap directory.
All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr 
can be authenticated.

I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr 
BUT I don't want to give an access to all my tree dc=utt,dc=fr

How can I set up the LDAP module to do this?
Here is the ldap section of my radiusd.conf:
ldap {
        server = server.utt.fr
        basedn = ou=people,ou=personnels,dc=utt,dc=fr
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_header = {crypt}
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
Thx
Arthur EBEL



Re: Question about Freeradius and LDAP

2004-07-07 Thread Alexander M. Pravking
On Wed, Jul 07, 2004 at 09:00:00PM +0200, Arthur EBEL wrote:
 Hi everybody,
 
 My freeradius operates very well with an openldap directory.
 
 All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr 
 can be authenticated.
 
 I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr 
 BUT I don't want to give an access to all my tree dc=utt,dc=fr
 
 How can I set up the LDAP module to do this?

AFAIK, rlm_ldap cannot work with multiple basedn's.

However, you can use OpenLDAP's own ACLs. E.g. in slapd.conf (assuming
you have identity=cn=radius,ou=robots,dc=utt,dc=fr):

access to dn ou=people,ou=personnels,dc=utt,dc=fr
...
by dn=cn=radius,ou=robots,dc=utt,dc=fr read
access to dn ou=students,ou=personnels,dc=utt,dc=fr
...
by dn=cn=radius,ou=robots,dc=utt,dc=fr read
access to *
by dn=cn=radius,ou=robots,dc=utt,dc=fr none

(I'm not sure this is totally correct so you should test it yourself.)
Then you can safely use basedn=ou=personnels,dc=utt,dc=fr for radius.


-- 
Fduch M. Pravking

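Alexander's ACL skeleton above, written out in slapd.conf syntax as an added example (this is not his text nor the utt.fr configuration). The bind identity cn=radius,ou=robots,dc=utt,dc=fr is the one he assumes; the "by * read" fallbacks for everybody else are my assumption and stand in for whatever policy the directory already has. slapd evaluates "access to" clauses in order and applies the first one whose target matches the entry and attribute, so the specific rules come before the catch-all.

```conf
# slapd.conf ACL fragment (added example, not from the thread).
# Assumes rlm_ldap binds as cn=radius,ou=robots,dc=utt,dc=fr and that
# radiusd.conf is widened to basedn = ou=personnels,dc=utt,dc=fr.

# {crypt} hashes in the two permitted subtrees: readable by the RADIUS
# account (rlm_ldap fetches and compares them itself), writable by the
# owner, usable for simple binds by anyone, hidden from everyone else.
access to dn.subtree="ou=people,ou=personnels,dc=utt,dc=fr" attrs=userPassword
    by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
    by self write
    by anonymous auth
    by * none

access to dn.subtree="ou=students,ou=personnels,dc=utt,dc=fr" attrs=userPassword
    by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
    by self write
    by anonymous auth
    by * none

# The entries themselves and their other attributes (uid is what the
# rlm_ldap filter searches on): read for the RADIUS account, site
# default for others ("read" here is an assumption).
access to dn.subtree="ou=people,ou=personnels,dc=utt,dc=fr"
    by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
    by * read

access to dn.subtree="ou=students,ou=personnels,dc=utt,dc=fr"
    by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
    by * read

# Everything else under dc=utt,dc=fr, including any other OU below
# ou=personnels, is closed to the RADIUS account.
access to *
    by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" none
    by * read
```

Test it from the RADIUS host before changing radiusd.conf, as Alexander also advises: ldapsearch -x -D "cn=radius,ou=robots,dc=utt,dc=fr" -W -b "dc=utt,dc=fr" "(uid=someuser)" should return entries from ou=people and ou=students only. If a search under ou=personnels returns nothing even for a known user, check what access the account has on the search base entry itself, since the catch-all rule above denies it everything outside the two subtrees.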


Re: Question about Freeradius and LDAP

2004-07-07 Thread Mike Sturdee
How about setting up 2 ldap modules?
ldap people {
...
}
ldap students {
...
}
Not sure if this would do it, just a suggestion.
On Wed, 7 Jul 2004, Alexander M. Pravking wrote:
On Wed, Jul 07, 2004 at 09:00:00PM +0200, Arthur EBEL wrote:
Hi everybody,
My freeradius operates very well with an openldap directory.
All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr
can be authenticated.
I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr
BUT I don't want to give an access to all my tree dc=utt,dc=fr
How can I set up the LDAP module to do this?
AFAIK, rlm_ldap cannot work with multiple basedn's.
However, you can use OpenLDAP's own ACLs. E.g. in slapd.conf (assuming
you have identity=cn=radius,ou=robots,dc=utt,dc=fr):
access to dn ou=people,ou=personnels,dc=utt,dc=fr
...
by dn=cn=radius,ou=robots,dc=utt,dc=fr read
access to dn ou=students,ou=personnels,dc=utt,dc=fr
...
by dn=cn=radius,ou=robots,dc=utt,dc=fr read
access to *
by dn=cn=radius,ou=robots,dc=utt,dc=fr none
(I'm not sure this is totally correct so you should test it yourself.)
Then you can safely use basedn=ou=personnels,dc=utt,dc=fr for radius.
--
Fduch M. Pravking
-Mike
==
Network Engineer
Pathway Internet Services
616.774.3131
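Kostas's one-line answer ("use two ldap module instances") and Mike's sketch of ldap people { } / ldap students { } describe the same configuration. Written out as an added example (my text, not any poster's file), reusing the settings from Arthur's radiusd.conf and assuming the FreeRADIUS 1.x configuration syntax of the period: each instance is bound to its own subtree, so the RADIUS account never searches anything else under dc=utt,dc=fr.

```conf
# radiusd.conf fragment (added example, not the original poster's file).
# Two rlm_ldap instances, identical except for basedn.

modules {
    ldap people {
        server = server.utt.fr
        basedn = "ou=people,ou=personnels,dc=utt,dc=fr"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # The thread runs without TLS; the {crypt} hashes then cross the
        # network in clear between server.utt.fr and the RADIUS host.
        # start_tls = yes is the safer choice once the server has a cert.
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_header = {crypt}
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    ldap students {
        server = server.utt.fr
        basedn = "ou=students,ou=personnels,dc=utt,dc=fr"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_header = {crypt}
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}

authorize {
    preprocess
    # List both instances directly. In authorize a "notfound" from one
    # instance falls through to the next and does not override an "ok"
    # from the other; only if neither finds the user does the section end
    # in notfound and the request get rejected.
    # Do not wrap them in redundant { }: that block stops on notfound and
    # only moves to the next module on "fail", so students would never
    # be asked about a user missing from people.
    people
    students
}
```

Start radiusd -X and send one request for a user from each OU; the debug output names the instance whose search matched, and a user placed anywhere else under dc=utt,dc=fr must be rejected by both.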