Re: Question about Freeradius and LDAP
On Wed, 7 Jul 2004, Arthur EBEL wrote:

> Hi everybody,
>
> My freeradius operates very well with an openldap directory. All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated.
>
> I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give access to all my tree dc=utt,dc=fr.
>
> How can I set up the LDAP module to do this?
>
> Here is my radiusd.conf about ldap:
>
>     ldap {
>         server = server.utt.fr
>         basedn = ou=people,ou=personnels,dc=utt,dc=fr
>         filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>         start_tls = no
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         ldap_connections_number = 5
>         password_header = {crypt}
>         password_attribute = userPassword
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>     }
>
> Thx
>
> Arthur EBEL

Use two ldap module instances.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about Freeradius and LDAP
Hi everybody,

My freeradius operates very well with an openldap directory. All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated.

I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give access to all my tree dc=utt,dc=fr.

How can I set up the LDAP module to do this?

Here is my radiusd.conf about ldap:

    ldap {
        server = server.utt.fr
        basedn = ou=people,ou=personnels,dc=utt,dc=fr
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_header = {crypt}
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

Thx

Arthur EBEL
Re: Question about Freeradius and LDAP
On Wed, Jul 07, 2004 at 09:00:00PM +0200, Arthur EBEL wrote:

> Hi everybody,
>
> My freeradius operates very well with an openldap directory. All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated.
>
> I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give access to all my tree dc=utt,dc=fr.
>
> How can I set up the LDAP module to do this?

AFAIK, rlm_ldap cannot work with multiple basedn's. However, you can use OpenLDAP's own ACLs. E.g. in slapd.conf (assuming you have identity=cn=radius,ou=robots,dc=utt,dc=fr):

    access to dn.subtree="ou=people,ou=personnels,dc=utt,dc=fr"
        ...
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read

    access to dn.subtree="ou=students,ou=personnels,dc=utt,dc=fr"
        ...
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read

    access to *
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" none

(I'm not sure this is totally correct so you should test it yourself.)

Then you can safely use basedn=ou=personnels,dc=utt,dc=fr for radius.

--
Fduch M. Pravking
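A fuller version of the ACL approach, added here as an example; it is not part of Alexander's post and not an official FreeRADIUS or OpenLDAP sample. It assumes FreeRADIUS binds as cn=radius,ou=robots,dc=utt,dc=fr (the ldap {} block in the original post sets no identity, so as posted it binds anonymously and would need identity and password lines before any per-DN ACL can apply to it), that ordinary authenticated users keep read access to the tree ("by users read" is an assumption, not something the thread states), and that the userPassword hash must never be readable outside the two OUs. slapd.conf ACLs are evaluated top to bottom: the first "access to" whose target matches the entry and attribute is the one applied, and within it the first matching "by" decides, so the attribute-specific rules come first and the catch-all last.

```text
# slapd.conf excerpt (OpenLDAP 2.1+ dn.subtree / dn.exact syntax).
# Added example, not from the original thread. cn=radius,ou=robots,dc=utt,dc=fr
# is the assumed bind DN used by FreeRADIUS.

# 1. Password hashes: the RADIUS bind DN may read them, but only inside the two
#    subtrees it serves. "self write" and "anonymous auth" are assumed site
#    policy (users change their own password; simple binds can still compare).
access to dn.subtree="ou=people,ou=personnels,dc=utt,dc=fr" attrs=userPassword
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
        by self write
        by anonymous auth
        by * none

access to dn.subtree="ou=students,ou=personnels,dc=utt,dc=fr" attrs=userPassword
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
        by self write
        by anonymous auth
        by * none

# 2. Anywhere else the hash is returned to nobody. "auth" only lets a simple
#    bind (including cn=radius's own bind) be compared against it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 3. The search base FreeRADIUS will use. The bind DN needs search access on
#    the base entry itself for a subtree search starting there to proceed,
#    even though no user entries live directly under it.
access to dn.base="ou=personnels,dc=utt,dc=fr" attrs=entry
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" search
        by users read

# 4. The two subtrees: readable, and therefore also searchable with the
#    (uid=...) filter, by the RADIUS bind DN.
access to dn.subtree="ou=people,ou=personnels,dc=utt,dc=fr"
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
        by users read

access to dn.subtree="ou=students,ou=personnels,dc=utt,dc=fr"
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
        by users read

# 5. Everything else under dc=utt,dc=fr is invisible to the RADIUS bind DN.
#    Entries it may not search are silently left out of its results, so
#    rlm_ldap gets "not found" for any uid that lives outside the two OUs.
access to *
        by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" none
        by users read
        by * none
```

Test it from the radius host before pointing FreeRADIUS at it: ldapsearch -x -D "cn=radius,ou=robots,dc=utt,dc=fr" -W -b "ou=personnels,dc=utt,dc=fr" "(uid=someone)" should return the entry, userPassword included, for a uid in ou=people or ou=students, and nothing at all (not an error, an empty result) for a uid anywhere else in dc=utt,dc=fr. Only then switch basedn in radiusd.conf to ou=personnels,dc=utt,dc=fr. If slapd reports no such object or insufficient access for the empty case, it is usually clause 3 (search access on the base entry) that is missing.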
Re: Question about Freeradius and LDAP
How about setting up 2 ldap modules?

    ldap people {
        ...
    }

    ldap students {
        ...
    }

Not sure if this would do it, just a suggestion.

On Wed, 7 Jul 2004, Alexander M. Pravking wrote:

> On Wed, Jul 07, 2004 at 09:00:00PM +0200, Arthur EBEL wrote:
>
> > Hi everybody,
> >
> > My freeradius operates very well with an openldap directory. All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated.
> >
> > I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give access to all my tree dc=utt,dc=fr.
> >
> > How can I set up the LDAP module to do this?
>
> AFAIK, rlm_ldap cannot work with multiple basedn's. However, you can use OpenLDAP's own ACLs. E.g. in slapd.conf (assuming you have identity=cn=radius,ou=robots,dc=utt,dc=fr):
>
>     access to dn.subtree="ou=people,ou=personnels,dc=utt,dc=fr"
>         ...
>         by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
>
>     access to dn.subtree="ou=students,ou=personnels,dc=utt,dc=fr"
>         ...
>         by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" read
>
>     access to *
>         by dn.exact="cn=radius,ou=robots,dc=utt,dc=fr" none
>
> (I'm not sure this is totally correct so you should test it yourself.)
>
> Then you can safely use basedn=ou=personnels,dc=utt,dc=fr for radius.
>
> --
> Fduch M. Pravking

-Mike
==
Network Engineer
Pathway Internet Services
616.774.3131
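The two-instance suggestion written out in full, as an added example rather than code from Mike's post or from the FreeRADIUS project. The instance names ldap_people and ldap_students, the bind identity cn=radius,ou=robots,dc=utt,dc=fr and its password are assumptions; every other option is copied from the ldap {} block in the original post. The point of the pattern is that each instance searches only its own subtree, so nothing outside ou=people and ou=students is ever consulted, with no directory-side ACL change required.

```text
# radiusd.conf (FreeRADIUS 1.x syntax). Added example, not from the thread.
modules {
        # Staff accounts: searched only below ou=people.
        ldap ldap_people {
                server = "server.utt.fr"
                # Bind DN and password are assumptions; the posted block has
                # neither and therefore binds anonymously.
                identity = "cn=radius,ou=robots,dc=utt,dc=fr"
                password = "change-me"
                basedn = "ou=people,ou=personnels,dc=utt,dc=fr"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_header = "{crypt}"
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

        # Student accounts: identical except for the search base.
        ldap ldap_students {
                server = "server.utt.fr"
                identity = "cn=radius,ou=robots,dc=utt,dc=fr"
                password = "change-me"
                basedn = "ou=students,ou=personnels,dc=utt,dc=fr"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_header = "{crypt}"
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}

authorize {
        preprocess
        # Listed one after the other. An instance whose subtree does not hold
        # the uid returns "notfound", which does not end the section, so the
        # next instance is tried; an "ok" from an earlier instance is kept.
        ldap_people
        ldap_students
}

# authenticate {} is unchanged: the {crypt} hash pulled in during authorize is
# compared by the server exactly as in the single-instance setup.
```

Two things to check before relying on it. First, do not wrap the pair in redundant { ... }: redundant only moves on to the next module when the previous one returned fail, not notfound, so a user in ou=students would be rejected without ever being looked up there. Second, the pattern assumes a uid exists in at most one of the two OUs; if the same uid is present in both, both instances match, both sets of attributes land in the request, and which password hash gets compared is not something to leave to chance, so enforce uid uniqueness across the two subtrees in the directory.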