I've configured my server to successfully authenticate against AD using my ldap module.
However, my users are in multiple OUs, and I can only specify one basedn at a time. I know that's probably not good directory structure, but I don't manage our directory. What approach do others use to search multiple basedns?

In case it would help, here are the relevant portions from my ldap module, which is currently working (I've removed most comments to make it concise):

ldap {
    server = xxx
    identity = "cn=ldapuser,ou=service accounts,dc=cphc,dc=local"
    password = xxx
    basedn = "dc=cphc,dc=local"
    ***This doesn't work without a specific OU. My users are in multiple OUs***
    #basedn = "OU=CHA-Staff (No Folder Redir),DC=cphc,DC=local"
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(member=%{check:Ldap-UserDn})"
    groupmembership_attribute = member
    #compare_check_items = yes
    #do_xlat = yes
    access_attr_used_for_allow = yes
}

One thing that confuses me is that ldapsearch works fine using basedn="dc=cphc,dc=local".

And my error output:

[ldap] performing user authorization for jpjohnson
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=jpjohnson)
[ldap] expand: dc=cphc,dc=local -> dc=cphc,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to tch-nt2.cphc.local:389, authentication 0
rlm_ldap: bind as cn=ldapuser,ou=service accounts,dc=cphc,dc=local/xxx to tch-nt2.cphc.local:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=cphc,dc=local, with filter (sAMAccountName=jpjohnson)
rlm_ldap: ldap_search() failed: Operations error
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail

-Jeff
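An added illustration, not FreeRADIUS or rlm_ldap code, of the lookup the post asks about: try each OU base DN in turn for the sAMAccountName filter, deduplicate hits from overlapping bases, and refuse an ambiguous match. The directory backend is a callable, here a constructed in-memory stand-in (the entries, the "Clinic Staff" OU and the fake_search/FAKE_DIRECTORY names are assumptions), and the login name is RFC 4515-escaped before it goes into the filter, which is the same concern as the filter line in the config above.

```python
import re
from typing import Callable, Iterable, List, Optional

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def build_filter(username: str) -> str:
    return "(sAMAccountName=%s)" % escape_filter_value(username)

# search(base_dn, filter) -> list of matching entry DNs, subtree scope
SearchFn = Callable[[str, str], List[str]]

def find_user_dn(search: SearchFn, base_dns: Iterable[str], username: str) -> Optional[str]:
    """Search each base DN in order and return the single matching entry DN.
    Overlapping bases can return the same entry twice, so hits are deduplicated;
    two distinct entries for one login name are refused rather than guessed."""
    flt = build_filter(username)
    found: List[str] = []
    for base in base_dns:
        for dn in search(base, flt):
            if dn.lower() not in (f.lower() for f in found):
                found.append(dn)
    if len(found) > 1:
        raise LookupError("ambiguous login %r: %s" % (username, found))
    return found[0] if found else None

# Constructed in-memory directory standing in for AD (assumption, not real data).
FAKE_DIRECTORY = {
    "CN=jpjohnson,OU=CHA-Staff (No Folder Redir),DC=cphc,DC=local": "jpjohnson",
    "CN=asmith,OU=Clinic Staff,DC=cphc,DC=local": "asmith",
    "CN=svc-radius,OU=Service Accounts,DC=cphc,DC=local": "svc-radius",
}

def fake_search(base_dn: str, ldap_filter: str) -> List[str]:
    """Subtree search: entry DN ends with the base (case-insensitive) and the
    sAMAccountName equals the (unescaped) filter value."""
    m = re.fullmatch(r"\(sAMAccountName=(.*)\)", ldap_filter)
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return [dn for dn, sam in FAKE_DIRECTORY.items()
            if dn.lower().endswith("," + base_dn.lower()) and sam == wanted]

OU_BASES = ["OU=CHA-Staff (No Folder Redir),DC=cphc,DC=local",
            "OU=Clinic Staff,DC=cphc,DC=local"]

if __name__ == "__main__":
    print(find_user_dn(fake_search, OU_BASES, "jpjohnson"))
    # An injected name is escaped into a literal value and simply finds nothing.
    print(find_user_dn(fake_search, OU_BASES, "jpjohnson)(sAMAccountName=*"))
```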
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html