meeting-room-booking-system / mrbs-code

MRBS application code

LDAP auth problem with multiple OU #805

Closed jberanek closed 1 year ago

jberanek commented 18 years ago

If I want to authenticate against my LDAP server, that config works:

$ldap_base_dn = "ou=First,o=SPGS,c=UK";

but this one does NOT:

$ldap_base_dn = "ou=Third,ou=Second,o=SPGS,c=UK";

Also this does NOT work:

$ldap_base_dn = "o=SPGS,c=UK";

Seems like authentication works for a single OU ONLY, but does NOT search down in the tree

Strange?

sebus

Reported by: sebus

Original Ticket: mrbs/support-requests/61 (https://sourceforge.net/p/mrbs/support-requests/61)

jberanek commented 18 years ago

Logged In: YES user_id=71843

Firstly, apologies for the delay in replying.

As far as I know MRBS just queries the LDAP server. If the LDAP server doesn't respond as you'd expect, the configuration isn't correct...

I'm not entirely sure what you're trying to do, this is compounded by my knowledge of LDAP terminology being a little restricted.

Perhaps you could try to explain further what you mean/want to do?

John.

Original comment by: jberanek

jberanek commented 16 years ago

Logged In: YES user_id=2047583 Originator: NO

Hi,

once again a question due to this problem: We have several OUs at our university, so it is very uncomfortable to configure MRBS for all our OUs (think, we have about 200 OUs with daily changes!!). So, if you think about secure aspects in addition, it would be better for LDAP Authentication, if it's possible to search down in all OUs for USER-Entries in LDAP with O=myCompany (only one entry in the config-file and not 200 for all our OUs).

This is what "sebus" also mentioned... Is there any planning due to this problem?

Michael

Original comment by: tscherner

jberanek commented 16 years ago

Logged In: YES user_id=71843 Originator: NO

tscherner:

MRBS always does subtree LDAP searches, so I don't know what your issue is. If you use a base DN that encompasses all your OUs, the LDAP authentication should work.

John.

Original comment by: jberanek

jberanek commented 16 years ago

Logged In: YES user_id=2047583 Originator: NO

Hi John,

thank you for your quick answer. It is good to hear that subtree searching basically works. But which is the right syntax for the config file?

For example: We have subtrees OU=RZSAN, OU=RZ, OU=BIO, OU=UB, OU=ZV et cetera (over 200 OUs). O=UNI-WUERZBURG ?

$ldap_base_dn = "ou=RZ,o=UNI-WUERZBURG"; does work for the single OU=RZ

but which syntax is needed for all OUs?

$ldap_base_dn = "o=UNI-WUERZBURG"; does not work!

I'm searching for something like $ldap_base_dn = "ou=*,o=UNI-WUERZBURG";

I hope you understand what I mean...

Yours Michael

Original comment by: tscherner

jberanek commented 16 years ago

Logged In: YES user_id=71843 Originator: NO

Hmm, I would certainly have expected "o=UNI-WUERZBURG" to have worked. On our AD installation our base DN is "dc=pace,dc=internal", and have OUs scattered all over the place. With the base dn as set above, the LDAP search does find all users...

John.

Original comment by: jberanek
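
For reference, which entries each LDAP search scope (base, one-level, subtree, as defined in RFC 4511) can reach from the base DNs quoted in this thread. This is an added example, not MRBS code and not posted by any participant. The `cn=` entries are constructed, and the helper names (`parse_dn`, `in_scope`, `covered`) are hypothetical. It assumes single-valued RDNs and case-insensitive attribute matching.

```python
# Added illustration of LDAP search scopes; not MRBS code.

def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, leaf first.
    Honours backslash-escaped commas; assumes single-valued RDNs and
    case-insensitive matching (true for ou, o, c, cn, dc)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, scope="sub"):
    """True if entry_dn is a candidate for a search at base_dn with this scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)          # levels below the base DN
    if depth < 0 or entry[depth:] != base:  # entry is not under base_dn at all
        return False
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

# Constructed sample entries placed under the OUs named in the thread.
USERS = [
    r"cn=alice,ou=First,o=SPGS,c=UK",
    r"cn=bob,ou=Third,ou=Second,o=SPGS,c=UK",
    r"cn=Smith\, Carol,ou=Second,o=SPGS,c=UK",
]

def covered(base_dn, scope="sub"):
    """Return the sample entries a search from base_dn could match."""
    return [u for u in USERS if in_scope(u, base_dn, scope)]

if __name__ == "__main__":
    for base in ("ou=First,o=SPGS,c=UK", "ou=Third,ou=Second,o=SPGS,c=UK", "o=SPGS,c=UK"):
        for scope in ("one", "sub"):
            print(f"{base:32} {scope}: {covered(base, scope)}")
```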