Problem with LDAP group searches

Dustin Doris freeradius at mail.doris.cc
Mon Jun 20 15:44:04 CEST 2005


> >> rlm_ldap: Entering ldap_groupcmp() radius_xlat:  'ou=mem
> >> users,dc=mem-ins,dc=com' radius_xlat:
> >> '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
> >> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
> >> Users,DC=mem-ins,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mem
> >> users,dc=mem-ins,dc=com, with filter
> >> (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
> >> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
> >> Users,DC=mem-ins,DC=com)))) rlm_ldap: object not found or got ambiguous
> >> search result rlm_ldap: ldap_release_conn: Release Id: 0
> >> rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a
> >> member.
> >>     users: Matched DEFAULT at 166
> >
> >The user was not found in that group, based on the lookup above.
>
> The user is a member of the MEMVPNFlex group in AD
>

Above is what your ldapsearch looks like and it didn't find the user in
that group.  You need to modify the group search syntax to the point where
it will find your user in the group.  Or if the user you are binding with
doesn't have read access on the groups, you need to assign it to that
user.

For example, if you were using ldapsearch from the command line, how would
you search for group members?  Does running that search above from the
command line, binding with the same user, find the user in the group?

I don't have access to an AD directory right now to get a view into their
ldap implementation and see what groups look like.  But you should view
the AD directory with some kind of ldap viewer and take a look at the
groups.  Perhaps the objectclass is wrong and AD doesn't use GroupOfNames?
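An added example (not from this thread or from FreeRADIUS itself), in Python: it rebuilds the filter shown in the rlm_ldap debug output above and evaluates the same logic offline against a constructed in-memory group, so you can see why a group stored the way AD stores it (objectClass "group" with a "member" attribute; an assumption, not stated in the thread) never matches the stock GroupOfNames/GroupOfUniqueNames pairs until that pair is added. All function and variable names are hypothetical.

```python
# RFC 4515 escaping for a value placed inside an LDAP filter assertion.
def ldap_filter_escape(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


# (objectClass, membership attribute) pairs. The first two are what the thread's
# rlm_ldap debug output shows; AD groups instead carry objectClass "group" with
# a "member" attribute (assumption: the thread does not state this).
STOCK_PAIRS = [("GroupOfNames", "member"), ("GroupOfUniqueNames", "uniquemember")]
AD_PAIRS = STOCK_PAIRS + [("group", "member")]


def group_filter(group_cn: str, user_dn: str, pairs=STOCK_PAIRS) -> str:
    """Build the search filter rlm_ldap runs: group cn AND any (objectClass, member) pair."""
    dn = ldap_filter_escape(user_dn)
    alts = "".join(f"(&(objectClass={oc})({attr}={dn}))" for oc, attr in pairs)
    return f"(&(cn={ldap_filter_escape(group_cn)})(|{alts}))"


def _values(entry: dict, attr: str) -> list:
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def is_member(entries: list, group_cn: str, user_dn: str, pairs=STOCK_PAIRS) -> bool:
    """Evaluate the same filter logic against in-memory group entries.
    DNs are compared case-insensitively after trimming, a simplification of
    real DN matching that is enough to show why the search comes back empty."""
    want = user_dn.strip().lower()
    for entry in entries:
        if group_cn.lower() not in (v.lower() for v in _values(entry, "cn")):
            continue
        classes = {v.lower() for v in _values(entry, "objectClass")}
        for oc, attr in pairs:
            members = (v.strip().lower() for v in _values(entry, attr))
            if oc.lower() in classes and want in members:
                return True
    return False


# Constructed sample directory: the group from the thread, modelled the way AD
# stores it (objectClass "group"), so the stock filter never matches it.
USER_DN = "CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com"
SAMPLE_GROUPS = [
    {"cn": ["MEMVPNFlex"], "objectClass": ["top", "group"], "member": [USER_DN]},
]

if __name__ == "__main__":
    print(group_filter("MEMVPNFlex", USER_DN))
    print("stock pairs find user:", is_member(SAMPLE_GROUPS, "MEMVPNFlex", USER_DN))
    print("with AD pair added:   ", is_member(SAMPLE_GROUPS, "MEMVPNFlex", USER_DN, AD_PAIRS))
```

The filter the first print produces is identical to the one in the debug output above, which is the string to paste into a command-line ldapsearch bound as the same user.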
