No group membership attribute(s) found in user object

Alan DeKok aland at deployingradius.com
Thu Mar 14 22:11:08 CET 2019


On Mar 14, 2019, at 5:00 PM, Boudjoudad Abdelkader <boujoudad at gmail.com> wrote:
> I'm trying to update the post-auth using the condition in default file as
> below:
> if (&LDAP-Group == "groupname") {

  That's for LDAP groups.

> Or
> if (&Group-Name== "groupname") {

  That's for Unix groups.  i.e. from /etc/group

> And in ldap file:
> ldap {
> ...
> base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
> ...
> }
> ...
> group {
> base_dn = "${..base_dn}"
> filter = '(objectClass=posixGroup)'

  Active Directory doesn't do Posix groups.  You need to use "group".

> name_attribute = cn
> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> membership_attribute = memberOf
> cacheable_name = 'yes'
> cacheable_dn = 'yes'
> # cache_attribute = 'LDAP-Cached-Membership'
> 
> But I'm getting:
> No group membership attribute(s) found in user object
> 
> What am I missing?

  There's no group member attribute in the user object.

  The recent versions of the server have instructions on configuring LDAP with Active Directory:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/ldap

  Alan DeKok.
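
The quoted `group` section drives two lookups: a search of group objects (`filter` plus `membership_filter`) and a read of `membership_attribute` from the user object. The sketch below is an added illustration, not part of the original post and not FreeRADIUS code; it models both lookups against constructed directory entries, and the lookup order, the config keys of the model and the entry names are assumptions.

```python
# Simplified model of the two lookups a `group { ... }` section drives.
# Not FreeRADIUS code; the directory entries are constructed sample data.
USER_DN = "cn=alice,cn=users,dc=example,dc=com"
GROUP_DN = "cn=vpn-users,cn=users,dc=example,dc=com"
DIRECTORY = {
    GROUP_DN: {"objectClass": ["top", "group"],   # AD-style group, not posixGroup
               "cn": ["vpn-users"], "member": [USER_DN]},
    USER_DN: {"objectClass": ["top", "person", "user"],
              "cn": ["alice"]},                   # no memberOf on the user entry
}
NO_ATTR = "No group membership attribute(s) found in user object"


def check_group_objects(cfg, user_dn, group_name):
    """Search group entries matching the filter class, the name and member=."""
    for entry in DIRECTORY.values():
        if (cfg["filter_class"] in entry["objectClass"]
                and group_name in entry.get(cfg["name_attribute"], [])
                and user_dn in entry.get("member", [])):
            return True
    return False


def check_user_object(cfg, user_dn, group_name):
    """Read membership_attribute from the user entry; values are group DNs."""
    values = DIRECTORY[user_dn].get(cfg["membership_attribute"], [])
    if not values:
        return False, NO_ATTR
    names = [n for dn in values
             for n in DIRECTORY.get(dn, {}).get(cfg["name_attribute"], [])]
    return group_name in names, None


def ldap_group_check(cfg, user_dn, group_name):
    """Return (is_member, diagnostics) for an LDAP-Group == group_name test."""
    if check_group_objects(cfg, user_dn, group_name):
        return True, []
    found, note = check_user_object(cfg, user_dn, group_name)
    return found, [note] if note else []


# Hypothetical model configs: the posted filter class versus "group".
posix_cfg = {"filter_class": "posixGroup", "name_attribute": "cn",
             "membership_attribute": "memberOf"}
ad_cfg = dict(posix_cfg, filter_class="group")

if __name__ == "__main__":
    for label, cfg in (("posixGroup", posix_cfg), ("group", ad_cfg)):
        print(label, ldap_group_check(cfg, USER_DN, "vpn-users"))
```

With the `posixGroup` filter the group search matches nothing and the check falls through to the user object, which is where the message from the original question appears.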



