Good afternoon Everyone, @Alan DeKok<mailto:aland@deployingradius.com>, thank you for pointing me to the right direction. I cannot get the attributes to be: 1. filtered to the bare necessity - I don't need them all present in the reply and there are 39 of them. I just need a memberOf from the AD. 2. Having the memberOf attribute recognised - system comes back with: "ERROR: String passed does not look like an LDAP URL" Any help will be appreciated! Cheers Here is the configuration: mteplov@scorpio:~/temp$ cat ldap ldap { server = 'ms-ad.csec.ms.nomios.nl' identity = 'CN=Radius Proxy NomiosLabs,OU=Servce Accounts,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl' password = 'SECRET' base_dn = 'DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl' user { base_dn = "${..base_dn}" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" scope = 'sub' uid_attribute = "sAMAccountName" attribute { LDAP-Group := memberOf } } # attributes { # memberof = "session-state:LDAP-Group" # } #user_dn = "${.:instance}-LDAP-UserDn" # group { # base_dn = "${..base_dn}" # filter = '(objectClass=group)' # name_attribute = cn # # use magic AD search to get all groups # membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:${..user_dn}})" # # enable cache module # cacheable_dn = 'yes' # cache_attribute = "${..:instance}-LDAP-Group" # } options { chase_referrals = no rebind = yes ldap_debug = 2147483647 timeout = 10 timelimit = 3 net_timeout = 1 idle = 60 } tls { start_tls = no } } mteplov@scorpio:~/temp$ cat default server default { listen { type = auth ipaddr = * port = 1825 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } pre-proxy { } post-proxy { attr_filter.post-proxy if (1) { update reply { Reply-Message += " Session-State LDAP-Group: %{session-state:LDAP-Group}" } } } authorize { preprocess auth_log chap # suffix if (&request:User-Name) { update session-state { Persisted-User-Name := "%{request:User-Name}" } } update control { Proxy-To-Realm := "radius_server" } ldap if (1) { update reply { Reply-Message := "DN: %{ldap:dn}" Reply-Message += ", memberOf: %{ldap:memberOf[*]}" Reply-Message += ", mail: %{ldap:mail}" Reply-Message += ", sAMAccountName: %{ldap:sAMAccountName}" } } } authenticate { } post-auth { # Debugging: Let's see what's in the ldap namespace if (1) { update reply { Reply-Message += " Session-State LDAP-Group: %{session-state:LDAP-Group}" } } update session-state { LDAP-Group := "%{ldap:memberOf}" } if (&session-state:LDAP-Group[*]) { update reply { Reply-Message := "Groups: %{session-state:LDAP-Group[*]}" } } else { update reply { Reply-Message := "No LDAP groups found" } } if (&session-state:LDAP-Group[*] == "CN=Radius_Admin_Group,OU=NomiosLabs,OU=Roles,OU=Nomios Services,OU=Nomios,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl") { update reply { Fortinet-Group-Name := "admin_group" Juniper-Local-User-Name := "admin_role" Reply-Message := "Authorized as Admin" } } elsif (&session-state:LDAP-Group[*] == "CN=Radius_ReadOnly_Group,OU=NomiosLabs,OU=Roles,OU=Nomios Services,OU=Nomios,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl") { update reply { Fortinet-Group-Name := "read_only_group" Juniper-Local-User-Name := "read_only_role" Reply-Message := "Authorized as Read-Only" } } elsif (&session-state:LDAP-Group[*] == "CN=Radius_ReadWrite_Group,OU=NomiosLabs,OU=Roles,OU=Nomios Services,OU=Nomios,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl") { update reply { Fortinet-Group-Name := "read_write_group" Juniper-Local-User-Name := "read_write_role" Reply-Message := "Authorized as Read-Write" } } else { update control { Auth-Type := Reject } update reply { Persisted-User-Name := "%{session-state:Persisted-User-Name}" Reply-Message := "Access denied: Unauthorized group." } } } } And here is the log: FreeRADIUS Version 3.0.20 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/ldap including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/logintime including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/ntlm_auth including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/rfc7542 including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 10 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = no require_message_authenticator = "auto" limit_proxy_state = "auto" } } radiusd: #### Loading Realms and Home Servers #### home_server radius_server1 { require_message_authenticator = "no" ipaddr = 100.127.1.24 port = 1823 type = "auth" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } Ignoring "response_window = 30.000000", forcing to "response_window = 10.000000" home_server radius_server2 { require_message_authenticator = "no" ipaddr = 100.127.1.102 port = 1823 type = "auth" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } Ignoring "response_window = 30.000000", forcing to "response_window = 10.000000" home_server_pool radius_pool { type = fail-over home_server = radius_server2 } realm radius_server { auth_pool = radius_pool } radiusd: #### Loading Clients #### client localhost { ipaddr = * require_message_authenticator = "yes" secret = <<< secret >>> shortname = "localhost" nas_type = "other" proto = "*" limit { max_connections = 1 lifetime = 0 idle_timeout = 30 } } client NMS_APPS_1 { ipaddr = 172.31.50.0/24 secret = <<< secret >>> proto = "*" limit { max_connections = 10 lifetime = 300 idle_timeout = 300 } } client NMS_APPS_2 { ipaddr = 172.31.60.0/24 secret = <<< secret >>> proto = "*" limit { max_connections = 10 lifetime = 300 idle_timeout = 300 } } Debug state unknown (cap_sys_ptrace capability not set) systemd watchdog is disabled radiusd: #### Instantiating modules #### modules { # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_ldap # Loading module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap ldap { server = "ms-ad.csec.ms.nomios.nl" identity = "CN=Radius Proxy NomiosLabs,OU=Servce Accounts,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl" password = <<< secret >>> sasl { } user { scope = "sub" access_positive = yes sasl { } } group { scope = "sub" name_attribute = "cn" cacheable_name = no cacheable_dn = no allow_dangling_group_ref = no } client { scope = "sub" base_dn = "" } profile { } options { ldap_debug = 2147483647 chase_referrals = no rebind = yes net_timeout = 1 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } Creating attribute LDAP-Group # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_exec # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --username=%{User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } instantiate { } # Instantiating module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap rlm_ldap: libldap vendor: OpenLDAP, version: 20449 rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 5 max = 10 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap): Opening additional connection (0), 1 of 10 pending slots used rlm_ldap (ldap): Connecting to ldap://ms-ad.csec.ms.nomios.nl:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1), 1 of 9 pending slots used rlm_ldap (ldap): Connecting to ldap://ms-ad.csec.ms.nomios.nl:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2), 1 of 8 pending slots used rlm_ldap (ldap): Connecting to ldap://ms-ad.csec.ms.nomios.nl:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3), 1 of 7 pending slots used rlm_ldap (ldap): Connecting to ldap://ms-ad.csec.ms.nomios.nl:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4), 1 of 6 pending slots used rlm_ldap (ldap): Connecting to ldap://ms-ad.csec.ms.nomios.nl:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (pre_proxy_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authorize {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1825 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address * port 1825 bound to server default Listening on proxy address * port 51834 Ready to process requests (0) Received Access-Request Id 38 from 127.0.0.1:47469 to 127.0.0.1:1825 length 101 (0) Message-Authenticator = 0xe1c8fe585dddd97d45029bb9dcc5bd5d (0) User-Name = "generic-user" (0) User-Password = "ommited" (0) NAS-IP-Address = 172.17.0.6 (0) NAS-Port = 1 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20250515 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20250515 (0) auth_log: EXPAND %t (0) auth_log: --> Thu May 15 12:01:36 2025 (0) [auth_log] = ok (0) [chap] = noop (0) if (&request:User-Name) { (0) if (&request:User-Name) -> TRUE (0) if (&request:User-Name) { (0) update session-state { (0) EXPAND %{request:User-Name} (0) --> generic-user (0) Persisted-User-Name := generic-user (0) } # update session-state = noop (0) } # if (&request:User-Name) = noop (0) update control { (0) Proxy-To-Realm := "radius_server" (0) } # update control = noop rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (sAMAccountName=generic-user) (0) ldap: Performing search in "DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl" with filter "(sAMAccountName=generic-user)", scope "sub" ldap_search_ext put_filter: "(sAMAccountName=generic-user)" put_filter: simple put_simple_filter: "sAMAccountName=generic-user" ldap_build_search_req ATTRS:€û ldap_send_initial_request ldap_send_server_request (0) ldap: Waiting for search result... ldap_result ld 0x55d84d24efc0 msgid 2 wait4msg ld 0x55d84d24efc0 msgid 2 (timeout 20000000 usec) wait4msg continue ld 0x55d84d24efc0 msgid 2 all 1 ** ld 0x55d84d24efc0 Connections: * host: ms-ad.csec.ms.nomios.nl port: 389 (default) refcnt: 2 status: Connected last used: Thu May 15 12:01:36 2025 ** ld 0x55d84d24efc0 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x55d84d24efc0 request count 1 (abandoned 0) ** ld 0x55d84d24efc0 Response Queue: Empty ld 0x55d84d24efc0 response count 0 ldap_chkResponseList ld 0x55d84d24efc0 msgid 2 all 1 ldap_chkResponseList returns ld 0x55d84d24efc0 NULL ldap_int_select read1msg: ld 0x55d84d24efc0 msgid 2 all 1 read1msg: ld 0x55d84d24efc0 msgid 2 message type search-entry wait4msg ld 0x55d84d24efc0 19 s 989759 us to go wait4msg continue ld 0x55d84d24efc0 msgid 2 all 1 ** ld 0x55d84d24efc0 Connections: * host: ms-ad.csec.ms.nomios.nl port: 389 (default) refcnt: 2 status: Connected last used: Thu May 15 12:01:36 2025 ** ld 0x55d84d24efc0 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x55d84d24efc0 request count 1 (abandoned 0) ** ld 0x55d84d24efc0 Response Queue: * msgid 2, type 100 ld 0x55d84d24efc0 response count 1 ldap_chkResponseList ld 0x55d84d24efc0 msgid 2 all 1 ldap_chkResponseList returns ld 0x55d84d24efc0 NULL ldap_int_select read1msg: ld 0x55d84d24efc0 msgid 2 all 1 read1msg: ld 0x55d84d24efc0 msgid 2 message type search-reference adding response ld 0x55d84d24efc0 msgid 2 type 115: wait4msg ld 0x55d84d24efc0 19 s 989704 us to go wait4msg continue ld 0x55d84d24efc0 msgid 2 all 1 ** ld 0x55d84d24efc0 Connections: * host: ms-ad.csec.ms.nomios.nl port: 389 (default) refcnt: 2 status: Connected last used: Thu May 15 12:01:36 2025 ** ld 0x55d84d24efc0 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x55d84d24efc0 request count 1 (abandoned 0) ** ld 0x55d84d24efc0 Response Queue: * msgid 2, type 100 chained responses: * msgid 2, type 115 ld 0x55d84d24efc0 response count 1 ldap_chkResponseList ld 0x55d84d24efc0 msgid 2 all 1 ldap_chkResponseList returns ld 0x55d84d24efc0 NULL ldap_int_select read1msg: ld 0x55d84d24efc0 msgid 2 all 1 read1msg: ld 0x55d84d24efc0 msgid 2 message type search-reference adding response ld 0x55d84d24efc0 msgid 2 type 115: wait4msg ld 0x55d84d24efc0 19 s 989648 us to go wait4msg continue ld 0x55d84d24efc0 msgid 2 all 1 ** ld 0x55d84d24efc0 Connections: * host: ms-ad.csec.ms.nomios.nl port: 389 (default) refcnt: 2 status: Connected last used: Thu May 15 12:01:36 2025 ** ld 0x55d84d24efc0 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x55d84d24efc0 request count 1 (abandoned 0) ** ld 0x55d84d24efc0 Response Queue: * msgid 2, type 100 chained responses: * msgid 2, type 115 * msgid 2, type 115 ld 0x55d84d24efc0 response count 1 ldap_chkResponseList ld 0x55d84d24efc0 msgid 2 all 1 ldap_chkResponseList returns ld 0x55d84d24efc0 NULL ldap_int_select read1msg: ld 0x55d84d24efc0 msgid 2 all 1 read1msg: ld 0x55d84d24efc0 msgid 2 message type search-reference adding response ld 0x55d84d24efc0 msgid 2 type 115: wait4msg ld 0x55d84d24efc0 19 s 989602 us to go wait4msg continue ld 0x55d84d24efc0 msgid 2 all 1 ** ld 0x55d84d24efc0 Connections: * host: ms-ad.csec.ms.nomios.nl port: 389 (default) refcnt: 2 status: Connected last used: Thu May 15 12:01:36 2025 ** ld 0x55d84d24efc0 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x55d84d24efc0 request count 1 (abandoned 0) ** ld 0x55d84d24efc0 Response Queue: * msgid 2, type 100 chained responses: * msgid 2, type 115 * msgid 2, type 115 * msgid 2, type 115 ld 0x55d84d24efc0 response count 1 ldap_chkResponseList ld 0x55d84d24efc0 msgid 2 all 1 ldap_chkResponseList returns ld 0x55d84d24efc0 NULL ldap_int_select read1msg: ld 0x55d84d24efc0 msgid 2 all 1 read1msg: ld 0x55d84d24efc0 msgid 2 message type search-result read1msg: ld 0x55d84d24efc0 0 new referrals read1msg: mark request completed, ld 0x55d84d24efc0 msgid 2 request done: ld 0x55d84d24efc0 msgid 2 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) adding response ld 0x55d84d24efc0 msgid 2 type 101: ldap_parse_result ldap_get_dn (0) ldap: User object found at DN "CN=Generic Copy MS User,OU=Users,OU=nomios.nl,OU=Nomios,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl" ldap_msgfree rlm_ldap (ldap): Released connection (0) (0) [ldap] = ok (0) if (1) { (0) if (1) -> TRUE (0) if (1) { (0) update reply { (0) ERROR: String passed does not look like an LDAP URL (0) EXPAND DN: %{ldap:dn} (0) --> DN: (0) Reply-Message := DN: (0) ERROR: String passed does not look like an LDAP URL (0) EXPAND , memberOf: %{ldap:memberOf[*]} (0) --> , memberOf: (0) Reply-Message += , memberOf: (0) ERROR: String passed does not look like an LDAP URL (0) EXPAND , mail: %{ldap:mail} (0) --> , mail: (0) Reply-Message += , mail: (0) ERROR: String passed does not look like an LDAP URL (0) EXPAND , sAMAccountName: %{ldap:sAMAccountName} (0) --> , sAMAccountName: (0) Reply-Message += , sAMAccountName: (0) } # update reply = noop (0) } # if (1) = noop (0) } # authorize = ok (0) Starting proxy to home server 100.127.1.102 port 1823 (0) server default { (0) } (0) Proxying request to home server 100.127.1.102 port 1823 timeout 10.000000 (0) Sent Access-Request Id 198 from 0.0.0.0:51834 to 100.127.1.102:1823 length 111 (0) Message-Authenticator = 0xe1c8fe585dddd97d45029bb9dcc5bd5d (0) User-Name = "generic-user" (0) User-Password = "ommited" (0) NAS-IP-Address = 172.17.0.6 (0) NAS-Port = 1 (0) Event-Timestamp = "May 15 2025 12:01:36 UTC" (0) Proxy-State = 0x3338 Waking up in 0.3 seconds. (0) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (0) BlastRADIUS check: Received packet without Message-Authenticator from home_server radius_server2 (0) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (0) The packet does not contain Message-Authenticator, which is a security issue (0) UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK. (0) Once the home server is upgraded, set "require_message_authenticator = true" for home_server radius_server2 (0) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (0) Marking home server 100.127.1.102 port 1823 alive (0) Clearing existing &reply: attributes (0) Received Access-Accept Id 198 from 100.127.1.102:1823 to 172.17.0.6:51834 length 50 (0) Reply-Message = "Recovered as generic-user" (0) server default { (0) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default (0) post-proxy { (0) attr_filter.post-proxy: EXPAND %{Realm} (0) attr_filter.post-proxy: --> radius_server (0) attr_filter.post-proxy: Matched entry DEFAULT at line 1 (0) [attr_filter.post-proxy] = updated (0) if (1) { (0) if (1) -> TRUE (0) if (1) { (0) update reply { (0) EXPAND Session-State LDAP-Group: %{session-state:LDAP-Group} (0) --> Session-State LDAP-Group: (0) Reply-Message += Session-State LDAP-Group: (0) } # update reply = noop (0) } # if (1) = noop (0) } # post-proxy = updated (0) } (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (1) { (0) if (1) -> TRUE (0) if (1) { (0) update reply { (0) EXPAND Session-State LDAP-Group: %{session-state:LDAP-Group} (0) --> Session-State LDAP-Group: (0) Reply-Message += Session-State LDAP-Group: (0) } # update reply = noop (0) } # if (1) = noop (0) update session-state { (0) ERROR: String passed does not look like an LDAP URL (0) EXPAND %{ldap:memberOf} (0) --> (0) LDAP-Group := (0) } # update session-state = noop (0) if (&session-state:LDAP-Group[*]) { (0) if (&session-state:LDAP-Group[*]) -> TRUE (0) if (&session-state:LDAP-Group[*]) { (0) update reply { (0) EXPAND Groups: %{session-state:LDAP-Group[*]} (0) --> Groups: (0) Reply-Message := Groups: (0) } # update reply = noop (0) } # if (&session-state:LDAP-Group[*]) = noop (0) ... skipping else: Preceding "if" was taken (0) if (&session-state:LDAP-Group[*] == "CN=Radius_Admin_Group,OU=NomiosLabs,OU=Roles,OU=Nomios Services,OU=Nomios,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl") { (0) if (&session-state:LDAP-Group[*] == "CN=Radius_Admin_Group,OU=NomiosLabs,OU=Roles,OU=Nomios Services,OU=Nomios,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl") -> FALSE (0) elsif (&session-state:LDAP-Group[*] == "CN=Radius_ReadOnly_Group,OU=NomiosLabs,OU=Roles,OU=Nomios Services,OU=Nomios,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl") { (0) elsif (&session-state:LDAP-Group[*] == "CN=Radius_ReadOnly_Group,OU=NomiosLabs,OU=Roles,OU=Nomios Services,OU=Nomios,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl") -> FALSE (0) elsif (&session-state:LDAP-Group[*] == "CN=Radius_ReadWrite_Group,OU=NomiosLabs,OU=Roles,OU=Nomios Services,OU=Nomios,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl") { (0) elsif (&session-state:LDAP-Group[*] == "CN=Radius_ReadWrite_Group,OU=NomiosLabs,OU=Roles,OU=Nomios Services,OU=Nomios,DC=ms-ad,DC=csec,DC=ms,DC=nomios,DC=nl") -> FALSE (0) else { (0) update control { (0) Auth-Type := Reject (0) } # update control = noop (0) update reply { (0) EXPAND %{session-state:Persisted-User-Name} (0) --> generic-user (0) Persisted-User-Name := generic-user (0) Reply-Message := "Access denied: Unauthorized group." (0) } # update reply = noop (0) } # else = noop (0) } # post-auth = noop (0) Login OK: [generic-user] (from client localhost port 1) (0) Sent Access-Accept Id 38 from 127.0.0.1:1825 to 127.0.0.1:47469 length 0 (0) Reply-Message := "Access denied: Unauthorized group." (0) Reply-Message = "Recovered as generic-user" (0) Reply-Message += " Session-State LDAP-Group: " (0) Persisted-User-Name := "generic-user" (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 38 with timestamp +6 Ready to process requests ________________________________ From: Freeradius-Users <freeradius-users-bounces+matvey.teplov=nomios.nl@lists.freeradius.org> on behalf of Matvey Teplov via Freeradius-Users <freeradius-users@lists.freeradius.org> Sent: 14 May 2025 17:18 To: freeradius-users@lists.freeradius.org <freeradius-users@lists.freeradius.org> Cc: Matvey Teplov <matvey.teplov@nomios.nl> Subject: [EXTERNAL] Fetching memberOf attribute Hi Guys, I cannot get the ldap module to fetch a memberOf attribute from AD - it is not putting it as a filter parameter in the LDAP search packet. I need this list later to search through for port-authentication phase through the groups in session-state:LDAP-Group[*]'s to identify which ones are present and return a proper VSA. The LDAP configuration is as follows: ldap { server = 'abc.nomios.nl' identity = 'CN=ABC,OU=ABC,DC=nomios,DC=nl' password = '#######' base_dn = 'DC=nomios,DC=nl' user { base_dn = "${..base_dn}" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" scope = 'sub' access_attr = "memberOf" attribute { memberOf := 'session-state:LDAP-Group' } } # group { # base_dn = "${..base_dn}" # membership_attribute = 'memberOf' # } options { chase_referrals = no rebind = yes ldap_debug = 1 timeout = 10 timelimit = 3 net_timeout = 1 idle = 60 } tls { start_tls = no } update { session-state:LDAP-Group := "%{ldap:memberOf}" } } If I run manually ldap_search, then membership shows. Wireshark confirms that there is no attribute request in the ldap search packet present. Any help will be greatly appreciated! Best regards Matvey Teplov +31 62 705 12 73 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html