Hello, Trying to setup group membership filtering against LDAP group membership for user authentication and authorization, seems that %{Ldap-UserDn} is not correctly expanded (shown as blank) in my conf. Does anyone experienced same problems or has any idea about what is wrong in my conf ? Here are some revelants parts : radiusd.conf ------------------ module { [...] ldap ldap { server = "myldapserver" identity = "cn=admin,dc=myorg" password = passw basedn = "dc=myorg" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=person)" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${raddbdir}/ldap.attrmap auto_header = yes groupname_attribute = cn groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))" # groupmembership_attribute = cn } [...] } [..] Autz-Type LDAP { ldap } expiration logintime pap } authenticate { Auth-Type LDAP { ldap } } [...] users (matching huntgroup name "clientasa") ------------------------------------------------------------------ DEFAULT Huntgroup-Name == "clientasa", Ldap-Group=="ASA", Autz-Type := LDAP DEFAULT Auth-Type := Reject LDAP extract : -------------------- dn: cn=ASA, dc=myorg objectClass: groupOfNames objectClass: posixGroup objectClass: sambaGroupMapping objectClass: top cn: ASA gidNumber: 512 member: uid=test,ou=people,dc=myorg dn: uid=test,ou=people,dc=myorg objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: posixAccount objectClass: sambaSamAccount objectClass: shadowAccount objectClass: top cn: test gidNumber: 512 uid: test uidNumber: 0 loginShell: /bin/bash userPassword:: {SSHA}mypassword Debug info ---------------- rad_recv: Access-Request packet from host xxxxx port 1025, id=185, length=109 User-Name = "test" NAS-IP-Address = ip1 Calling-Station-Id = "xxxxxxx" User-Password = "mypassword" NAS-Port = 96 Cisco-AVPair = "ip:source-ip=xxxxxxxxxx" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_ldap: Entering ldap_groupcmp() expand: dc=myorg -> dc=myorg WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldapserver:389, authentication 0 rlm_ldap: bind as cn=admin,dc=myorg/ldappassword to ldapserver:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=myorg, with filter (uid=test) rlm_ldap: ldap_release_conn: Release Id: 0 expand: (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})) -> (&(objectClass=GroupOfNames)(member=)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=myorg, with filter (&(cn=ASA)(&(objectClass=GroupOfNames)(member=))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group ASA not found or user is not a member. users: Matched entry DEFAULT at line 210 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. Login incorrect: [test/mypassword] (from client pixasa port 96 cli xxxxxxx) Sending Access-Reject of id 185 to ip1 port 1025 Finished request 0. A partir du 30 juin, le siege social et l'adresse postale de La Banque Postale a Paris changent et deviennent: 115, rue de Sevres, 75275 Paris Cedex 06 Le No du standard du Siege Central de la Banque Postale a Paris devient: 01 57 75 60 00 Le papier est un bien precieux, ne le gaspillez pas. N'imprimez ce document que si vous en avez vraiment besoin ! Ce message est confidentiel. Sous reserve de tout accord conclu par ecrit entre vous et La Banque Postale, son contenu ne represente en aucun cas un engagement de la part de La Banque Postale. Toute publication, utilisation ou diffusion, meme partielle, doit etre autorisee prealablement. Si vous n'etes pas destinataire de ce message, merci d'en avertir immediatement l'expediteur.