I have FreeRadius 3.0.3 installed on Ubuntu 14.0.4 (free radius 3.0.3-ppa1~trustry package) I have everything setup with Active Directory for user authentication. This is working correctly, but I am having a problem with Active Directory group membership checking. It appears the problem is with the way FreeRadius escapes the UserDN when doing the query. I have tried various ldap configuration options, none of which quite work. If I remove all the filter settings from the group checking and only use the membership_attribute = "memberOf", I get the following Invalid DN syntax error: rlm_ldap (ldap): Bind successful (11) User object found at DN "CN=Winders\, Tim (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu" (11) Checking user object membership (memberOf) attributes (11) Waiting for bind result... (11) Bind successful (11) Performing unfiltered search in 'CN=Winders, Tim (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu', scope 'base' (11) Waiting for search result... (11) ERROR: Failed performing search: Invalid DN syntax (11) ERROR: Server said: 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8350, best match of: 'CN=Winders, Tim (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu' . Notice the first User object found has the correct DN, with the comma in the CN= attribute escaped. This is the way the DN is stored in Active Directory. However, when doing the unfiltered search, the comma is no longer escaped resulting in the Invalid DN syntax. If I remove the membership_attribute and do the member checking in the group, I don¹t get the invalid DN (as the DN is no longer being searched), but the UserDn attribute is escaped differently rlm_ldap (ldap): Bind successful (11) User object found at DN "CN=Winders\, Tim (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu" (11) Checking for user in group objects (11) EXPAND (&(objectClass=group)(member=%{control:Ldap-UserDn})) (11) --> (&(objectClass=group)(member=CN\3dWinders\2c Tim \280552\29\2cOU\3dStudents\2cOU\3dSPC\2cDC\3dsouthplainscollege\2cDC\3dedu) ) (11) Waiting for bind result... (11) Bind successful (11) Performing search in 'CN=Students Security Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu' with filter '(&(objectClass=group)(member=CN\3dWinders\2c Tim \280552\29\2cOU\3dStudents\2cOU\3dSPC\2cDC\3dsouthplainscollege\2cDC\3dedu) )', scope 'sub' (11) Waiting for search result... (11) Search returned no results (11) Search returned not found Again, notice the successful user object found with the correct DN, but when doing the expansion of control:Ldap-UserDn the resulting DN is badly mangled. I found lots of information in the archives about UserDn escaping, but nothing current and no helpful information on how to fix this. Suggestions? -- Tim Winders Associate Dean of Information Technology South Plains College (806) 716-2369