groupmembership_filter for LDAP module [sec: unclas]

Ranner, Frank MR Frank.Ranner at
Tue Aug 22 09:47:22 CEST 2006

-----Original Message-----
From: at lists.freeradius.or
[ at lists.freer] On Behalf Of Alexei Monastyrnyi
Sent: Tuesday, 22 August 2006 07:12
To: FreeRadius users mailing list
Subject: groupmembership_filter for LDAP module

Hi List.

I am trying to enable group filter to allow only certain LDAP users to
be able to login to my VPN hub.

I run FreeRADIUS 1.0.2 on SPARC Solaris 9

All users are in group
listed as "memberUid"s

In radiusd.conf I have the following

filter =

groupmembership_filter =

groupmembership_attribute = "vpnusers"

It doesn't seem to work, no sign of searching for "vpnusers" in LDAP
server logs and users that are not in this group are still able to log

I may be missing something... Hints of where to look would be highly



1. You need to have an LDAP-Group check item in users:

DEFAULT	LDAP-Group == vpnusers
		Service-Type = Administrative-User

2. You need groupname_attribute. This is ANDed to the filter to provide
	groupname_attribute = cn

3. Your filter is overcomplicated, all you need is this:
   The rlm_ldap module adds on (cn=vpnusers) as a result of items 1 and

That's it. As long as the other stuff is right like the binddn, the base dn this
should at least generate ldap activity in the radiusd -X output.

Frank Ranner
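
Added example, not part of the original message and not rlm_ldap source code: a small Python model of the group check described in items 1 to 3, where (cn=vpnusers) is ANDed onto the membership filter. The memberUid filter template, the sample entries and all function names are assumptions; the filter values from the original posts do not appear on this page.

```python
import re

GROUPNAME_ATTRIBUTE = "cn"                  # item 2 of the reply
MEMBERSHIP_TEMPLATE = "(memberUid={user})"  # assumed groupmembership_filter

# Constructed sample group entries, members listed as memberUid values.
GROUPS = [
    {"cn": ["vpnusers"], "memberUid": ["alice", "bob"]},
    {"cn": ["staff"], "memberUid": ["alice", "carol"]},
]

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value):
    """Turn \\xx escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def group_search_filter(group, user):
    """AND (groupname_attribute=group) onto the membership filter."""
    member = MEMBERSHIP_TEMPLATE.format(user=escape_filter_value(user))
    return "(&(%s=%s)%s)" % (GROUPNAME_ATTRIBUTE, escape_filter_value(group), member)

def matches(entry, ldap_filter):
    """Evaluate an AND of equality items, the only shape built above.
    Uses exact string comparison; a real directory applies matching rules."""
    items = re.findall(r"\(([A-Za-z]+)=((?:[^()\\*]|\\[0-9a-fA-F]{2})*)\)", ldap_filter)
    return bool(items) and all(
        unescape_filter_value(value) in entry.get(attr, []) for attr, value in items
    )

def is_member(group, user):
    """True when some group entry satisfies the combined filter."""
    ldap_filter = group_search_filter(group, user)
    return any(matches(entry, ldap_filter) for entry in GROUPS)

if __name__ == "__main__":
    for user in ("alice", "carol", "*"):
        print(user, group_search_filter("vpnusers", user), is_member("vpnusers", user))
```

A user who appears only in another group fails the check because both conditions must hold on the same entry, and a literal "*" in the user name is escaped so it cannot act as a wildcard.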
