Can I get group-name from Active-directory? [sec=unclassified]

Hangjun He elmerhe at
Wed Dec 19 09:31:41 CET 2007

I added the group parameters in the rlm_ldap section. It seems FreeRADIUS does not do a group search.
        groupname_attribute = memberOf
        groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
Is there anything else I need to configure in radiusd.conf?
  Waking up in 4 seconds...
rad_recv: Access-Request packet from host, id=76, length=207
        User-Name = "hhe"
        NAS-IP-Address =
        NAS-Identifier = "AH-000030"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-00-00-34:hhe"
        Calling-Station-Id = "00-19-E0-80-A5-5A"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0209002b1900170301002040c3edccfa02df3abe7e25e10b19562d21e7cb9ae131741e2072d61ea88ada83
        State = 0xaa50cdb6191621d7112990ba865f4031
        Message-Authenticator = 0xb16d6265031bcb1157450cdbef3d80b4
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module "preprocess" returns ok for request 9
  modcall[authorize]: module "mschap" returns noop for request 9
    rlm_realm: No '@' in User-Name = "hhe", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Proxying request from user hhe to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 9
  rlm_eap: EAP packet type response id 9 length 43
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hhe
radius_xlat:  '(sAMAccountName=hhe)'
radius_xlat:  'cn=users,dc=aerohive, dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=users,dc=aerohive, dc=com, with filter (sAMAccountName=hhe)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user hhe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 9
modcall: leaving group authenticate (returns ok) for request 9
Sending Access-Accept of id 76 to port 1107
        MS-MPPE-Recv-Key = 0x03ee0b3dcbfc176840b2fd59f80ea717e985f078073c8aec6443244ff871091d
        MS-MPPE-Send-Key = 0x55a504ccb0cb76ee9bda1bd4e5ec48cf4c27fe94c9e086bc990ed0f0f1650f92
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "hhe"
Finished request 9

"Ranner, Frank MR" <Frank.Ranner at> wrote:
  From: at lists.freeradius.or
[ at lists.freer] On Behalf Of Hangjun He
Sent: Monday, 17 December 2007 18:32
To: FreeRadius users mailing list
Subject: Can I get group-name from Active-directory?

FreeRADIUS 1.1.6 + samba-tools + active-directory.
Can I get user's group-name by rlm_ldap? How?

Following is the result of ldap-search (using an LDAP client).
# Paul Le, Users,
dn: CN=Paul Le,CN=Users,DC=test,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Paul Le
sn: Levasseur
distinguishedName: CN=Paul Le,CN=Users,DC=test,DC=com
instanceType: 4
whenCreated: 20061118204047.0Z
whenChanged: 20061120041505.0Z
displayName: Paul Levasseur
uSNCreated: 53309
memberOf: CN=WirelessUsers,CN=Users,DC=test,DC=com
uSNChanged: 61454
name: Paul Levasseur
objectGUID:: TWcfmIP0S0KptrqNYMartA==

In radiusd.conf set the ldap group parameters:

groupname_attribute = memberOf
groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

If you prefer you can use sAMAccountName instead of cn, or even both:

groupmembership_filter =

Frank Ranner
