Problem with LDAP and Groups

Alan DeKok aland at
Sun Oct 14 07:00:42 CEST 2007

Bryan Evege wrote:

  Please edit your posts to the list.  It's annoying to have to scroll
through reams of headers and old messages in order to see your reply.

> Thank you for the reply.  If I change the fall through to yes it still
> matches as many groups as the user is in.  How can I tell freeradius
> which attributes to send back?  It only sends back the attributes of the
> last group it finds.

  Read the documentation for the "users" file, including the "man" page.

> For example, bevege is a member of the following groups, packetshapper,
> cisco_priv_15, cisco_priv_1, linux.  Here is what happens when I try to
> log into one of the packet shapers.  I get the attributes for the
> cisco_priv_1 because it's last in the list and I can't logon.  If I
> change all of the user's groups to fall-through=no the packetshapper
> allows me to login but then the cisco profiles don't work because it
> never makes it to them.

  i.e. You want to match on the client AND on the group.  Why not
configure that?

DEFAULT Client-IP-Address ==, LDAP-Group == ...
	reply with stuff...

> Basically this setup works fine if you're only in one group! What's the
> point of groups if you can only be in one?

  You can be in multiple groups.  You just have to configure the correct

  Alan DeKok.
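
Added example, not part of the original post: a "users" file fragment that matches on the client AND on the group, as the reply suggests, so each device only ever receives the reply attributes meant for it. The group names come from the thread; the client addresses (192.0.2.0/24 documentation range) and the reply attributes are assumptions.

```conf
# Constructed example: addresses and reply attributes are assumptions,
# not the poster's real values.

# Packet shaper at 192.0.2.10: only members of "packetshapper" match.
# Service-Type here is a placeholder for whatever the device expects.
DEFAULT Client-IP-Address == 192.0.2.10, LDAP-Group == "packetshapper"
	Service-Type = Administrative-User,
	Fall-Through = No

# Cisco device at 192.0.2.20: the more privileged group is listed first,
# so a user in both Cisco groups gets level 15 and matching stops there.
DEFAULT Client-IP-Address == 192.0.2.20, LDAP-Group == "cisco_priv_15"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15",
	Fall-Through = No

# Same client, lower privilege: reached only when the entry above
# did not match.
DEFAULT Client-IP-Address == 192.0.2.20, LDAP-Group == "cisco_priv_1"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=1",
	Fall-Through = No
```

Because every entry names a client, membership in "cisco_priv_15" grants nothing on the packet shaper, and a request from a client with no matching entry gets none of these reply attributes.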

More information about the Freeradius-Users mailing list