FreeRADIUS and LDAP Groups

tnt at tnt at
Fri Dec 12 01:37:25 CET 2008

>In my users I have
>DEFAULT LDAP-Group == foo
>However, even with these configuration options set, anyone with a valid login and password can authenticate right now.  In my "radiusd -X" I see:
>rlm_ldap: performing search in dc=blah, with filter (&(cn=foo)(memberUid=test))
>rlm_ldap: object not found or got ambiguous search result
>But it then goes on the authenticate the user anyhow:
>rlm_ldap: user test authorized to use remote access
>I looked around on Google, and I see -lots- of stuff about configuring LDAP group checks, but I haven't found anything that's all too helpful right now.  Is there some option that I have to set to tell the system to ignore a user that's not in the proper group?


DEFAULT   Auth-Type := Reject

at the end of the users file. If none of the groups match user will be
rejected even with the correct password.

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list