Help with LDAP groupOfNames?

Jason Antman jason at jasonantman.com
Thu Apr 16 01:55:48 CEST 2009


I just upgraded to FreeRadius 2.1.1, as per some off-list advice, but
still am having issues with this... I've Googled and read docs to no
avail, probably as I don't know much of anything about Radius at all -
and just need this (seemingly relatively simple) thing.

I'm running FreeRADIUS 2.1.1 (SuSE package) and OpenLDAP 2.3.19. I
have an access point that will do captive portal, but only via RADIUS,
not via LDAP natively. I already have an LDAP server running, so I just
added a new groupOfNames called "WirelessUsers".

Basically, *all* I want RADIUS to do is check the username and password,
and assuming they are correct, either allow or deny based on whether the
user is a member of "WirelessUsers". According to radtest, I have it
working with LDAP, but it allows everyone with a valid username and
password access, regardless of the WirelessUsers group - and I'm not
seeing anything related to that group in the LDAP logs or anything
related to groups at all in `radiusd -f -X`.

I can't seem to find anything concrete online for freeradius1 relating
to groupOfNames, so I've just been trying random things that I found
online (for raddb/users) hoping one would work.

RELEVANT CONFIGS (only relevant portions, comments removed)

raddb/sites-enabled/default:

authorize {
        ldap
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}

raddb/modules/ldap:

        ldap {
                server = "127.0.0.1"
                basedn = "dc=example,dc=com"
                #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"

                start_tls = no

                #access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                password_attribute = userPassword

                groupname_attribute = "cn"
                #groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
                groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:LDAP-UserDn})))
                groupmembership_attribute = WirelessUsers
                #groupmembership_attribute = "memberof"
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # do_xlat = yes
                # access_attr_used_for_allow = yes
        }

raddb/users:

#DEFAULT Auth-Type = LDAP
#       Fall-Through = yes
#
#DEFAULT Ldap-Group != "wireless", Auth-Type := Reject
#
#
#
#
#
#DEFAULT Ldap-Group != "cn=WirelessUsers,ou=groups,dc=midlandparkambulance,dc=com", Auth-Type := Reject
#
#DEFAULT Auth-Type := LDAP
#
#
#
DEFAULT Ldap-Group == WirelessUsers

DEFAULT Auth-Type := Reject

(For users, I've tried each of the pairs of commented-out lines, as per
different things I found online.)

I'm sure this is horribly simple, but I just can't seem to figure it out
from the docs or from extensive googling.

Thanks for any help,
Jason Antman
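
As an added illustration (not part of the post above), here is a small Python model of what the groupmembership_filter asks the directory to evaluate: the Ldap-UserDn xlat is replaced by the authenticated user's DN, the filter is applied to every group entry, and the cn of each matching group is returned. The directory entries are constructed sample data, the evaluator covers only the &, | and equality operators that this filter uses, and it compares DNs case- and whitespace-insensitively, which is one place a "member" value that looks right can fail to match.

```python
import re

# Constructed sample directory (dn -> attributes), not a real deployment.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["alice"]},
    "cn=WirelessUsers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["WirelessUsers"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=VPNUsers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["VPNUsers"],
        "uniqueMember": ["UID=Bob,OU=People,DC=example,DC=com"]},
}

# The group filter from the post, with the xlat FreeRADIUS expands to the user's DN.
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))")

def norm(value):
    """Comparison key for attribute names and DNs: case-folded, no space around commas."""
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()

def parse(text, pos=0):
    """Recursive-descent parser for the (&...), (|...) and (attr=value) subset of RFC 4515.
    Values are assumed to be already escaped, so ')' only ever closes a term."""
    assert text[pos] == "("
    if text[pos + 1] in "&|":
        op, pos, subs = text[pos + 1], pos + 2, []
        while text[pos] == "(":
            node, pos = parse(text, pos)
            subs.append(node)
        assert text[pos] == ")"
        return (op, subs), pos + 1
    end = text.index(")", pos)
    attr, value = text[pos + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(matches(n, attrs) for n in node[1])
    if node[0] == "|":
        return any(matches(n, attrs) for n in node[1])
    _, attr, value = node
    for name, values in attrs.items():
        if norm(name) == norm(attr):
            return any(norm(v) == norm(value) for v in values)
    return False

def groups_for(user_dn, directory=DIRECTORY, template=GROUP_FILTER):
    """Expand the xlat, run the filter over every entry, return the matching groups' cn values."""
    tree, _ = parse(template.replace("%{control:Ldap-UserDn}", user_dn))
    return sorted(cn for dn, attrs in directory.items()
                  if matches(tree, attrs) for cn in attrs.get("cn", []))
```

Running groups_for with a DN that is in no group returns an empty list, which is the case a deny rule has to catch.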

More information about the Freeradius-Users mailing list