LDAP Groups
Hugh Blandford
hugh at island.net.au
Tue Nov 2 06:16:21 CET 2010
Thank you Peter for your email. I hadn't come across them in the list
search.
On 2/11/2010 14:16, Alan DeKok wrote:
> Hugh Blandford wrote:
>
>> would mean you could add the attribute radiusGroupName to a user's entry
>> and it would then look up the relevant GroupofNames and add those
>> attributes to the return items. However, when I add radiusGroupName to
>> a user's entry I don't see any groupname lookups in the debug at all.
> No. The documentation does not say it works that way.
>
When using the following sort of DEFAULT entry:

    DEFAULT Ldap-Group == flat10000, User-Profile := "uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"

there is no relevance to

    groupmembership_attribute = radiusGroupName
Reading the rlm_ldap document, I thought that the
groupmembership_attribute was specified in the user entry, which was then
used to fetch the group information.
# groupmembership_attribute: The attribute in the user entry that states
# the group the user belongs to. The attribute can either contain the
# group name or the group DN. If it contains the group DN
# groupmembership_attribute will also be used to find the group's name.
# The attribute will be used after a search based on the
# groupname_attribute and groupmembership_filter has failed. default:
# NULL - don't search for a group based on attributes in the user entry.
Alan, I'm not saying you are wrong :-) more that I don't understand under what
circumstances / how it is used.
I do not see any group searching done in the debugs unless I specify an
LDAP-Group entry in the users file.
I thought that with groupmembership_attribute = radiusGroupName set and
an entry like

    radiusGroupName = disabled    (or cn=disabled,ou=............. etc.)

in a user entry, it would return the additional attributes listed in the disabled group.
>> What I actually want to do might not be solved best by LDAP groups.
>> Most of our customers are in different VRFs and this, the loopback
>> address and DNS servers etc. are returned. Rather than store this
>> information under each user I would like to have a template that I refer
>> to. However, at the same time, having 50+ DEFAULT entries didn't seem
>> the right way to do it either.
> That's what groups are for.
Is it sensible to have 50 or so DEFAULT Ldap-Group entries? Or does
that show that I have totally failed in understanding what/how
FreeRADIUS should be used?
Thanks for your help.
Hugh
--
Hugh Blandford
Island Internet
ph 1300 130 428
mb 0412 016 875
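For readers following the DEFAULT / User-Profile pattern Hugh describes above, here is a constructed example of the three pieces it needs (ldap module settings, the LDAP entries, and the users file lines). It is an added illustration, not configuration from Hugh's mail or from the FreeRADIUS project. It assumes FreeRADIUS 2.x with the stock ldap.attrmap (which maps radiusCheckItem/radiusReplyItem to generic check/reply items), the RADIUS-LDAPv3 schema's radiusprofile objectClass, that files is listed before ldap in the authorize section as in the stock config, and groups stored as groupOfNames. The DNs reuse the ou=profiles,ou=radius,ou=wl,dc=example,dc=org tree from the mail; the user uid=alice, the group ou=groups, and the reply attribute values are invented for the example.

```text
# --- modules/ldap (relevant lines only; assumed to match the 2.x defaults) ---
ldap {
        groupname_attribute = cn
        # Membership is found by searching the group entries for the
        # user's DN, not by reading an attribute off the user entry.
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
}

# --- LDIF: one group per VRF/template, and one profile entry per group (constructed) ---
dn: cn=flat10000,ou=groups,ou=radius,ou=wl,dc=example,dc=org
objectClass: groupOfNames
cn: flat10000
member: uid=alice,ou=users,ou=wl,dc=example,dc=org

dn: uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org
objectClass: account
objectClass: radiusprofile
uid: flat10000
# Reply items shared by every member of the group; values are placeholders.
radiusReplyItem: Framed-IP-Netmask = 255.255.255.255
radiusReplyItem: MS-Primary-DNS-Server = 192.0.2.53
radiusReplyItem: MS-Secondary-DNS-Server = 192.0.2.54

# --- users file: one DEFAULT per group, each pointing at its profile DN ---
# Ldap-Group runs the group search above; when it matches, User-Profile
# is set as a control item and rlm_ldap (running after files) reads the
# profile entry and adds its radiusReplyItem values to the reply.
DEFAULT Ldap-Group == "flat10000", User-Profile := "uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"
        Fall-Through = No

DEFAULT Ldap-Group == "flat10001", User-Profile := "uid=flat10001,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"
        Fall-Through = No
```

With this layout the per-customer data lives once, in the profile entry, and the users file only carries the group-to-profile mapping. Each Ldap-Group comparison is a separate LDAP search, so with many DEFAULT lines the first entries that do not match still cost a round trip each; ordering the most common groups first keeps that down. Whether the debug output shows a group search at all depends on a DEFAULT line with Ldap-Group being evaluated, which matches what Hugh observed above.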