ldap group lookup help

Walter Gould gouldwp at auburn.edu
Thu Sep 2 16:49:02 CEST 2010


We are having problems with ldap group lookups...  Here's our 
environment.  Using Freeradius 2.1.8 to authenticate wireless users 
against our AD servers and perform ldap group membership lookups.  Using 
WPA2-AES-PEAP-MSCHAPv2.  When radiusd is started, initially the lookups 
work fine and we see successful auth's in our radius logs.  But, after 
some period of time, we eventually begin to see bunches of "Invalid 
user:" radius logs.  The only thing that seems to fix this is to remove 
the ldap group lookups from the freeradius config.

In our ldap module, the basedn we specify is dc=auburn,dc=edu (as we 
have multiple user ou's).  Not sure if that might be causing an issue or 

One thing I have noticed is there are 3 ldap group lookups that each say 
"rlm_ldap::ldap_groupcmp: User found in group xxxx".  I have read posts 
about configuring the ldap module to us the inner-tunnel - which I have 
done.  Is there anyway to reduce the number of group lookups to only 
one?   Not sure if the extra lookups are causing unneeded traffic which 
may be causing issues?

Also, I see 10 Access-Request packets and about the same number of 
Access-Challenge packets..  Is this normal?  Just wondering if excessive 
unneeded traffic is what is overloading the AD/ldap servers?

Any help or suggestions will be appreciated.


Walter Gould
Auburn University

More information about the Freeradius-Users mailing list