Fwd: ldap group lookup help

Walter Gould gouldwp at auburn.edu
Wed Sep 8 17:55:00 CEST 2010


I never saw a reply to my e-mail below.  Would anybody have any thoughts 
or ideas on why our ldap group lookups fail after some period of 
time...?  If it would help to send debug output, I can...  Just for my 
information, are many folks out there using ldap/AD group lookups on 
large FR installs?

Thanks in advance,
Walter



-------- Original Message --------
Subject: 	ldap group lookup help
Date: 	Thu, 02 Sep 2010 09:49:02 -0500
From: 	Walter Gould <gouldwp at auburn.edu>
To: 	FreeRadius users mailing list <freeradius-users at lists.freeradius.org>



Group,

We are having problems with ldap group lookups...  Here's our
environment.  Using Freeradius 2.1.8 to authenticate wireless users
against our AD servers and perform ldap group membership lookups.  Using
WPA2-AES-PEAP-MSCHAPv2.  When radiusd is started, initially the lookups
work fine and we see successful auths in our radius logs.  But, after
some period of time, we eventually begin to see bunches of "Invalid
user:" radius logs.  The only thing that seems to fix this is to remove
the ldap group lookups from the freeradius config.

In our ldap module, the basedn we specify is dc=auburn,dc=edu (as we
have multiple user OUs).  Not sure if that might be causing an issue or
not?

One thing I have noticed is there are 3 ldap group lookups that each say
"rlm_ldap::ldap_groupcmp: User found in group xxxx".  I have read posts
about configuring the ldap module to use the inner-tunnel - which I have
done.  Is there any way to reduce the number of group lookups to only
one?  Not sure if the extra lookups are causing unneeded traffic which
may be causing issues?

Also, I see 10 Access-Request packets and about the same number of
Access-Challenge packets.  Is this normal?  Just wondering if excessive
unneeded traffic is what is overloading the AD/ldap servers?

Any help or suggestions will be appreciated.

Thanks,

Walter Gould
Auburn University
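One way to confine the group check to a single place in a FreeRADIUS 2.x PEAP/MSCHAPv2 setup, shown as an added illustration that is not from the original post or the FreeRADIUS project: the outer `default` site runs only `eap` for the anonymous outer identity, and the one `Ldap-Group` comparison (the thing that triggers `rlm_ldap::ldap_groupcmp`) sits in `inner-tunnel` post-auth, after the password has been verified. The group name `wireless-users` and the exact file layout are assumptions.

```text
# raddb/sites-available/default  (outer PEAP request, anonymous identity)
# Assumed layout; "wireless-users" below is a placeholder group name.
authorize {
    preprocess
    eap {
        ok = return      # outer identity is anonymous: stop here, no ldap call
    }
    # no "ldap" here: a lookup on the outer identity is wasted AD traffic
}

authenticate {
    eap
}

post-auth {
    # no Ldap-Group check here either: the outer identity is not the real user
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

# raddb/sites-available/inner-tunnel  (EAP-MSCHAPv2 inside the PEAP tunnel)
authorize {
    ldap                 # one user search; caches Ldap-UserDn in the request
    eap                  # sets Auth-Type EAP for the inner MSCHAPv2 exchange
}

authenticate {
    Auth-Type MS-CHAP {
        mschap           # password check against AD via ntlm_auth, not ldap
    }
    eap
}

post-auth {
    # Exactly one group comparison per authentication, and only after the
    # credentials were verified.  Comparing Ldap-Group runs ldap_groupcmp,
    # which reuses the cached Ldap-UserDn instead of searching for the user.
    if (Ldap-Group == "wireless-users") {
        ok
    }
    else {
        reject
    }
}
```

With `ldap` and every `Ldap-Group` reference removed from the outer site, the `users` file and the inner `authorize` section, this post-auth comparison is the only `ldap_groupcmp` call the debug output should show per login.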



