Group checking in ldap authorization

Robert Roll Robert.Roll at
Tue Mar 22 15:24:11 CET 2011

 I have an ldap module that I want to force to do group checking.
Reading the documentation, it seems that there should be an attribute (I'm assuming control?)
that should force that check ?  i.e.   instance-name-Ldap-Group ..

 I notice that the ldap module seems to have group checking disabled by default. I thought
that uncommenting the group config below should enable it ?

	#  Group membership checking.  Disabled by default.
	 groupname_attribute = cn
	 groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
	 groupmembership_attribute = radiusGroupName

Below is what I have in my authorization section. I 

         update control {
            ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu"

	 ldapADut { 
           notfound = reject 

Looking at the debug, it seems that there is no attempt to actually do any group checking ?

What am I doing wrong ?



More information about the Freeradius-Users mailing list