Group checking in ldap authorization

Phil Mayers p.mayers at
Wed Mar 23 10:14:03 CET 2011

On 03/22/2011 06:15 PM, Robert Roll wrote:
> This does seem to work differently than I thought..

Yeah, like I say: it's a virtual attribute that does the group search 
when you "compare" it.

>   My model was something like  ntlm_auth, which allows an authentication,
> but one can also require membership in a group at the same time...
> i.e.   ntlm_auth   ...    --require-membership-of={SID|Name}

Nope, different.

>   What I was really hoping is that I could look someone up in the
> directory in the user tree, but also then require they be in a
> particular group.  The group would actually have a specific
> replyItem attribute that would return a VLAN if the user
> was part of the group...
>    There are other ways of accomplishing this ....

I think you may want the LDAP "profiles" stuff?

Or, use an xlat:

update reply {
   Tunnel-Private-Group-Id = "%{ldap:<ldap query url here>}"
}
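
The group requirement and per-group VLAN discussed in this thread, as an added example that is not part of the original message or of FreeRADIUS's shipped configuration. It assumes FreeRADIUS 2.x with rlm_ldap and the radiusTunnelPrivateGroupId attribute (from the FreeRADIUS LDAP schema) stored on the group entry; the DNs, the group name and the use of Tmp-String-0 as scratch space are constructed for illustration.

```unlang
# Fragment for a virtual server (e.g. sites-available/default).
# All DNs and names below are constructed placeholders.

authorize {
    # Finds the user entry; on success rlm_ldap stores the user's DN
    # in control:Ldap-UserDn for later use.
    ldap
}

post-auth {
    # One LDAP search does both jobs: the filter only matches the group
    # entry if the user's DN is a member, and the requested attribute is
    # the VLAN stored on that group. No match expands to an empty string.
    update control {
        Tmp-String-0 := "%{ldap:ldap:///ou=groups,dc=example,dc=org?radiusTunnelPrivateGroupId?sub?(&(cn=staff-vlan)(member=%{control:Ldap-UserDn}))}"
    }

    if ("%{control:Tmp-String-0}" != "") {
        # Member of the group: return the group's VLAN.
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = "%{control:Tmp-String-0}"
        }
    }
    else {
        # Not a member (or the lookup failed): fail closed rather than
        # admitting the user to the switch's default VLAN.
        reject
    }
}

# Alternative using the virtual attribute from the message above: the
# comparison itself triggers the group search, but the VLAN then has to
# be hard-coded per group instead of read from the directory.
#
#   if (Ldap-Group == "cn=staff-vlan,ou=groups,dc=example,dc=org") {
#       update reply {
#           Tunnel-Private-Group-Id = "120"
#       }
#   }
```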
