Groups in active directory and checks in MySQL

Alan DeKok aland at
Fri Aug 23 21:31:58 CEST 2013

Atomikramp wrote:
> I'm in a situation now where I can successfully retrieve group
> membership of users in the Active Directory LDAP tree using rlm_ldap,
> and check them against files.


> So if I have a user with "memberOf" attribute set to groupA
> and I set in the raddb/users the following entry:
> DEFAULT Ldap-Group == "groupA", Auth-Type := Reject
>         Reply-Message = "Not Allowed."
> I successfully deny access to that user.

  That should map directly to the SQL tables.

> Since I'm already using MySQL for storing accounting information I was
> really interested in being able to use the same backend (MySQL) also for
> performing checks against groups.
> If I perform checks against usernames using the table radcheck they work
> properly (users retrieved from the LDAP backend). I've tried setting a
> radcheck like the following:
> userA Max-Daily-Session := 7200
> and after 2 hours the user is unable to authenticate to the NAS because
> the time allowed has expired.
> But I can't seem to be able to do the same thing with the groups.

  Post the debug output.  And what do you have in SQL?

> I've configured sites-enabled/default like this:

  Note that the FAQ, README, "man" pages, and web pages ALL say to post
the debug output.  We really don't care about the configuration.  It
doesn't show what happens when the server receives a request.

  Alan DeKok.
