Jean Carlos Coelho coelho at teltecsolutions.com.br
Fri Dec 13 12:49:03 CET 2013


Simple question: my client has configured the LDAP database with no ou=groups, only ou=people, and all the users have some different object classes, some “students” and some “teachers”; the LDAP database does not have posixGroup or memberUid… My ldap configuration for the “group” search is:

  groupname_attribute = ou

  groupmembership_filter = "(&(dc=domain,dc=org)(uid=%u))"

I have tried many other options as well.. :(

This is an example user:


dn: ou=students,dc=domain,dc=org
ou: students
objectClass: organizationalUnit
objectClass: top

dn: ou=teachers,dc=domain,dc=org
ou: teachers
objectClass: organizationalUnit
objectClass: top

dn: ou=employees,dc=domain,dc=org
ou: employees
objectClass: organizationalUnit
objectClass: top

dn: uid=19221422470,ou=student,dc=ufsm,dc=br
mail: fab at cpd.domain.org
eduPersonPrincipalName: OJLADOIA-CXQLBAAA at domain.org
uid: 19221422470
objectClass: person
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: sambaSamAccount
objectClass: brPerson
cn: Student Name
sn: Student Last Name
sambaSID: 19221422470

dn: brEduAffiliation=1,uid=19221422470,ou=students,dc=domain,dc=org
objectClass: brEduPerson
brEduAffiliation: 1
brEntranceDate: 20120503
brEduAffiliationType: student


Radius debug output (USER OK.. But can’t search “groups”)…

radtest 42833582820 teste2013 100 123456789
Sending Access-Request of id 124 to port 1812
User-Name = "42833582820"
User-Password = "teste2013"
NAS-IP-Address =
NAS-Port = 100
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host port 1812, id=124, length=20

# Executing section post-auth from file /etc/freeradius/sites-enabled/domain-ldap
+- entering group post-auth {...}
++? if (LDAP-Group == "teachers")
  [ldap] Entering ldap_groupcmp()
expand: dc=domain,dc=org -> dc=domain,dc=org
expand: (&(dc=domain,dc=org)(uid=%u)) -> (&(dc=domain,dc=org)(uid=42833582820))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=domain,dc=org, with filter (&(ou=teachers)(&(dc=domain,dc=org)(uid=42833582820)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group teachers not found or user is not a member.
? Evaluating (LDAP-Group == "teachers") -> FALSE
++? if (LDAP-Group == "teachers") -> FALSE
} # server ldap

So.. I don’t have a group, I have different object classes for separate users. Is there some way to collect this information from brEduAffiliationType with the rlm_ldap group options? Or will I have to create groups, add the users to these groups and populate the memberUid attribute, which (I know) works..
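As an added example (not part of the original post, and not rlm_ldap code): a small offline evaluator for the two filters seen in the debug output, run against the entries quoted above. It assumes the user DN normalised to dc=domain,dc=org / ou=students, and it understands only AND and equality filters, which is all those filters use; it shows that no single entry carries both ou=teachers and the uid, and that the affiliation lives in a child entry of the user rather than on the user itself.

```python
# Constructed from the LDIF quoted in the post; the user DN is normalised to
# dc=domain,dc=org / ou=students so it sits under the same base as the rest.
LDIF = """
dn: ou=teachers,dc=domain,dc=org
ou: teachers
objectClass: organizationalUnit

dn: uid=19221422470,ou=students,dc=domain,dc=org
uid: 19221422470
objectClass: inetOrgPerson
objectClass: brPerson

dn: brEduAffiliation=1,uid=19221422470,ou=students,dc=domain,dc=org
objectClass: brEduPerson
brEduAffiliationType: student
"""
def parse_ldif(text):
    """Return a list of entries, each {lower-cased attribute: [values]}."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def split_components(s):
    # "(a=b)(&(c=d)(e=f))" -> ["(a=b)", "(&(c=d)(e=f))"]
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            parts.append(s[start:i + 1])
            start = i + 1
    return parts

def matches(entry, flt):
    """Evaluate (&(...)...) or (attr=value); (dc=domain,dc=org) is a plain equality test."""
    if flt.startswith("(&"):
        return all(matches(entry, sub) for sub in split_components(flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def search(flt, base="dc=domain,dc=org"):
    """DNs under base (scope sub) matching flt, as rlm_ldap's group search does."""
    return [e["dn"][0] for e in parse_ldif(LDIF)
            if e["dn"][0].lower().endswith(base.lower()) and matches(e, flt)]
```

Calling `search` with the filter from the debug output returns an empty list, while `(&(objectClass=brEduPerson)(brEduAffiliationType=student))` returns only the brEduAffiliation child entry, not the user entry that `uid=%u` points at.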