Freeradius with openldap

Alan DeKok aland at
Tue Nov 12 20:36:59 CET 2013

Mik J wrote:
> I've managed to set up freeradius with sql.
> When a user authenticates, the freeradius server returns the nas some
> attributes.

  That's fine.

> Now I'm trying to use openldap to authenticate my user
> # radtest myuser mypassword 1812 mysecret
> This command works. The mysecret is stored into the nas table and
> myuser/mypassword is stored in the openldap server. So I would say that
> the connectivity with the ldap server works perfectly

  You shouldn't have to do *anything* else.  The two pieces are independent.

> But the command doesn't return the attributes I want.
> In the file sites-enabled/default I have
> authorize {
> #files
> #sql
> ldap

  OK... you disabled SQL.  Why?  It was returning attributes.

  You really seem to be making random changes in the hope that it will
magically work.  That is entirely the wrong approach.

> I'm confuse how freeradius will proceed
> - Search for myuser in the ldap using the account I provided in modules/ldap
> - Check the users password

  That's how LDAP works.  You have it working.

> - Should openldap return the attributes I mentioned above or can this be
> done with mysql ?

  You already did this with MySQL.  Why did you change it?

> - I'd like to return these attributes if myuser belongs to mygroup,
> mygroup is created in openldap and myuser belongs to mygroup
> I've seen the section in modules/ldap but I don't know how to test if I
> configured is correct
> groupname_attribute = cn
> groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

  You can do LDAP group checking via the LDAP-Group attribute.  Put that
into the MySQL "check" items:

	LDAP-Group == "name_of_group_to_check"

  If the group matches, the reply attributes will be returned.

  Alan DeKok.

More information about the Freeradius-Users mailing list