Freeradius with openldap

Mik J mikydevel at
Wed Nov 13 18:10:45 CET 2013

Hello Alan,

Thank you for your answer.

I disabled SQL because I assumed radiusd shouldn't look into the radcheck table to perform an authentication since I wanted to use LDAP. To me it's a bit strange that radiusd will query this table everytime knowing that it won't be used because the authentication is based on LDAP.

To make my tests I have:
1) Cleared any user's entry in the radcheck table
2) Added an entry into the radgroupcheck table as you suggested me
|  6 | testgroup | LDAP-Group | == | radiusldapgroup |
3) Created the radiusldapgroup on my LDAP server and added a user
4) Checked the entries I have created in the past for that group in the radgroupreply

| id | groupname | attribute               | op | value    |
|  3 | testgroup | Tunnel-Type             | =  | VLAN     |
|  4 | testgroup | Tunnel-Medium-Type      | =  | IEEE-802 |
|  5 | testgroup | Tunnel-Private-Group-Id | =  | 4        |
5) In the file /etc/raddb/modules/ldap have my group settings like that

groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
6) Check that I have read_groups=yes in sql.conf

7) Restarted the radiusd server (I always use option -X at the moment)

# radtest myuser mypassword 1812 mysecret
doesn't send me the attributes. I received rad_recv: Access-Accept though

I have a few questions:
a) My users are sitting in my ldap server and not in mysql so I'm not supposed to have a Fall-Through entry in the radreply table for myuser. Right ? And should I have read_groups=yes in sql.conf (section authorize {) ?
b) In /etc/raddb/sites-enabled/default, is the order important: first sql then ldap (default) or should it be first ldap then sql. I've noticed the debug output is different when I change the order.
The reason is that, the user credential should be checked against ldap first and then according to its group the attributes should be sent by radiusd. That's why I tried to put ldap before sql
c) I'm very confused about the line "groupmembership_attribute = radiusGroupName". Should I replace 
radiusGroupName by something else such as radiusldapgroup ?
d) When I start radiusd -X (ldap_debug = 0x0028 is not commented), I don't see my ldap server returning a group in the output on the screen. I would like to make sure that my groupname_attribute, groupmembership_filter and groupmembership_attribute are correct. How can I see what user's groups are received by the radiusd server ?


Le Mardi 12 novembre 2013 20h37, Alan DeKok <aland at> a écrit :
Mik J wrote:
>> I've managed to set up freeradius with sql.
>> When a user authenticates, the freeradius server returns the nas some
>> attributes.
>  That's fine.
>> Now I'm trying to use openldap to authenticate my user
>> # radtest myuser mypassword 1812 mysecret
>> This command works. The mysecret is stored into the nas table and
>> myuser/mypassword is stored in the openldap server. So I would say that
>> the connectivity with the ldap server works perfectly
>  You shouldn't have to do *anything* else.  The two pieces are independent.
>> But the command doesn't return the attributes I want.
>> In the file sites-enabled/default I have
>> authorize {
>> #files
>> #sql
>> ldap
>  OK... you disabled SQL.  Why?  It was returning attributes.
>  You really seem to be making random changes in the hope that it will
>magically work.  That is entirely the wrong approach.
>> I'm confuse how freeradius will proceed
>> - Search for myuser in the ldap using the account I provided in modules/ldap
>> - Check the users password
>  That's how LDAP works.  You have it working.
>> - Should openldap return the attributes I mentioned above or can this be
>> done with mysql ?
>  You already did this with MySQL.  Why did you change it?
>> - I'd like to return these attributes if myuser belongs to mygroup,
>> mygroup is created in openldap and myuser belongs to mygroup
>> I've seen the section in modules/ldap but I don't know how to test if I
>> configured is correct
>> groupname_attribute = cn
>> groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
>  You can do LDAP group checking via the LDAP-Group attribute.  Put that
>into the MySQL "check" items:
>    LDAP-Group == "name_of_group_to_check"
>  If the group matches, the reply attributes will be returned.
>  Alan DeKok.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list