Freeradius with openldap

Alan DeKok aland at
Wed Nov 13 21:10:21 CET 2013

Mik J wrote:
> I disabled SQL because I assumed radiusd shouldn't look into the
> radcheck table to perform an authentication since I wanted to use LDAP.

  That's your problem in a nutshell.  You *assume* how things work.  You
don't *understand*.

  There's a huge difference between the two.  The difference is why
you're having problems.

> To me it's a bit strange that radiusd will query this table every time
> knowing that it won't be used because the authentication is based on LDAP.

  Do you understand the difference between SQL and LDAP databases?  Or
the difference between the information FreeRADIUS gets from SQL and from

> To make my tests I have:

  Maybe that works.  I don't know, because you have divided the problem
into pieces, and tested each piece.  You're doing lots of things all at
the same time.

> Unfortunately
> # radtest myuser mypassword 1812 mysecret
> doesn't send me the attributes. I received rad_recv: Access-Accept though

  So... you ran the server in debugging mode, but didn't bother to look
at the output.  Instead, you're only looking at the output of radtest.

  Do you want to solve the problem?  If so, why are you trying HARD to
avoid solving it?

> I have a few questions:

  So do I.

  Why am I answering your questions when you're not following
instructions?  You've followed some, sure.  But the main one is to READ
the output of debug mode, or at least post it here.

  You're not doing that.

> a) My users are sitting in my ldap server and not in mysql so I'm not
> supposed to have a Fall-Through entry in the radreply table for myuser.
> Right? And should I have read_groups=yes in sql.conf (section authorize
> {)?

  How about you read doc/rlm_sql?  This is documented.

  I could cut & paste the answer here.  But if you're too lazy to read
the docs, I'm too lazy to cut & paste them here.

> b) In /etc/raddb/sites-enabled/default, is the order important: first
> sql then ldap (default) or should it be first ldap then sql.

  What do the docs say?

> I've
> noticed the debug output is different when I change the order.

  So you do read it... you just don't pay much attention to it.

> The reason is that, the user credential should be checked against ldap
> first and then according to its group the attributes should be sent by
> radiusd. That's why I tried to put ldap before sql.
> c) I'm very confused about the line "groupmembership_attribute =
> radiusGroupName". Should I replace radiusGroupName by something else
> such as radiusldapgroup?

  You should definitely NOT make random changes.  It's clear you don't
understand how it works.  That's OK, but you should be asking questions
about HOW it works, rather than looking for magical solutions.

> d) When I start radiusd -X (ldap_debug = 0x0028 is not commented), I
> don't see my ldap server returning a group in the output on the screen.

  It doesn't.  It's not supposed to.

> I would like to make sure that my groupname_attribute,
> groupmembership_filter and groupmembership_attribute are correct. How
> can I see what user's groups are received by the radiusd server?

  You don't.  You use the LDAP-Group == "name" check, and the server
does LDAP queries to see if the user is a member of that group.

  Again, you're stuck in magical thinking.  You believe some random
change will make it all magically work.

  It won't.  You need to UNDERSTAND how it works.  How the pieces work
together.  Only then will you be able to create a solution.

  Alan DeKok.
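An added illustration of the Ldap-Group check item described above, not taken from this thread or from the FreeRADIUS distribution. It uses FreeRADIUS 2.x `users` file syntax, and the group names and reply attributes are assumed placeholders.

```text
# raddb/users: the server evaluates each Ldap-Group check by running the
# configured group query itself. Membership is decided inside rlm_ldap; it
# is never returned as a user attribute, which is why it does not show up
# as a group in the LDAP reply in debug output. Without Fall-Through, the
# first matching entry ends processing, so the most privileged group is
# listed first.

DEFAULT  Ldap-Group == "vpn-admins", Auth-Type := LDAP
         Reply-Message = "admin access"

DEFAULT  Ldap-Group == "vpn-users", Auth-Type := LDAP
         Reply-Message = "user access"

# Anyone who is not in an authorized group is rejected, even if the
# credentials would have validated against LDAP.
DEFAULT  Auth-Type := Reject
         Reply-Message = "not a member of an authorized LDAP group"
```

Running `radiusd -X` shows which Ldap-Group comparison matched in the `users` processing lines, which is the place to verify groupname_attribute, groupmembership_filter and groupmembership_attribute rather than by looking for a group attribute in the LDAP response.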
