Authenticate users different Domain using LDAP group search

Luis Diaz ldiaz at
Tue Feb 4 13:45:12 CET 2014

Hi there!

Finally I figured it out. The problem lay on the ldap module. We were
trying to authenticate users from different domains using LDAP for group
searching and assigning some attributes.


The ldap module is running two different instances, one instance for the
first domain, second instance for the other one:

ldap domain1 {
                *necessary data for configuring ldap*

ldap domain2 {
                *necessary data for configuring ldap*

Then, reading --> Group Support

I configured the file users as the documentation says: "domain1-Ldap-Group
== " ;nevertheless, ldap search failed. It only searched inside one domain;
consequently, only users from that domain were found.

HOWEVER, I read again and I
found the key.

This sentence made the difference: "Make sure though that the ldap module
is instantiated before the files module so that it will have time to
register the corresponding attribute. One solution would be to add the ldap
module in the instantiate{} block in radiusd.conf"

The problem was that Radius were loading the file users before the ldap
module... so the LDAP attributes were not counting in the process search.

I changed the radius.conf in order to load ldap module before users file.

modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
        $INCLUDE sql.conf


instantiate {

Finally, the users file config:

DEFAULT domain1-Ldap-Group == "gr_users_wifi"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id:0 = "X"
DEFAULT domain2-Ldap-Group == "gr_users_wifi_domain2"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id:0 = "X"

It works!!!

Thanks a lot for the wiki! It was very useful even though sometimes it is
not read enough.

Have a good one,

On Fri, Jan 24, 2014 at 10:20 AM, Luis Diaz <ldiaz at> wrote:

> Hi there!
> First of all, I'd like to thank everybody in this forum for the help you
> provide. This forum has been very helpful for me in order to deploy and
> make my FreeRADIUS server work.
> However, I'm facing a config problem that I couldn't solve just searching
> on this forum. So, I need a little bit of help with it.
> I'm running FreeRADIUS Version 2.2.0 and I've managed to make the server
> work to authenticate users against our AD. I'm using ntlm_auth + mschap +
> ldap. Everything works very fine with domain users. I have no problem.
> I use the ldap module in order to authenticate just some users inside
> specific groups and also, assigning the VLAN dynamically.
> The issue comes when I try to authenticate users from a different domain.
> I highlight that both domains share a trust relationship.
> I read on the forum that just configuring NTLM module adding the trusted
> domain would work, but for the moment, it doesn't work.
> I'll show you part of my config for this purpose:
> NTLM_AUTH Module:
> exec ntlm_auth {
>         wait = yes
>         program = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
> --domain=%{%{mschap:NT-Domain}:-MAIN-DOMAIN}
> --domain=%{%{mschap:NT-Domain}:-TRUSTED-DOMAIN}--challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> }
> If I exec the command:
> ntlm_auth --request-nt-key --domain=TRUSTED-DOMAIN
> --username=USER-TURSTED-DOMAIN --password=********
> NT_STATUS_OK: Success (0x0)
> As you can see, ntlm module works. However, when the request comes through
> the radius I get a prompt from ldap module saying "object (user) not
> found".
> This is the error from the debug output:
> [ldap] object not found
> rlm_ldap::ldap_groupcmp: search failed
> The user from the trusted domain is inside the same group for users from
> my domain. The ldap search works for user form my domain, but fails when it
> tries to search a user from the trusted domain.
> I guess the problem lies on the ldap module. However, I don't fully
> understand where the config problem can be.
> Any help would be appreciate it very much.
> Thank you so much in advance. And have a great day!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list