group authorization

Alan DeKok aland at
Wed Mar 26 00:47:05 CET 2014

Brendan Kearney wrote:
> I have edited that file, and played with everything I can think of, or
> can find to try getting this working.

  That is entirely the wrong approach.  You don't "play" with things, or
randomly edit files.  You update the LDAP "filter" item with the LDAP
query string you want to use.

  You know the query string, why not use it in the "filter" configuration?

> For some reason the radiusReplyItem specified as an attribute of the
> groupOfNames is not being returned to the radius instance:
> [ldap] looking for reply items in directory...
> ...
> the output should be:
> [ldap] looking for reply items in directory...
>   [ldap] extracted attribute Cisco-AVPair from generic item Cisco-AVPair
> = "shell:priv-lvl=15"

  Yes, that should be there.  Unless it can't find the reply items in
the LDAP directory.  Then it won't find them... and it won't print out
the debug message saying that it found them.

> I don't know what I should be changing to have the correct query done
> from the radius side, so that ldap responds with what it already is
> configured to respond with.

  That sentence doesn't make sense.

  Alan DeKok.

More information about the Freeradius-Users mailing list