FR 3.0.1 and LDAP group membership

Brendan Kearney bpk678 at
Tue May 27 19:55:18 CEST 2014

On Tue, 2014-05-20 at 06:39 +0100, Arran Cudbard-Bell wrote:
> On 20 May 2014, at 02:03, Brendan Kearney <bpk678 at> wrote:
> > i want to authenticate users against my kerberos instance (working now),
> > and authorize them based on LDAP group memebership.  i am stuck getting
> > authorization working, because i must be missing something fundamental.
> > 
> > i copied mods-available/ldap to mods-available/ldap.orig and made the
> > following edits:
> > 
> > changed "server" to
> > changed "identity" and "password" to cn=Manger,dc=my-domain,dc=com, and
> > the corresponding password.
> > changed "base_dn" to ou=Users,dc=bpk2,dc=com
> > commented out control:Password-With-Header	+= 'userPassword' as LDAP
> > will not be managing any passwords
> > changed filter from objectClass=posixGroup to groupOfNames
> > changed membership_filter to be member= and not memberUid= in the second
> > OR'd condition
> > uncommented filter="(objectclass=radiusprofile)"
> > 
> > i have created a group in the DIT called netEngineers, added my ID to
> > the group, added the radiusprofile object class and added a
> > radiusreplyitem of "Cisco-AVPair = "shell:priv-lvl=15"" to the group.
> Groups don't return replyItems only profiles do. Groups are only 
> used for checking membership, they cannot contain attributes themselves.
> Note that your profile attribute could be the same as your group
> attribute i.e. memberOf, in which case you'd just need to add the
> group objects to the radiusprofile object.
> > i have added the radiusprofile object class to my id and added the
> > radiusgroupname attribute, and the value "netEngineers" to the
> > attribute.
> You still have 'attribute' commented out in the profile section.
> How will it know which attribute contains profiles?
> > when i run radiusd -X and then radtest, i run a packet capture.  the
> > capture does not show the radiusreplyitem being replied back.  it seems
> > that i am not properly configuring the group checking, but dont know
> > where i am going wrong.  where am i going wrong?
> You're meant to check for individual groups. They're not meant to be 
> container objects for attributes.
> Your policy should contain something like
> if (LDAP-Group == 'foo') {
> 	bar
> }
> If you want to check for specific group memberships, but I don't think
> that's what you're trying to do.
> -Arran
> Arran Cudbard-Bell <a.cudbardb at>
> FreeRADIUS Development Team
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> -
> List info/subscribe/unsubscribe? See

backing up a bit...

users, groups and profiles.

i want to have a group that i add users to, and when users are added to
that group, they inherit radius attributes which allow them access to a
resource.  the means would be the value of a radiusreplyitem.

i have created a user, uid=brendan,ou=Domain
i have created a group, cn=netEngineers,ou=Domain
i have created a profile,
the profile has a radiusreplyitem with a value of Cisco-AVPair =

how do i go about tying group membership to the profile (or vice versa,
if that is what i am supposed to do)?

i have uncommented the attribute line in the profile section, and
changed its value to memberOf.  i see in a capture that the groups i am
a member of are queried for the radiusprofile objectclass.  the
netEngineers group has that objectclass and a radiusprofiledn attribute
pointing to the profile that has the radiusreplyitem.  i do not see the
query for the profile or the radiusreplyitem string in the radiusd -X
output or in the radtest output.  what are the appropriate ways of tying
this all together?

thanks, brendan

More information about the Freeradius-Users mailing list