Authenticating users on LDAP based on Group name

Alan DeKok aland at
Wed Apr 22 21:37:35 CEST 2015

On Apr 22, 2015, at 3:25 PM, Jose Torres-Berrocal <jetsystemservices at> wrote:
> In the current two scenarios both return Access-Accept.

  Yes... it helps to be clear from the *start*.  If you had posted a good description earlier, the problem would have been solved earlier.  By keeping the description secret, you've made it difficult for people to help you.

> But:
> 1. Not using group options if I enter the wrong password the result is
> Reject for any user in the LDAP database, and using the correct password
> the result is Accept for any group.

  What does "not using group options" mean?

> 2. Using group options, result is Reject if does not belong to the group,
> but Accept to the users in the group even if they enter wrong password
> because is not Authenticating.

  What the heck does that mean?  It returns Access-Accept even when it's not authenticating the user?  Just what have you done to butcher the configuration?

> What I need is get a result of Accept only if belongs to the group and
> enter the correct password. In a way I could say that I need to Authorize
> by Group and Authenticate by User.

  No.  Your explanation is *wrong*.  Your use of the terminology is wrong, too.  That's probably why you're having such a hard time solving this problem.  Because you're not using the right words... and you're not understanding the concepts... and your "solution" is based on misunderstanding.

  When you use "ldap" in the "authorize" section, FreeRADIUS will read any password configured for that user.  That password will then be used to authenticate the user.

  I'm presuming that's how you want the server to authenticate users.  Is that right?

  And then what do you want for LDAP groups?  Saying "using group options" is vague to the point of being meaningless.  Say EXACTLY what you mean:

	- I want users in group X to be authenticated, and users in group Y to be rejected.

  Is that it?

  Right now, all I know is that you want to do things with LDAP groups.  Well, that doesn't mean anything.  And it's starting to be frustrating that I'm trying to help you, and you're doing everything EXCEPT give a clear explanation of what you want.

  How about I give you a "solution" which is as vague as your question?  I suggest you do stuff with LDAP groups.  That will fix it!

  Not helpful.

 Alan DeKok.
