Ldap/freeradius gidnumber attribute check issue

David Francisco Rodriguez Perez david.francisco.rodriguez at gmail.com
Thu Sep 3 16:42:35 CEST 2015

HI all

I am using freeradius to do 802.1x authentication (Peap/mschapv2) to an
LDAP (openldap). Freeradius version 2.1.10 in Ubuntu 12.04.  This is a
Proof of Concept so far. The authentication is working fine but I have not
been able to match a group number in order to return a specificattribute.
My directory looks like:

dn: ou=Gente,dc=testexample,dc=com
objectClass: organizationalUnit
ou: Gente

dn: ou=Groups,dc=testexample,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=students,ou=Groups,dc=testexample,dc=com
objectClass: posixGroup
cn: students
gidNumber: 5000

dn: uid=david,ou=Gente,dc=testexample,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: radiusprofile
objectClass: sambaSamAccount
uid: david
sn: Rodriguez
givenName: David
cn: David Rodriguez
displayName: David Rodriguez
uidNumber: 10000
gidNumber: 5000
dialupAccess: access_attr
sambaSID: S-1-0-0-201000

So as I read i should use groupmembership_attribute but I did not found a
way to use it. So I put in the dictionary:

ATTRIBUTE GroupNumber 3003    integer

And then I put in the ldap.attrmap file:

checkItem GroupNumber gidNumber

And then I put in the users file:

DEFAULT  GroupNumber == 5000
Filter-Id :="UNP-test"

But I do not see that the match is working. Even I tried to put in the
authorize part of default file

update reply {

            Filter-Id:= %(GroupNumber)
 But it did not expand anything.

So how should I derive the gidNumber in order to return an attribute to the

Thanks a lot,


More information about the Freeradius-Users mailing list