Ldap/freeradius gidnumber attribute check issue

Alan DeKok aland at deployingradius.com
Fri Sep 4 23:14:33 CEST 2015

On Sep 4, 2015, at 12:06 AM, David Francisco Rodriguez Perez <david.francisco.rodriguez at gmail.com> wrote:
> So far what I can do at ldapsearch is to look using the gidNumber and I get:
> $ ldapsearch -x -LLL -b ou=Groups,dc=testexample,dc=com
> '(&(objectClass=posixGroup)(gidNumber=5000))'
> dn: cn=students,ou=Groups,dc=testexample,dc=com
> objectClass: posixGroup
> cn: students
> gidNumber: 5000

  The key thing is then to use the same LDAP search in FreeRADIUS.

> So how can I populate Ldap-Group with "students" in this case?

  You don't.  It's done automatically if you have the correct LDAP search filter.

> Now going back to the output below (too big), where I put at the users file
> DEFAULT GroupNumber == 5000
> Filter-Id :="test"

  Don't do that.  You don't need to do it.  You're wasting your time trying to re-implement functionality that already works in FreeRADIUS.

>  When I change that to Ldap-Group="student" I see on the output
> that it tries to query for students but as I do not have objectclass
> GroupofNames it does not work:
> [ldap] performing search in dc=testexample,dc=com, with filter
> (&(cn=students)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
>  [ldap] object not found

  Is that the same filter as you used above for ldapsearch?

  If not, you should use the same filter.

  And test it with radtest first.  That avoids all of the complexity of EAP.

  Alan DeKok.

More information about the Freeradius-Users mailing list