Freeradius + Ldap - Authorise OK but NO dynamic VLANs

Matthew Newton mcn4 at
Tue Aug 23 17:08:53 CEST 2016

On Tue, Aug 23, 2016 at 04:47:53PM +0200, Matthew Pulis wrote:
> This is slapcat (section ttester3):
> dn: cn=ttester3,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local
> sn: Testing
> cn: ttester3
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> structuralObjectClass: inetOrgPerson
> entryUUID: 42d2e1a8-fd6e-1035-856f-63ec2ba52e12
> creatorsName: cn=admin,dc=seminary,dc=local
> createTimestamp: 20160823111245Z
> userPassword:: e1NTSEF9NExWWWZkcjNEN01WZTE4WVhRdytBaXhWOVhkYjJwbGM=
> uid: ttester3
> description: Authenticated at 2016-08-23 13:27:32
> entryCSN: 20160823112732.246710Z#000000#000#000000
> modifyTimestamp: 20160823112732Z
> memberOf: cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local

OK, so memberOf is there.

> modifiersName: cn=admin,dc=seminary,dc=local

...but your debug output shows it can't be found:

> (0)     Checking user object's memberOf attributes
> (0)       Performing unfiltered search in "cn=ttester3,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
> (0)       Waiting for search result...
> (0)     No group membership attribute(s) found in user object

which would indicate there is a permission error - the user you
are binding as doesn't have access to read the memberOf attribute.

I don't think slapcat cares about permissions (so it can read
everything)? - so not as helpful as ldapsearch.

When the ldapsearch command I sent earlier (or similar) returns
the memberOf attribute, you should be fine. Until then, it's an
OpenLDAP config issue and nothing to do with FreeRADIUS.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list