FreeRADIUS + Cisco + Active Directory

Mathieu Simon (Lists) matsimon.lists at
Wed Jan 6 13:33:57 CET 2016

On 06.01.2016 at 13:20, Phil Mayers wrote:
> On 06/01/16 11:28, Matthew Newton wrote:
>> Exactly. What's wrong with LDAP here?
> Nested groups can be a pain.

They are often, I'd agree. I don't know how much performance penalty
there is for these AD specific queries but I recently got it ported from
a 2.x config I had. The initial thing back then I found was on a blog
from a Nasser Heidari*. The AD in question is by no means large from what
I can tell, thus: YMMV.

This is what used to work for me on 2.1/2.2 in modules/ldap:

groupmembership_filter =

In 3.0 mods-available/ldap I had to split it slightly to:

filter = '(objectCategory=group)'
membership_filter =

Now if this is totally wrong, I'm happy to learn how it's done better.
:-) From what I can tell so far, all nested memberships were retrieved
when I tried to trick it.

I was actually surprised how much I could easily port from a 2.x config
to 3.0 without much effort, great job! (I know I'm late to the game of
FreeRADIUS 3.0.) I actually like the changes that were made to the ldap
module so far.

-- Mathieu
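An added example, not from Mathieu's post or the FreeRADIUS project, of what a nested-group lookup has to compute: a transitive memberOf walk over a constructed in-memory directory, next to the direct memberOf view a plain LDAP group check sees, and a filter built with Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) with RFC 4515 escaping of the interpolated DN. The post's own filter values did not survive, so the filter here is an assumption about that technique, not a reconstruction of what was posted; all DNs are constructed sample values.

```python
# Added example (not from the mailing-list post): shows what resolving nested
# AD group membership means, using a constructed in-memory directory.
from collections import deque

# Constructed sample directory: DN -> DNs the object is a *direct* member of.
ALICE = "CN=alice,OU=Users,DC=example,DC=test"
BOB = "CN=bob,OU=Users,DC=example,DC=test"
HELPDESK = "CN=helpdesk,OU=Groups,DC=example,DC=test"
IT_STAFF = "CN=it-staff,OU=Groups,DC=example,DC=test"
NET_ADMINS = "CN=network-admins,OU=Groups,DC=example,DC=test"
SAMPLE_MEMBER_OF = {
    ALICE: [HELPDESK],
    HELPDESK: [IT_STAFF],
    IT_STAFF: [NET_ADMINS, HELPDESK],   # deliberate cycle: AD allows these
    NET_ADMINS: [],
    BOB: [NET_ADMINS],
}


def direct_groups(user_dn, member_of=SAMPLE_MEMBER_OF):
    """What a plain memberOf lookup returns: only first-level groups."""
    return set(member_of.get(user_dn, []))


def nested_groups(user_dn, member_of=SAMPLE_MEMBER_OF):
    """Transitive closure of memberOf; the visited set makes group cycles terminate."""
    seen, queue = set(), deque(member_of.get(user_dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def chain_membership_filter(user_dn):
    """Filter asking AD for every group the user is transitively a member of.
    The OID is Microsoft's LDAP_MATCHING_RULE_IN_CHAIN (assumed, not from the post)."""
    return ("(&(objectCategory=group)"
            f"(member:1.2.840.113556.1.4.1941:={ldap_escape(user_dn)}))")
```

Comparing `direct_groups` with `nested_groups` for the same user is the offline equivalent of Mathieu's "trick it" check: a group that shows up only in the nested set is one a non-transitive filter would silently miss.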

