Freeradius 3.0.12 not processing LDAP control/check items

Alan DeKok aland at
Fri Apr 13 22:47:01 CEST 2018

On Apr 13, 2018, at 4:31 PM, Jan Baumann <freeradius at> wrote:
> I have a well running freeradius 3.0.12 (Debian 9 package) with mysql und openldap backends.

  You should really upgrade.

> Usernames are of course unique and exist either only in ldap or mysql.
> Everything works for ldap and mysql users, except one thing:
> If I add a check-item into mysql radcheck table it works as expected.
> If I add the same item into openldap, it is not taken care of and access is always permitted if the item matches the request or not.

  The comments in raddb/mods-available/ldap explain how the module works.  It says nothing about matching items.

> But... if I add a reply-item to openldap is is delivered as part of the radius access accept message.
> debug output:
> (0) ldap: User object found at DN „uid=jbaumann,ou=people,dc=cyberways,dc=net"
> (0) ldap: Processing user attributes
> (0) ldap: control:Cleartext-Password := '12345'

  That works.

> Radius pulls the NAS-Identifier control item from ldap correctly, but does not reject the request if it does not match.

  Because nothing in the documentation says this is how the LDAP module works.

> For the cleartext password it works.

  Because the PAP module looks at control:Cleartext-Password.

> I don’t see any hints of processing NAS-Identifier in the debug output at all, regardless which operator (=, := or +=) I try.
> It also pulls the Tunnel-Private-Group-ID reply item from ldap and successfully puts it into the reply message.
> So my ldap users can successfully log in with PEAP, but into any wifi SSID. Mysql users are correctly rejected if the NAS-Identifier does not match.
> config of ldap module:
> compare_check_items = yes

  What's that from?  There's no such configuration in v3.

> update {
>         control:Cleartext-Password      := 'userPassword'
>         control:Expiration              := 'radiusExpiration'
>         control:NAS-Identifier          := 'radiusNASIdentifier'

  The documentation is clear on what that does.  It's looking at the "control" list, NOT the request.  It's setting the value based on ":=", not comparing it.

  So even if the LDAP module did compare items (which it doesn't), the above configuration would still be wrong.

> I am trying to fix this for the entire past week, so may I please ask the experts here.
> How are ldap check items meant to be configured and work in freeradius 3? 

  They don't.  There's no documentation which says that this works.

  The good news is that there's a simple fix.  Edit the "authorize" section of the virtual server, and add some text after the line containing "ldap":

	if (control:NAS-Identifier && control:NAS-Identifier != NAS-Identifier) {

  Which I think is what you want.

  Alan DeKok.

More information about the Freeradius-Users mailing list