group membership on LDAP/AD servers

Alan DeKok aland at
Thu Jul 25 14:13:41 CEST 2019

On Jul 25, 2019, at 5:29 AM, Stefano Cailotto [EDALab] <stefano.cailotto at> wrote:
> I'm configuring a server that is connected to a 389ds (ldap) server and to an AD server for authentication and authorization (on AD, authentication is performed through ntlm_auth and authorization, membership checking, through ldap protocol)
> Authorization too works flawlessly if in the authorize section I use only one kind of server (ldap1 (389ds) works for user scailotto, ad_corporate_1 works for stefano.cailotto)

  So you've set up two instances of the "ldap" module?

> The main problem arises when radius tries to match group membership for the user, as it always points to AD server.

  If you have two instances of the LDAP module, you can do group checking on a per-module basis.

  i.e. if you have:

ldap ldap1 {
	...
}

ldap ad_corporate_1 {
	...
}

  Then you can do group checking with:

ldap1-LDAP-Group == ...


ad_corporate_1-LDAP-Group == ...

> I tried to play with group statements to force using both servers, but with no success.
> If I understand the debug info well, the query is performed starting from the "files" module: the users file contains statements like
> DEFAULT Ldap-Group == "delivery-ip", Huntgroup-Name == "junos-tac"

  LDAP-Group will just use the "ldap { ... }" module configuration.

  Alan DeKok.
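The two-instance layout described above, written out as an added example in FreeRADIUS 3.x configuration syntax. It is not taken from the original thread or from the FreeRADIUS project; the server URLs, base DNs, bind credentials, object classes and the reply item are assumptions chosen to fit a 389ds directory and an Active Directory. The point it shows is that each "ldap" instance gets its own group attribute, so a bare "Ldap-Group" check only ever refers to an instance literally named "ldap", while "ldap1-LDAP-Group" and "ad_corporate_1-LDAP-Group" each query their own server.

```unlang
# mods-enabled/ldap1: the 389ds instance (assumed host, DNs and schema).
ldap ldap1 {
	server = "ldap://ds.example.org"
	base_dn = "dc=example,dc=org"

	user {
		base_dn = "ou=People,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	# Registers the attribute "ldap1-LDAP-Group" for group checks.
	group {
		base_dn = "ou=Groups,${..base_dn}"
		filter = "(objectClass=posixGroup)"
		name_attribute = cn
		# posixGroup lists members by uid rather than by DN (assumed schema).
		membership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

# mods-enabled/ad_corporate_1: the AD instance. Authentication still goes
# through ntlm_auth; this instance is only used for group membership.
# Bind account and password are placeholders.
ldap ad_corporate_1 {
	server = "ldap://dc1.corp.example.com"
	identity = "CN=radius,OU=Service Accounts,DC=corp,DC=example,DC=com"
	password = "changeme"
	base_dn = "DC=corp,DC=example,DC=com"

	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	# Registers the attribute "ad_corporate_1-LDAP-Group".
	group {
		base_dn = "${..base_dn}"
		filter = "(objectClass=group)"
		name_attribute = cn
		# AD keeps the group list on the user object.
		membership_attribute = memberOf
	}
}

# mods-config/files/authorize (the "users" file): one DEFAULT per directory.
# The original line "DEFAULT Ldap-Group == ..." would only consult an
# instance named "ldap", which does not exist here. Entries are tried in
# order; the first one whose check items all match wins.
# (Reply item is an assumption for the example.)
#
# DEFAULT	ldap1-LDAP-Group == "delivery-ip", Huntgroup-Name == "junos-tac"
# 		Service-Type := Administrative-User
#
# DEFAULT	ad_corporate_1-LDAP-Group == "delivery-ip", Huntgroup-Name == "junos-tac"
# 		Service-Type := Administrative-User

# sites-enabled/default, authorize section: the same checks in unlang,
# for people who prefer to keep policy out of the users file.
authorize {
	preprocess
	ldap1
	ad_corporate_1

	if (Huntgroup-Name == "junos-tac") {
		# Each comparison runs a membership query against its own server.
		if ((ldap1-LDAP-Group == "delivery-ip") || (ad_corporate_1-LDAP-Group == "delivery-ip")) {
			update reply {
				Service-Type := Administrative-User
			}
		}
		else {
			reject
		}
	}
}
```

With "radiusd -X" the debug output names the instance that performs each group lookup, so a check against the wrong directory is visible as a search against the wrong server URL.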
