LDAP group checking stopping before the whole group list is checked

Ian Pilcher arequipeno at gmail.com
Mon Jun 10 16:55:24 CEST 2019

On 6/10/19 7:20 AM, Adam Bishop wrote:
> I'm having an issue with ldap group checking where FreeRADIUS appears
> to bail out early if it encounters a group DN it can't resolve.

I ran into this exact issue.

> Can I get it to continue reading the list of groups if it fails to
> resolve one, or is this intended (or something I've screwed up in the
> config)?

Check the comments for group/membership_attribute in

   # Unless a conversion between group name and group DN is
   # needed, there's no requirement for the group objects
   # referenced to actually exist.

I was able to prevent radiusd from trying to resolve the group by using
the group's complete DN in sites-available/default, rather than just the
group name.

So instead of:

   if (LDAP-Group == "lab_admins") {
       update reply {
           Cisco-AVPair := "shell:priv-lvl=15"
       }
   }

I have:

   if (LDAP-Group == "cn=lab_admins,cn=groups,cn=accounts,dc=...") {
       update reply {
           Cisco-AVPair := "shell:priv-lvl=15"
       }
   }

> (3)  Debug:     if (&LDAP-Group[*] == "%{client:ldap_group}") {
> (3)  Debug:     EXPAND %{client:ldap_group}
> (3)  Debug:        --> switching-admins

If you can get %{client:ldap_group} to expand to the group's full DN
(or even manually "munge" it) radiusd shouldn't try to resolve the


Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
