LDAP groups and how to filter

Matthew Newton mcn at freeradius.org
Wed Feb 12 11:29:25 CET 2020

On Tue, 2020-02-11 at 23:53 +0000, Daniel Oakes wrote:
> Thanks that definitely got me a lot closer – but for some reason I’m
> not getting an expansion of the groups, so suspect that it’s probably
> something to do with the bind user:

Don't try and enumerate all the groups in FreeRADIUS. Configure the
LDAP module correctly and then use unlang to check groups, similar to
how you posted earlier.

if (LDAP-Group == "LDAP Group One") {
        update reply {
		Fortinet-Group-Name := 'group1'
elsif (LDAP-Group == "LDAP Group Two") {
        update reply {
		Fortinet-Group-Name := 'group2'
(....) {

There are two ways you can check LDAP group membership. Most efficient
is normally to use the "memberOf" attribute, see "membership_attribute"
in mods-available/ldap. This is a virtual attribute maintained by the
LDAP server for each entry with a list of all the groups that entry is
a member of. Not all LDAP servers provide it, or it might not be

The alternative is to use a filter and look for all groups that contain
"member={search DN}". This may be slower, but should be supported on
all LDAP servers. See "membership_filter" in the ldap config.

In both cases, you need server permission to be able to either read all
relevant groups (membership_filter), or the memberOf attribute

So, like Alan said, use `ldapsearch` to do the search to check that
FreeRADIUS can get the result, then configure the group member options
in LDAP as required and use the special LDAP-Group attribute above to
do the checking. Don't try and enumerate group memberships in unlang,
the module does the checking for you. Using &LDAP-Group[*] is likely
the wrong approach.

There's a lot more at https://wiki.freeradius.org/modules/Rlm_ldap


More information about the Freeradius-Users mailing list