LDAP groups and how to filter

Daniel Oakes daniel at 2600hz.com
Wed Feb 12 23:24:51 CET 2020

Many thanks – that was the kicker – adding the cacheable_name meant the groups ended up in the response and the unlang works!


From: Freeradius-Users <freeradius-users-bounces+daniel=2600hz.com at lists.freeradius.org>
Date: Thursday, 13 February 2020 at 10:58 AM
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Re: LDAP groups and how to filter
And you should enable cacheable_name or cacheable_dn (=yes)  if not done

On 12.02.2020 22:54, Alan DeKok wrote:
> On Feb 12, 2020, at 3:21 PM, Daniel Oakes <daniel at 2600hz.com> wrote:
>> So your first query works, but returns A LOT:
>> ldapsearch -D 'uid=admin,cn=users,cn=accounts,dc=server,dc=domain,dc=net' -w '<password>' -h localhost -s sub '(objectclass=posixAccount)' -b 'uid=doakes,cn=users,cn=accounts,dc=server,dc=domain,dc=net'
>    Which is asking for *all* of the user information.  Not just groups.
>> ...
>> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
>> memberOf: cn=employees,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
>> memberOf: cn=ops_training_wheels,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
>    Those are the groups.
>> Much output later.
>> So that works – I’m struggling with how that translates to the group filter.
>    In recent versions of the server, see mods-available/ldap.  It shows a sample of the query to use when asking for groups:
>        #  Group membership can be queried by using the above "ldapsearch" string,
>        #  and adding "memberof" qualifiers.  For ActiveDirectory, use:
>        #
>        #    ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
>   That's for AD "samaccountname".  But you can modify that for your LDAP server.
>> My mods-enabled/ldap has an identity and password configured in the ldap section.
>> My base_dn is ‘cn=accounts,dc=server,dc=domain,dc=net’
>    That's all good.
>> In the group section I change the filter to '(objectClass=posixAccount)' and uncommented scope = ‘sub’
>> Currently the membership filter is the default of :
>> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>> How is that modified to handle that above query so I get the groups?
>   It should pretty much just work.  Follow the documentation in the most recent versions of the server.
>    If you're running something from 5 years ago, well, the documentation has been updated.
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
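Putting the thread's pieces together, below is an rlm_ldap group section with cacheable_name enabled plus the unlang check that consumes it, written here as an added example rather than the poster's actual configuration. The group base_dn under cn=groups, the posixGroup object class and the group name "employees" are assumptions; everything else follows the values quoted in the thread.

```text
# mods-available/ldap (FreeRADIUS 3.x) -- added example, not the poster's file.
# Assumed: groups live under cn=groups,cn=accounts,... as posixGroup objects,
# and user entries carry memberOf, as the ldapsearch output in the thread shows.
ldap {
        server = 'localhost'
        identity = 'uid=admin,cn=users,cn=accounts,dc=server,dc=domain,dc=net'
        password = '<password>'          # placeholder, as in the thread
        base_dn = 'cn=accounts,dc=server,dc=domain,dc=net'

        user {
                base_dn = "cn=users,${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                base_dn = "cn=groups,${..base_dn}"    # assumed location of groups
                filter = '(objectClass=posixGroup)'   # assumed group object class
                scope = 'sub'
                name_attribute = cn
                # Resolve membership from the user's own memberOf attribute, which
                # the ldapsearch output shows the directory maintains.
                membership_attribute = 'memberOf'
                # Cache the resolved group names in the request so that unlang
                # comparisons against LDAP-Group can see them (the missing piece
                # in the thread above).
                cacheable_name = 'yes'
                cacheable_dn = 'no'
        }
}

# sites-enabled/default, relevant part of the authorize section
authorize {
        ldap
        if (LDAP-Group == "employees") {   # assumed group name
                ok
        }
        else {
                reject
        }
}
```

Check the result with `radiusd -X`: the debug output should list the cached group names after the ldap module runs, before the `if` is evaluated.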
