Group checking in LDAP module

Alan DeKok aland at
Mon Jan 6 18:02:29 CET 2020

On Jan 5, 2020, at 12:21 PM, uj2.hahn at wrote:
> Hi, I have some (probably) basic questions about how to deal with group checks in the LDAP module.
> I set up LDAP with OpenLDAP and authorization works fine. Now I want to extend the functionality by some group-related post-auth checks.
> Each user is a member of a group. Some users are members of more than one group.
> freeradius -X shows me the following lines:
> (0) ldap: Group DN "cn=lehrer,ou=groups,dc=kms,dc=de" resolves to name "lehrer"
> (0) ldap: Resolving group DN "cn=gast,ou=groups,dc=kms,dc=de" to group name
> (0) ldap: Performing unfiltered search in "cn=gast,ou=groups,dc=kms,dc=de", scope "base"
> (0) ldap: Waiting for search result...
> (0) ldap: Group DN "cn=gast,ou=groups,dc=kms,dc=de" resolves to name "gast"
> (0) ldap: Adding cacheable user object memberships
> (0) ldap: &control:LDAP-Group += "lehrer"
> (0) ldap: &control:LDAP-Group += "gast"

  Note: two "LDAP-Group" attributes.

> This is all fine because the user belongs to two groups.
> My assumption is that control:LDAP-Group now contains both group names, e.g. "lehrer gast".
> For debugging purposes I output the value as reply message in the post-auth section.
> But logfile says:
> (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
> (0) post-auth {
> (0) update reply {
> (0) EXPAND %{control:LDAP-Group}
> (0) --> lehrer

  Which is the first one.  Because %{control:LDAP-Group} only gets the first one.  See "man unlang".

> (0) Reply-Message := lehrer
> Here the output is just the first group name, the other one is missing.
> Why is that?

  If you want both, you should use %{control:LDAP-Group[*]}.  Again, see "man unlang".

> ------------------------------------------------------------------------------------------------------------------------------------
> And there is a second question:
> The LDAP module has a check filter in the group section:
> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> During run time this filter does not generate any output:
> (0) ldap: EXPAND (&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> (0) ldap: --> (&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))
> (0) ldap: Performing search in "ou=people,dc=kms,dc=de" with filter "(&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: Search returned no results

  That seems clear.  The filter doesn't return any results.

> (0) ldap: No cacheable group memberships found in group objects
> This is strange. When I run ldapsearch with the same filter I do get results:
> ldapsearch -x -LLL -H ldap:/// -b dc=kms,dc=de  -s sub "(&(objectClass=groupofnames)(|(member=uid=uhahn,ou=people,dc=kms,dc=de)(memberUid=jhahn)))"

  Does the RADIUS server have permission to read those attributes?  See mods-available/ldap in recent releases.  It has complete instructions for running ldapsearch.

  Alan DeKok.
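The debug output and the ldapsearch command line from the thread above, compared by a small Python script (an added example, not code from the thread or from FreeRADIUS): it lists the LDAP-Group values the module cached, and checks whether the hand-typed ldapsearch actually uses the same base DN, scope and filter assertions as the search the server logged, which it has to before the two results mean anything. The log excerpt and command line are constructed from the post.

```python
import re

# Constructed excerpt of the freeradius -X output quoted above (group cache lines and the group search)
DEBUG_LOG = """\
(0) ldap: &control:LDAP-Group += "lehrer"
(0) ldap: &control:LDAP-Group += "gast"
(0) ldap: Performing search in "ou=people,dc=kms,dc=de" with filter "(&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))", scope "sub"
(0) ldap: Search returned no results
"""

# The ldapsearch command line the poster ran by hand, copied from the post
MANUAL_CMD = ('ldapsearch -x -LLL -H ldap:/// -b dc=kms,dc=de  -s sub '
              '"(&(objectClass=groupofnames)(|(member=uid=uhahn,ou=people,dc=kms,dc=de)(memberUid=jhahn)))"')

GROUP_RE = re.compile(r'&control:LDAP-Group \+= "([^"]*)"')
SEARCH_RE = re.compile(r'Performing search in "([^"]*)" with filter "([^"]*)", scope "(\w+)"')
ASSERTION_RE = re.compile(r'\(([\w;-]+)=([^()]*)\)')   # simple (attr=value) assertions only

def cached_groups(log):
    """Every value added to control:LDAP-Group; %{control:LDAP-Group} yields only the first, [*] all of them."""
    return GROUP_RE.findall(log)

def server_search(log):
    """Base DN, filter and scope of the group search the server actually performed."""
    m = SEARCH_RE.search(log)
    return {"base": m.group(1), "filter": m.group(2), "scope": m.group(3)} if m else None

def manual_search(cmd):
    """Base DN, filter and scope taken from an ldapsearch command line (-b, -s, quoted filter)."""
    return {"base": re.search(r'-b\s+(\S+)', cmd).group(1),
            "filter": re.search(r'"(\(.*\))"', cmd).group(1),
            "scope": re.search(r'-s\s+(\w+)', cmd).group(1)}

def assertions(filter_str):
    """attribute -> value for each (attr=value) in the filter, lower-cased for a loose comparison."""
    return {a.lower(): v.lower() for a, v in ASSERTION_RE.findall(filter_str)}

def diff_searches(server, manual):
    """Differences between the server's search and the manual one; empty means ldapsearch reproduces it."""
    diffs = []
    for key in ("base", "scope"):
        if server[key].lower() != manual[key].lower():
            diffs.append(f"{key}: server={server[key]!r} manual={manual[key]!r}")
    sa, ma = assertions(server["filter"]), assertions(manual["filter"])
    for attr in sorted(set(sa) | set(ma)):
        if sa.get(attr) != ma.get(attr):
            diffs.append(f"{attr}: server={sa.get(attr)!r} manual={ma.get(attr)!r}")
    return diffs

if __name__ == "__main__":
    print("cached groups:", cached_groups(DEBUG_LOG))
    for line in diff_searches(server_search(DEBUG_LOG), manual_search(MANUAL_CMD)):
        print("mismatch ->", line)
```

For the values in the post the script reports three mismatches (search base, the member value and the memberUid value), so the manual ldapsearch was not the query the server ran.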
