Group checking in LDAP module

uj2.hahn at uj2.hahn at
Wed Jan 8 14:59:48 CET 2020

Hi, Alan!
Thanks a lot for your response.
I did find out the "+=" operator behavior already before. This is pretty different from other languages I know. Anyway, I fixed it with the same solution you wrote me.

For the second question (no output from group filter) I found the reason. My base DN setting was incorrect.
Now everything is working fine and I can proceed to the next step. I'm afraid I will then come up with new basic questions...


On 06.01.2020 18:02, Alan DeKok wrote:
> On Jan 5, 2020, at 12:21 PM, uj2.hahn at wrote:
>> Hi, I have some (probably) basic questions how to deal with Group checks in LDAP module.
>> I setup LDAP with OpenLDAP and authorization works fine. Now I want to extend functionality by some group related post-auth checks.
>> Each user is a member of a group. Some users are members of more than one group.
>> freeradius -X shows me the following lines:
>> (0) ldap: Group DN "cn=lehrer,ou=groups,dc=kms,dc=de" resolves to name "lehrer"
>> (0) ldap: Resolving group DN "cn=gast,ou=groups,dc=kms,dc=de" to group name
>> (0) ldap: Performing unfiltered search in "cn=gast,ou=groups,dc=kms,dc=de", scope "base"
>> (0) ldap: Waiting for search result...
>> (0) ldap: Group DN "cn=gast,ou=groups,dc=kms,dc=de" resolves to name "gast"
>> (0) ldap: Adding cacheable user object memberships
>> (0) ldap: &control:LDAP-Group += "lehrer"
>> (0) ldap: &control:LDAP-Group += "gast"
>    Note: two "LDAP-Group" attributes.
>> This is all fine because the user belongs to two groups.
>> My assumption is, that control:LDAP-Group now contains both group names, e.g. "lehrer gast".
>> For debugging purposes I output the value as reply message in the post-auth section.
>> But logfile says:
>> (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
>> (0) post-auth {
>> (0) update reply {
>> (0) EXPAND %{control:LDAP-Group}
>> (0) --> lehrer
>    Which is the first one.  Because %{control:LDAP-Group} only gets the first one.  See "man unlang".
>> (0) Reply-Message := lehrer
>> Here the output is just the first group name, the other one is missing.
>> Why is that?
>    If you want both, you should use %{control:LDAP-Group[*]}.  Again, see "man unlang".
>> ------------------------------------------------------------------------------------------------------------------------------------
>> And there is a second question:
>> LDAP module has a check filter in the group section :
>> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>> During run time this filter does not generate any output:
>> (0) ldap: EXPAND (&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
>> (0) ldap: --> (&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))
>> (0) ldap: Performing search in "ou=people,dc=kms,dc=de" with filter "(&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))", scope "sub"
>> (0) ldap: Waiting for search result...
>> (0) ldap: Search returned no results
>    That seems clear.  The filter doesn't return any results.
>> (0) ldap: No cacheable group memberships found in group objects
>> This is strange. When I run ldapsearch with same filter I do get results:
>> ldapsearch -x -LLL -H ldap:/// -b dc=kms,dc=de  -s sub "(&(objectClass=groupofnames)(|(member=uid=uhahn,ou=people,dc=kms,dc=de)(memberUid=jhahn)))"
>    Does the RADIUS server have permission to read those attributes?  See mods-available/ldap in recent releases.  It has complete instructions for running ldapsearch.
>    Alan DeKok.
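
The two fixes discussed in this thread, as an added FreeRADIUS 3.0 configuration sketch that is not part of the original messages. The `base_dn` value is an assumption: the thread says only that the base DN was wrong, while the debug output shows the group search running under "ou=people" and the group DNs living under "ou=groups". The Reply-Message texts are made up for illustration.

```unlang
# --- mods-available/ldap: fragment of the existing ldap { ... } module block ---
group {
	# Assumed correction. The failing search in the debug output ran in
	# "ou=people,dc=kms,dc=de", where no groupOfNames objects exist.
	base_dn = "ou=groups,dc=kms,dc=de"

	# Both filters as they appear in the thread's debug output.
	filter = "(objectClass=groupOfNames)"
	membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

	# All other group settings stay as they were.
}

# --- sites-enabled/default ---
post-auth {
	update reply {
		# No index: expands to the first LDAP-Group value only ("lehrer" in the thread).
		Reply-Message := "first group: %{control:LDAP-Group}"

		# [#] expands to the number of LDAP-Group values in the control list.
		Reply-Message += "group count: %{control:LDAP-Group[#]}"

		# [*] expands to every LDAP-Group value, joined into one string.
		Reply-Message += "all groups: %{control:LDAP-Group[*]}"
	}

	# foreach visits each cached value in turn; the current value is
	# available as %{Foreach-Variable-0}.
	foreach &control:LDAP-Group {
		update reply {
			Reply-Message += "member of: %{Foreach-Variable-0}"
		}
	}
}
```

Reply-Message is sent to the client, so these debug lines disclose directory group names; take them out again once the group lookup is confirmed with `freeradius -X`.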