Microsoft AD group check

Marek Smoliński marksmol at
Mon Jan 13 08:39:12 CET 2020

I'm sorry about that. Not always more means better ;)
In the future, I will try to describe the problem with greater care.

Coming back to the topic. You made me realize that I had the cache and the condition check in different packets, so I moved the condition from /sites-enabled/default to /sites-enabled/inner-tunnel and changed the condition to:

if (&control:LDAP-Cached-Membership[*] =~ /.*VLAN130_.*/) {

In this configuration, FR works as I wanted.

Alan, Arran... thank you very much for your help.

Marek Smoliński

From: Alan DeKok
Sent: Monday, 13 January 2020 01:00
To: FreeRadius users mailing list
Subject: Re: Microsoft AD group check

> On Jan 12, 2020, at 4:38 PM, Marek Smoliński <marksmol at> wrote:
> This message is visible at server startup with the freeradius -XXX command
> (9)       Checking user object's memberOf attributes
> (9)         Performing unfiltered search in "CN=A0700-GARWOLIN,OU=stacje_robocze,OU=Siedlce,DC=domena,DC=AD", scope "base"
> (9)         Waiting for search result...
> (9)       Processing memberOf value "CN=VLAN130_SIEO1,OU=stacje_robocze,OU=Siedlce,DC=domena,DC=AD" as a DN
> (9)         Resolving group DN "CN=VLAN130_SIEO1,OU=stacje_robocze,OU=Siedlce,DC=domena,DC=AD" to group name
> (9)         Performing unfiltered search in "CN=VLAN130_SIEO1,OU=stacje_robocze,OU=Siedlce,DC=domena,DC=AD", scope "base"
> (9)         Waiting for search result...
> (9)         Group DN "CN=VLAN130_SIEO1,OU=stacje_robocze,OU=Siedlce,DC=domena,DC=AD" resolves to name "VLAN130_SIEO1"
> rlm_ldap (ldap): Released connection (0)
> (9)       User is not a member of "VLAN129"
> (9)       elsif (LDAP-Group == VLAN129)  -> FALSE
> (9)       elsif (LDAP-Cached-Membership[*] =~ /.*VLAN130_.*/) {
>       this is where the message appears - No old matches
> That message doesn't appear anywhere in the debug output.
>
> PLEASE describe errors correctly.  DO NOT re-phrase errors in your interpretation of what they mean.  DO copy the errors verbatim from the debug output to the mailing list.
>
> And where is the LDAP-Cached-Membership attribute coming from?  We can read the debug output, but we can't read your mind.  What did you change to add it?  Why?
>
> This process is not productive.  If we're going to help you, we need to get a CORRECT and CLEAR description of the problem.  The more time you waste doing something else, the longer it takes to fix the problem.
>
>   Alan DeKok.

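The fix Marek describes, written out as a complete authorize-section fragment for /sites-enabled/inner-tunnel. This is an added example, not the configuration from the thread or the FreeRADIUS project's own default file: the if/elsif shape follows the debug output above (an exact LDAP-Group check for VLAN129, then the regex over the cached membership), while the reply attributes and the group-to-VLAN mapping (129 and 130) are assumptions. It relies on `cacheable_name = yes` in the `group` section of mods-available/ldap, which is what makes rlm_ldap store resolved group names in `&control:LDAP-Cached-Membership`.

```unlang
# Added example for FreeRADIUS 3.x, not the thread's own config.
# Assumes mods-available/ldap has, in its group { } section:
#     cacheable_name  = yes
#     cache_attribute = "LDAP-Cached-Membership"
# rlm_ldap then stores every resolved group name in the control list
# of the packet it ran in. With PEAP/EAP-TTLS that packet is the
# inner-tunnel request, so the check must live here rather than in
# sites-enabled/default, where the cache is never populated.
server inner-tunnel {
    authorize {
        # (other modules as in the default inner-tunnel authorize section)

        # Performs the directory lookup and fills &control:LDAP-Cached-Membership
        ldap

        # Exact-name check, resolved live by rlm_ldap (as in the debug output)
        if (LDAP-Group == "VLAN129") {
            update reply {
                # assumed mapping: group VLAN129 -> VLAN 129
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := 129
            }
        }
        # Pattern check over every cached group name. [*] walks all instances,
        # so the condition is true if any one of them matches. The thread's
        # /.*VLAN130_.*/ is an unanchored substring match; /^VLAN130_/ is the
        # tighter form when only the prefix is meaningful.
        elsif (&control:LDAP-Cached-Membership[*] =~ /.*VLAN130_.*/) {
            update reply {
                # assumed mapping: any VLAN130_* group -> VLAN 130
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := 130
            }
        }

        # (remaining modules: pap, mschap, eap, etc.)
    }
}
```

Two things worth checking when adopting this. First, with `cacheable_name` the cached values are bare CNs, so a group with the same CN in a different OU satisfies the regex just as well as the intended one; if non-administrators can create groups anywhere in the directory, cache DNs instead (`cacheable_dn = yes`) and match on the full DN. Second, confirm placement with `freeradius -X`: the `Processing memberOf value ... as a DN` lines and the `elsif (&control:LDAP-Cached-Membership[*] =~ ...)` evaluation should appear under the same request number, which is the sign that cache and check now run in the same packet.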