Problem with limiting users to group in Active Directory

Alan DeKok aland at
Wed Dec 1 01:27:15 CET 2021

On Nov 30, 2021, at 4:06 PM, Erik Frangež via Freeradius-Users <freeradius-users at> wrote:
> I am still having problems checking whether the user is a member of the group... here is a cut from the logs where the comparison is:

  Unfortunately it's difficult to help you here.  FreeRADIUS just uses the same LDAP libraries as ldapsearch.  If both FreeRADIUS and ldapsearch are configured the same, then both will work.  If they're configured differently, then one will work and the other won't work.

> (31) ldap1-vpn-student: EXPAND (sAMAccountName=%{User-Name})
> (31) ldap1-vpn-student:    --> (sAMAccountName=erik.frangez1)
> (31) ldap1-vpn-student: Performing search in "ou=um,dc=loki,dc=um,dc=si" with filter "(sAMAccountName=erik.frangez1)", scope "sub"
> (31) ldap1-vpn-student: Waiting for search result...
> (31) ldap1-vpn-student: User object found at DN "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si"
> rlm_ldap (ldap1-vpn-student): Released connection (0)
> (31)       [ldap1-vpn-student] = ok
> (31)     } # redundant = ok
> (31)     policy check_ldap_group_vpn {
> (31)       if (&ldap1-student-um-LDAP-Group[*] == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") {

  You don't need the [*].  Just:
	if (&ldap1-student-um-LDAP-Group == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") {

  It won't change the results from AD, but it won't hurt.

> (31)       Searching for user in group "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si"
> rlm_ldap (ldap1-student-um): Reserved connection (0)
> (31)       Using user DN from request "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si"
> rlm_ldap (ldap1-student-um): Released connection (0)
> (31)       User is not a member of "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si"

  The message is being printed by FreeRADIUS. But the "not found" answer is being returned from Active Directory.

  There's really little more to do, other than change the FreeRADIUS configuration until AD accepts the search.

> If I run ldapsearch we can see that the user is a member of the group, here:

  Is this run on the *same* machine as FreeRADIUS?  With the *same* credentials?

  One common mistake that people make is to use some admin account for ldapsearch, and then an account with less permission for FreeRADIUS.  The FreeRADIUS account then doesn't have permission to view the user entries, and AD returns "not found" instead of "no permission".

  Make sure that the parameters passed to ldapsearch are taken directly from the FreeRADIUS configuration.  If you're doing anything else, you're not testing the right things.

  And yes, this is frustrating.  It's difficult for us to know what else to do.  I've set this up many, many times.  And it always works after some minor initial testing.  If it's not working for you, it's very difficult to debug via email.

  Alan DeKok.
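The advice above boils down to one check: run ldapsearch with exactly the server, bind identity, password, base DNs and filters that the FreeRADIUS ldap module instance uses, so that "works in ldapsearch" and "works in FreeRADIUS" are actually comparing the same query. The script below is an added example, not code from the thread or from the FreeRADIUS project. It parses a constructed mods-available/ldap-style snippet (the server, bind DN and password are placeholders, and the DNs only echo the thread's layout), expands the simple `%{...}` placeholders the way the log shows them expanded, and prints the two ldapsearch commands that correspond to the user lookup and the group membership test. Assumptions: only plain `%{Attr}` xlats and one-level `${..name}` config references are handled, and the group test is built as `(&(group filter)(membership_filter))` searched with base scope at the group DN, which is how the "Searching for user in group" step in the log reads.

```python
"""Build the ldapsearch calls that mirror a FreeRADIUS ldap module instance.

Added example: parses a constructed ldap module config and emits the
equivalent ldapsearch commands for the user lookup and the group check.
"""
import re
import shlex

# Constructed sample config (placeholder server, bind DN and password).
SAMPLE_CONFIG = """
ldap ldap1-student-um {
    server = 'ldaps://dc.example.test'
    identity = 'cn=radius-bind,ou=service,dc=example,dc=test'
    password = 'bind-secret-placeholder'
    base_dn = 'dc=example,dc=test'
    user {
        base_dn = "ou=um,${..base_dn}"
        filter = "(sAMAccountName=%{User-Name})"
        scope = 'sub'
    }
    group {
        base_dn = "ou=groups,${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = cn
        membership_filter = "(member=%{control:LDAP-UserDn})"
    }
}
"""

_SECTION_RE = re.compile(r"^\s*(\w+)(?:\s+[\w-]+)?\s*\{\s*$")  # "ldap name {" or "user {"
_KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")
_REF_RE = re.compile(r"\$\{\.\.(\w+)\}")        # ${..base_dn}: value from parent section
_XLAT_RE = re.compile(r"%\{([^{}]+)\}")         # %{User-Name}: request attribute


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def _resolve_refs(section, parent):
    """Replace ${..name} in every value with the parent section's value."""
    for key, val in section.items():
        if isinstance(val, dict):
            _resolve_refs(val, section)
        elif parent is not None:
            section[key] = _REF_RE.sub(lambda m: parent[m.group(1)], val)


def parse_config(text):
    """Parse the brace-nested key = value format into nested dicts."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            child = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
        elif line.strip() == "}":
            stack.pop()
        else:
            m = _KV_RE.match(line)
            if not m:
                raise ValueError(f"unparsed line: {raw!r}")
            stack[-1][m.group(1)] = _unquote(m.group(2))
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    _resolve_refs(root, None)
    return root


def ldap_filter_escape(value):
    """RFC 4515 escaping for values substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand_xlat(template, attrs):
    """Expand %{Attr} placeholders from a dict of request attributes."""
    def repl(m):
        name = m.group(1)
        if name not in attrs:
            raise KeyError(f"no value for %{{{name}}}")
        return ldap_filter_escape(attrs[name])
    return _XLAT_RE.sub(repl, template)


def ldapsearch_argv(cfg, base_dn, scope, ldap_filter, attrs=()):
    """argv for ldapsearch using the instance's own bind credentials."""
    return ["ldapsearch", "-x", "-H", cfg["server"], "-D", cfg["identity"],
            "-w", cfg["password"], "-b", base_dn, "-s", scope, ldap_filter, *attrs]


def user_search(cfg, username):
    """The lookup behind 'Performing search in ... with filter ...'."""
    u = cfg["user"]
    flt = expand_xlat(u["filter"], {"User-Name": username})
    return ldapsearch_argv(cfg, u["base_dn"], u.get("scope", "sub"), flt, ("dn",))


def group_membership_search(cfg, user_dn, group_dn):
    """The check behind 'Searching for user in group <dn>' (DN form only)."""
    g = cfg["group"]
    member = expand_xlat(g["membership_filter"], {"control:LDAP-UserDn": user_dn})
    return ldapsearch_argv(cfg, group_dn, "base", f"(&{g['filter']}{member})", ("dn",))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)["ldap"]
    user_dn = "CN=Some User,OU=Users,OU=FERI,dc=example,dc=test"  # constructed
    print(shlex.join(user_search(cfg, "some.user")))
    print(shlex.join(group_membership_search(
        cfg, user_dn, "cn=idm_vpn,ou=groups,dc=example,dc=test")))
```

Run both printed commands on the FreeRADIUS host itself: if the first returns the user entry but the second returns nothing, the directory is answering "not a member" to the bind account FreeRADIUS uses, which is the same answer the debug log shows. The example passes the password with `-w` so the command matches the config literally; when pasting into a shared shell, prefer `-W` (prompt) or `-y <file>` so the bind password does not land in shell history or the process list.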
