[802.1X] FreeRADIUS OpenLDAP

Christian VAN DER ZWAARD christian.van-der-zwaard at bedrockstreaming.com
Mon Feb 1 15:47:42 CET 2021

Hello everyone,

I'm using an LDAP directory to store my user accounts and groups. For each
group I created a radiusObjectProfile to store the required attributes to
assign a VLAN to the user.
A user can't be in more than 1 group. My profiles are stored in
*cn=group1,ou=profiles,ou=radius,dc=company,dc=com*, each profile's *common
name* matches the corresponding group name.

How can I configure my LDAP module to get the right profile depending on
the user's group?

I tried it this way:

*profile {                filter = '(objectclass=radiusprofile)'
    default = "cn=%{LDAP-Group},ou=profiles,ou=radius,${..base_dn}"*

But it does not work...
Here is Freeradius's output:
*(0) ldap: EXPAND cn=%{LDAP-Group},ou=profiles,ou=radius,*dc=company,dc=com

*(0) ldap:    --> cn=,ou=profiles,ou=radius,dc=jdl-network,dc=local(0)
ldap: Performing search in "cn=,ou=profiles,ou=radius,*dc=company,dc=com

*" with filter "(objectclass=radiusprofile)", scope "base"(0) ldap: Waiting
for search result...(0) ldap: ERROR: Failed performing search: Invalid DN
syntax(0) ldap: ERROR: Server said: invalid DN.*

Obviously, using *%{LDAP-Group}* won't work if the variable has no value..

Do you have any idea how I can get the user's group?
Is there a way to extract the group name from the dn (

Thank you very much for your help.
Kind regards


More information about the Freeradius-Users mailing list