Active Directory authenticated VPN

Michael Ströder michael at
Fri May 7 12:57:17 CEST 2021

On 5/7/21 12:09 PM, Pisch Tamás wrote:
> With 'no' the authentication and authorization works... with a little flaw:
> it accepts users who are not in the vpnusers group.

Well, then start from this config.

> With 'yes', or with 'allow_sasl_over_tls' I get "Strong(er) authentication
> required".

I guess authentication was not successful in this case because you don't
use simple bind (see my last message).

> With these settings in the ldap module:
> ldap{
>   server = 'localhost'
>   identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
>   password = '...'
>   base_dn = 'dc=ad,dc=ourdomain,dc=hu'
>   group {
>     membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'

membership_attribute shall only contain an LDAP attribute name, e.g.
'memberOf' if appropriate in your deployment.

> I tried to set up filtering according to
> Changes in ldap module:
> ldap{
>   groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
>   membership_attribute = 'memberOf'

Note that 'memberOf' is a user attribute, not an attribute of the group.

With the approach above you have to use membership_attribute = 'member'.

> I checked with ldapsearch:
> ldapsearch -x -b "cn=Users,dc=ad,dc=ourdomain,dc=hu" -D
> "cn=vpn,cn=Users,dc=ad,dc=ourdomain,dc=hu" -h localhost -W
> "(&(cn=vpnusers)(|(&(objectClass=group)(member=CN\3dvpn\2cCN\3dUsers\2cDC\3dad\2cDC\3dourdomain\2cDC\3dhu))))"
> It gives the vpnusers object as a result.

Can't you see the difference?

In the group filter you're correctly using attribute 'member' as
assertion type, not 'memberOf'.

Ciao, Michael.
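
The 'member' versus 'memberOf' distinction discussed in this message, as an added example that is not part of the original mail or of FreeRADIUS: a small Python evaluator for AND/OR/equality LDAP filters, run against constructed directory entries. The guest user, the entry contents and all function names are assumptions; the DNs and the filter shape are taken from the ldapsearch quoted in the thread.

```python
import re

BASE = "DC=ad,DC=ourdomain,DC=hu"
VPN_DN = "CN=vpn,CN=Users," + BASE
GUEST_DN = "CN=guest,CN=Users," + BASE        # constructed non-member
GROUP_DN = "CN=vpnusers,CN=Users," + BASE
# Constructed sample entries (attribute names lowercased for matching).
ENTRIES = {
    VPN_DN: {"objectclass": ["user"], "cn": ["vpn"], "memberof": [GROUP_DN]},
    GUEST_DN: {"objectclass": ["user"], "cn": ["guest"], "memberof": []},
    GROUP_DN: {"objectclass": ["group"], "cn": ["vpnusers"], "member": [VPN_DN]},
}

def unescape(value):
    # RFC 4515: \XX in an assertion value is a hex-encoded byte (ASCII only here).
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    """Parse the filter starting at f[i] == '('; return (node, next index)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1                      # step over ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), unescape(value).lower()), end + 1

def matches(node, entry):
    if node[0] == "=":                                # equality on one attribute
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    results = [matches(kid, entry) for kid in node[1]]
    return all(results) if node[0] == "&" else any(results)

def search(filter_text):
    """Return the DNs of the sample entries that match the filter."""
    node, _ = parse(filter_text)
    return [dn for dn, entry in ENTRIES.items() if matches(node, entry)]

def group_filter(user_dn, attr="member"):
    """Build the thread's group filter, hex-escaping the DN as its ldapsearch does."""
    esc = "".join("\\%02x" % ord(c) if c in "=,\\*()" else c for c in user_dn)
    return "(&(cn=vpnusers)(|(&(objectClass=group)(%s=%s))))" % (attr, esc)

if __name__ == "__main__":
    print(search(group_filter(VPN_DN)))               # group side, 'member'
    print(search(group_filter(VPN_DN, "memberOf")))   # groups carry no memberOf
    print(search(group_filter(GUEST_DN)))             # non-member
    print(search("(&(objectClass=user)(memberOf=%s))" % GROUP_DN))  # user side
```

The first search uses the same filter string as the ldapsearch in the thread and returns the group entry; the same filter with 'memberOf' as the assertion type returns nothing, because in this sample data that attribute exists only on user entries.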
