Matching multiple LDAP-groups during post-auth

Alan DeKok aland at
Wed May 19 17:30:46 CEST 2021

On May 19, 2021, at 9:48 AM, Chris Wopat <me at> wrote:
> Digging up this thread as I finally am testing with FreeRADIUS 3. I've
> ported our config over for ldap, things working great in testing.

  That's good.

> However, I'd like to re-address my last note, which was with the
> pseudocode of if/else + if/else, we still get a reject.

  That happens if none of the LDAP groups match, and your force a reject.

> Due to my brain comprehending output of `radiusd -X` in v3 *much*
> better, what appears to be happening is there's never an explicit
> 'Accept' with the method suggested at:

  There's never an explicit accept, because you told it to reject.

  If you don't tell it to reject the user, AND the user has a good password, the server sends Accept.

> In that case, if a member of 'network 1' and 'optical 1', it
> authenticates. If a member of one but not the other,
> Local-Reject-Check is populated and it will always reject.

  Likely because that's the way you wrote the rules.

> Below is a
> snippet when one is a member of 'network*' group but not 'optical*'
> group (omitted the network* stuff)

  Post the FULL debug output.  This should be your default.

  You're asking us to help debug things, but only giving a tiny bit of the output.  That is very much unhelpful.

> I feel as though there's a much simpler answer to both of those, but I
> can't see the forest for the trees.

  Post the FULL debug output.

  Alan DeKok.

More information about the Freeradius-Users mailing list