Problem with limiting users to group in Active Directory

Alan DeKok aland at
Sun Nov 28 19:33:33 CET 2021

On Nov 28, 2021, at 12:32 PM, Erik Frangež via Freeradius-Users <freeradius-users at> wrote:
> I am having problems configuring RADIUS authentication limiting users to a group in Active Directory.
> Here is configuration of LDAP:

  We don't need to see that.


> In sites-enabled for radius, I have specified this:

  We don't need to see that, either.

> Authentication is not working. Here are logs:

  Part of the logs. But whatever...

> rlm_ldap (ldap1): Reserved connection (0)
> (392) ldap1: EXPAND (sAMAccountName=%{User-Name})
> (392) ldap1:    --> (sAMAccountName=user)
> (392) ldap1: Performing search in "ou=ou,dc=domain,dc=dc,dc=dc" with filter "(sAMAccountName=user)", scope "sub"
> (392) ldap1: Waiting for search result...
> (392) ldap1: User object found at DN "..."
> rlm_ldap (ldap1): Released connection (0)
> (392)       [ldap1] = ok
> (392)     } # redundant = ok
> (392)     policy check_ldap_group_vpn {
> (392)       if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") {
> (392)       Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"

  That seems wrong.  "ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"  ?  Why the repetition?

   The default configuration works.  The file mods-available/ldap has detailed instructions for getting it working with Active Directory.

   Follow the instructions, and it should work.

> The user is a member of the group. We have the same configuration for another domain and it's working.

  Is it *exactly* the same?  i.e. with the same  "ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"  repetition?

  Alan DeKok.
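The check Alan's reply implies is a mechanical one: the group DN used in the unlang comparison has to live in the same directory that the user search ran against, and consecutive duplicate RDNs like "ou=ou,ou=ou" are nearly always a copy/paste slip. The following is an added example, not code from the thread or from FreeRADIUS, that parses the two DNs as they appear in the quoted log (which may well be redacted placeholders) and reports both problems. Everything in it, including the sample DNs fed to main(), is constructed for illustration.

```python
"""Sanity-check the DNs that appear in an rlm_ldap debug log.

Added example, not part of the original thread or of FreeRADIUS.
It flags two things a group-membership check can stumble over:
  1. the group DN's dc= suffix differs from the user search base's, so the
     group is not even in the directory that was searched;
  2. consecutive identical RDNs in the group DN (e.g. "ou=ou,ou=ou").
"""
from __future__ import annotations

from typing import List, Tuple

RDN = Tuple[str, str]


def split_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, honouring RFC 4514 backslash escapes.

    Attribute types are lower-cased (they are case-insensitive); values are
    kept as written, only surrounding whitespace is stripped.
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):          # keep the escaped char literally
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                                # unescaped comma ends an RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))

    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().lower(), value.strip()))
    return rdns


def domain_suffix(rdns: List[RDN]) -> Tuple[str, ...]:
    """The trailing run of dc= components, i.e. the domain the DN belongs to."""
    dcs: List[str] = []
    for attr_type, value in reversed(rdns):
        if attr_type != "dc":
            break
        dcs.append(value.lower())
    return tuple(reversed(dcs))


def check_group_dn(search_base: str, group_dn: str) -> List[str]:
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings: List[str] = []
    base, group = split_dn(search_base), split_dn(group_dn)

    base_dom, group_dom = domain_suffix(base), domain_suffix(group)
    if base_dom != group_dom:
        findings.append(
            "group DN is not in the searched domain: "
            f"{','.join('dc=' + d for d in group_dom)} vs "
            f"{','.join('dc=' + d for d in base_dom)}"
        )

    # Consecutive identical RDNs are almost always a typo, not a real OU tree.
    repeated = sorted(
        {f"{t}={v}" for (t, v), nxt in zip(group, group[1:]) if (t, v) == nxt}
    )
    if repeated:
        findings.append("repeated consecutive RDNs in group DN: " + ", ".join(repeated))
    return findings


def main() -> None:
    # Constructed from the DNs visible in the quoted debug output above.
    search_base = "ou=ou,dc=domain,dc=dc,dc=dc"
    group_dn = "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"
    for finding in check_group_dn(search_base, group_dn) or ["no problems found"]:
        print(finding)


if __name__ == "__main__":
    main()
```

Run it against the base DN from the "Performing search in ..." line and the DN from the `&ldap1-LDAP-Group[*] == "..."` comparison; if it reports a domain mismatch, the group check can never succeed no matter what the user's memberOf says, which is a quicker diagnosis than re-reading the LDAP module configuration.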
