Access permissions FreeRadius-Google LDAP failed

Jan Sellmann jan.sellmann at
Wed Oct 6 18:20:56 CEST 2021

Hi Benjamin,

looks like you've messed up with the use of the backslashes (\) and 
unintentionally escaped some of the command switches for ldapsearch:

 > root at FreeRadius:~# 
LDAPTLS_KEY=/etc/freeradius/3.0/certs/ldap-client.key \ldapsearch -H 
ldaps:// \ -b dc=foundationacademy,dc=net 
'(mail='benjamin.diehl at')'

You probably wanted to use

"dc=foundationacademy,dc=net" as the search base (-b)
'(mail='benjamin.diehl at')' as the search filter
no special attritbute list

What the server acutally received is:

# extended LDIF
# LDAPv3
# base <> (default) with scope subtree

^an empty search base (so the RootDSE is used as the default) because 
you've escaped the -b option

# filter: (objectclass=*)
^ no specific search filter so the default of any object class is used

# requesting:  -b dc=foundationacademy,dc=net 
(mail=benjamin.diehl at
^ a maleformed attribute list due to the messed up escapes, so the 
server is looking up the attributes:

"(mail=benjamin.diehl at"

which do not exist and therefore the server only responds with the dn of 
the rootDSE node which is what your ldapsearch actually asked for:


(it might look a bit confusing and as if the search didn't return anything)

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

^actually the search for 3 attributes (search: 3) was successful 
(result: 0 Success) and returned 1 entry (numEntries: 1)  - the rootDSE 
"dn: "

Even LDAP is nice sometimes and may tell you what happened (not to the 
extend of freeradius of course ;-)), but as always it takes time to see 
the information is actually there and even more experience to understand it.
Sorry for the lengthy explanation which might be a bit off-topic for 
this list. I still hope it may help you and others with similar problems.

To the concrete problem: eliminate all the backslashes from your 
ldapsearch and try this in one line:

LDAPTLS_KEY=/etc/freeradius/3.0/certs/ldap-client.key  ldapsearch -H 
ldaps:// -b 'dc=foundationacademy,dc=net' 
'(mail=benjamin.diehl at'

and you might get a step further. You will also notice the change in the 
commented output of the search the server will have performed.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5201 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the Freeradius-Users mailing list