Granting varied levels of NAS permission based on LDAP group membership

Michael Ströder michael at
Fri Apr 22 15:57:36 UTC 2022

On 4/22/22 14:21, Nick Porter wrote:
> To get a user's nested group membership in the LDAP-Group attribute, you 
> need to use the membership_filter configuration item, rather than 
> membership_attribute, using the appropriate Active Directory extended 
> match filter:
> membership_filter = 
> "(member:1.2.840.113556.1.4.1941:=%{control:${..user_dn}})"

Note that this matching rule only works with MS Active Directory, but 
not with other LDAP servers.

Not sure whether the original poster uses MS AD.

Ciao, Michael.

More information about the Freeradius-Users mailing list