[EXT] Fetching memberOf attribute
Matvey Teplov
matvey.teplov at nomios.nl
Thu May 15 13:23:01 UTC 2025
Hi Brian,
How do you define ldap_ad-LDAP-Group?
Best regards Matvey Teplov
+31 62 705 12 73
________________________________
From: Brian Julin <BJulin at clarku.edu>
Sent: 15 May 2025 15:02
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Cc: Matvey Teplov <matvey.teplov at nomios.nl>
Subject: Re: [EXT] Fetching memberOf attribute
Matvey Teplov via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Hi Guys,
> I cannot get the ldap module to fetch a memberOf attribute from AD - it is not putting it
> as a filter parameter in the LDAP search packet. I need this list later to search through for
> port-authentication phase through the groups in session-state:LDAP-Group[*]'s to identify
> which ones are present and return a proper VSA. The LDAP configuration is as follows:
We use this, because it searches the group membership hierarchy so nested groups work:
user {
        ...
        # Find the user entry by sAMAccountName, searching the whole subtree
        filter = "(&(objectClass=user)(sAMAccountName=%{Stripped-User-Name}))"
        scope = 'sub'
}
group {
        ...
        scope = 'sub'
        filter = '(objectCategory=group)'
        # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: AD evaluates
        # "member" transitively, so groups nested inside other groups match too
        membership_filter = "(member:1.2.840.113556.1.4.1941:=%{&control:Ldap-UserDN})"
        ...
}
You can thank Microsoft for the ugly OID, as far as I know it has no textual alias.
then:
if (&ldap_ad-LDAP-Group[*] == "whatever")
...that statement will be true if any one of the user's groups, including groups inherited from other groups, is "whatever", no need for a for loop unless you need to do something fancy.
Do note that if you have a lot of groups in the OU the search will not be especially efficient, it will even rummage through your printers and whatnot. We made a new OU for the top level RADIUS groups and then could put groups from our other OUs inside those groups to reduce the scope of the search to just users.
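The following is an added example, not code from the post above or from FreeRADIUS. It models offline, on constructed directory data, what the AD matching rule in Brian's membership_filter computes: every group at any nesting depth whose member chain reaches the user DN, restricted to the group entries under the search base, which is also why moving the RADIUS groups into their own OU narrows the result. The DNs, group names, the use of cn as the group name attribute and the string-based DN handling are all assumptions made for illustration. The escape helper is there because a DN can legally contain filter metacharacters; rlm_ldap escapes its own %{...} expansions inside filters, so the helper matters when you reproduce the query by hand with ldapsearch or a script.

```python
# Added example, not code from the mailing-list post or from FreeRADIUS.
# Models what AD's LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941)
# returns for  (member:1.2.840.113556.1.4.1941:=<user DN>)  under a search base.
# All directory data below is constructed for illustration.
from typing import Dict, List, Set

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD transitive-membership rule


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    A DN may contain '(' ')' '*' or '\\' (e.g. "CN=Doe\\, Jane (Ops)"); spliced
    unescaped into a filter it either breaks the filter or changes its meaning.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_membership_filter(user_dn: str) -> str:
    """The filter the membership_filter line sends once the user DN is expanded."""
    return "(member:%s:=%s)" % (MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


def transitive_groups(directory: Dict[str, Set[str]], user_dn: str) -> Set[str]:
    """All groups containing user_dn directly or through nested groups.

    directory maps group DN -> set of member DNs (users or other groups).
    Walks the 'member' edges upward; the 'found' set terminates nested cycles
    (A member of B, B member of A), which AD tolerates and this rule handles.
    """
    found: Set[str] = set()
    frontier = [user_dn]
    while frontier:
        current = frontier.pop()
        for group_dn, members in directory.items():
            if current in members and group_dn not in found:
                found.add(group_dn)
                frontier.append(group_dn)
    return found


def under_base(dn: str, base_dn: str) -> bool:
    """Whole-RDN suffix check standing in for a scope='sub' search at base_dn.
    Simplified: case-folded string compare, no RDN normalisation (assumption)."""
    return dn.lower() == base_dn.lower() or dn.lower().endswith("," + base_dn.lower())


def group_names(directory: Dict[str, Set[str]], user_dn: str, base_dn: str) -> List[str]:
    """What ends up in LDAP-Group[*]: the cn of each matching group under the base.
    Using cn as the group name attribute is an assumption (it is configurable)."""
    names = []
    for dn in transitive_groups(directory, user_dn):
        if under_base(dn, base_dn):
            names.append(dn.split(",", 1)[0][len("CN="):])
    return sorted(names)


def is_member(groups: List[str], wanted: str) -> bool:
    """Equivalent of   if (&ldap_ad-LDAP-Group[*] == "wanted")   in unlang."""
    return any(g == wanted for g in groups)


# Constructed sample directory (not real data). alice is a direct member of
# net-admins only; net-admins is nested in radius-admins, which is nested in
# radius-users. net-admins and radius-admins also form a nesting cycle.
ALICE = "CN=alice,OU=People,DC=example,DC=com"
BOB = "CN=bob,OU=People,DC=example,DC=com"
NET_ADMINS = "CN=net-admins,OU=Groups,DC=example,DC=com"
RADIUS_ADMINS = "CN=radius-admins,OU=RADIUS,DC=example,DC=com"
RADIUS_USERS = "CN=radius-users,OU=RADIUS,DC=example,DC=com"
PRINTER_OPS = "CN=printer-ops,OU=Groups,DC=example,DC=com"

DIRECTORY = {
    NET_ADMINS: {ALICE, RADIUS_ADMINS},   # cycle: radius-admins is a member of net-admins
    RADIUS_ADMINS: {NET_ADMINS},
    RADIUS_USERS: {RADIUS_ADMINS, BOB},
    PRINTER_OPS: {BOB},
}

RADIUS_OU = "OU=RADIUS,DC=example,DC=com"

if __name__ == "__main__":
    print(build_membership_filter(ALICE))
    # Search base at the whole domain: every group in the chain comes back
    print(group_names(DIRECTORY, ALICE, "DC=example,DC=com"))
    # Search base at the dedicated RADIUS OU: only the RADIUS groups come back,
    # although the chain still passed through net-admins to reach them
    print(group_names(DIRECTORY, ALICE, RADIUS_OU))
    print(is_member(group_names(DIRECTORY, ALICE, RADIUS_OU), "radius-users"))
```

Run it as-is to see the filter string and the two result sets; with the base narrowed to the RADIUS OU the server still walks the nesting chain, it just only returns entries under that base, which is the effect Brian describes.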