FreeRadius2 LDAP Group Membership



  • Hi, I'm trying to get LDAP authentication going for specific users in my AD by creating the appropriate filters. The issue is that when I try to enable group membership filters I can't seem to get any user to authenticate. Now if I have it disabled, my users in the appropriate OU can authenticate just fine. I ran radiusd -X to get the debug output, but there is NO mention of the group membership filter; it just denies me.

    [ldap] waiting for bind result ...
    [ldap] Bind was successful
    [ldap] performing search in OU=Users,OU=Accounts,OU=Home Network,DC=example,DC=com, with filter (&(objectClass=user)(sAMAccountName=Awesome*))
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    [ldap] Pairs do not match. Rejecting user.


    The above block succeeds with group membership disabled. Attached are my settings for FreeRADIUS. If anyone has any insight as to what I'm missing to get group membership working, it would be much appreciated!
    ![LDAP Group Config.png](/public/imported_attachments/1/LDAP Group Config.png)
    ![LDAP User Config.png](/public/imported_attachments/1/LDAP User Config.png)
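For reference, this is what the group-membership part of the FreeRADIUS 2.x `ldap` module (`raddb/modules/ldap`) and a matching `users` entry typically look like against an Active Directory backend. It is an added example, not the original poster's configuration (theirs is in the attached screenshots): the server name, bind account, group name and the `RADIUS-Users` group are placeholders to adapt; only the base DN and the `objectClass=user`/`sAMAccountName` filter are taken from the debug output above.

```conf
# raddb/modules/ldap  (FreeRADIUS 2.x rlm_ldap) -- added example, values are placeholders
ldap {
        server   = "dc01.example.com"                                   # assumption: a domain controller
        identity = "CN=radius,OU=Service Accounts,DC=example,DC=com"    # assumption: read-only bind account
        password = "CHANGE-ME"                                          # placeholder

        # Base DN and user filter as seen in the radiusd -X output above.
        basedn = "OU=Users,OU=Accounts,OU=Home Network,DC=example,DC=com"
        filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"

        # Attribute map consulted for check/reply items ("Pairs do not match"
        # is raised when a check item fetched through this map disagrees with
        # the request).
        dictionary_mapping = ${confdir}/ldap.attrmap

        # Group membership for AD: groups are objectClass=group and list their
        # members in the multi-valued 'member' attribute; each user carries the
        # reverse link in 'memberOf'. Ldap-Group comparisons use both lookups.
        groupname_attribute       = cn
        groupmembership_filter    = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
        groupmembership_attribute = memberOf
}

# raddb/users -- only members of the assumed "RADIUS-Users" AD group get through.
# The first DEFAULT matches members and stops processing (no Fall-Through);
# everyone else reaches the second DEFAULT and is rejected.
DEFAULT Ldap-Group == "RADIUS-Users"

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of the RADIUS-Users group"
```

List `ldap` before `files` in the `authorize` section of `sites-enabled/default` so the user search has already set `control:Ldap-UserDn` when the `Ldap-Group` check runs; with `-X` the module then logs the group search and whether the user was found to be a member, which is the line missing from the output above.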



  • Check your group mappings in

    /usr/local/etc/raddb/ldap.attrmap

    For reference take a look at

    /usr/pbi/freeradius-amd64/local/share/examples/freeradius/raddb/ldap.attrmap

    If you're on a 32-bit system, alter the above path accordingly. It can be a pain for non-standard stuff like AD.