FreeRADIUS LDAP group search fails.

  • 7015129
  • 03-Jun-2014
  • 03-Jun-2014


SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
NetIQ eDirectory


After configuring group membership checking in FreeRADIUS (the rlm_ldap module), the group check fails and the following messages appear in the FreeRADIUS log file:

rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group group_name not found or user is not a member.


Change the default "groupmembership_filter" in the "/etc/raddb/modules/ldap" module file to the following, then restart FreeRADIUS (running it in debug mode with "radiusd -X" shows the expanded filter of each group search, which confirms the change took effect):

groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"


The default filter included with FreeRADIUS is incorrect: it references "%{Ldap-UserDn}" without the "control:" list qualifier, but rlm_ldap stores the user's DN in the control list, so the reference expands to an empty string and the "member" and "uniquemember" values in the search are blank. The default filter looks as follows:

groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

The above results in the following incorrect LDAP search being performed, as seen in the debug output:

rlm_ldap: performing search in o=ldap_context, with filter
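The following Python script is an added example, not code from the TID or from FreeRADIUS. It reproduces offline why the default filter finds no group: it expands both filter templates with a simplified emulation of the FreeRADIUS 2.x xlat rules (an unqualified %{Attr} reads the request list only, %{control:Attr} reads the control list, a missing attribute expands to an empty string), escapes the substituted DN per RFC 4515, and evaluates the resulting filter against constructed sample group entries. The xlat emulation, the user DN, the group entries and the small filter evaluator are all assumptions made for the example; the evaluator supports only the operators the TID's filter uses (&, | and equality).

```python
"""Added example: why the default rlm_ldap groupmembership_filter matches nothing.

Assumptions (not from the TID): the xlat rules in expand() are a simplified
emulation of FreeRADIUS 2.x; USER_DN and GROUPS are constructed sample data;
parse_filter()/matches() handle only (&...), (|...) and (attr=value).
"""
import re

# The two filters quoted in the TID.
DEFAULT_FILTER = ('(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))'
                  '(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))')
FIXED_FILTER = ('(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))'
                '(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))')

# Constructed sample data: the authenticating user's DN and two group entries.
USER_DN = 'cn=jdoe,ou=users,o=ldap_context'
GROUPS = [
    {'dn': 'cn=radius-users,ou=groups,o=ldap_context',
     'objectclass': ['groupOfNames', 'top'],
     'member': ['cn=jdoe,ou=users,o=ldap_context',
                'cn=asmith,ou=users,o=ldap_context']},
    {'dn': 'cn=vpn-users,ou=groups,o=ldap_context',
     'objectclass': ['groupOfUniqueNames', 'top'],
     'uniquemember': ['cn=asmith,ou=users,o=ldap_context']},
]


def ldap_escape(value):
    """RFC 4515 escaping so a DN containing ( ) * \\ or NUL cannot alter the filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def ldap_unescape(value):
    """Reverse of ldap_escape: turn \\XX hex escapes back into characters."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def expand(template, request, control):
    """Simplified xlat (assumption): %{control:Attr} reads the control list,
    an unqualified %{Attr} reads the request list only, missing -> ''."""
    lists = {'request': request, 'control': control}

    def repl(m):
        list_name, attr = m.group(1) or 'request', m.group(2)
        return ldap_escape(lists[list_name].get(attr, ''))

    return re.sub(r'%\{(?:(request|control):)?([A-Za-z0-9-]+)\}', repl, template)


def parse_filter(s):
    """Parse the filter subset used by the TID into a tree of tuples."""
    def parse(i):
        if s[i] != '(':
            raise ValueError('expected "(" at offset %d' % i)
        if s[i + 1] in '&|':
            op, i, kids = s[i + 1], i + 2, []
            while s[i] != ')':
                kid, i = parse(i)
                kids.append(kid)
            return (op, kids), i + 1
        # Escaped parentheses appear as \28 / \29, so the next ')' closes this item.
        j = s.index(')', i)
        attr, value = s[i + 1:j].split('=', 1)
        return ('=', attr.lower(), value), j + 1

    tree, end = parse(0)
    if end != len(s):
        raise ValueError('trailing data in filter')
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attribute names lower-cased)."""
    if tree[0] == '&':
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == '|':
        return any(matches(k, entry) for k in tree[1])
    _, attr, value = tree
    # An empty assertion value, as produced by the default filter, equals no real DN.
    wanted = ldap_unescape(value).lower()
    return any(v.lower() == wanted for v in entry.get(attr, []))


def groups_for(template, request, control, groups=GROUPS):
    """Expand the template as rlm_ldap would and return the DNs of matching groups."""
    tree = parse_filter(expand(template, request, control))
    return [g['dn'] for g in groups if matches(tree, g)]


if __name__ == '__main__':
    # After rlm_ldap authorize, the DN is in the control list, not the request list.
    request = {'User-Name': 'jdoe'}
    control = {'Ldap-UserDn': USER_DN}
    for name, tpl in (('default', DEFAULT_FILTER), ('fixed', FIXED_FILTER)):
        print('%s filter: %s' % (name, expand(tpl, request, control)))
        print('  matching groups: %s' % groups_for(tpl, request, control))
```

Running the script prints the default filter expanded to "(member=)" and "(uniquemember=)" with no matching group, and the fixed filter expanded with the full user DN matching cn=radius-users. The same check can be done against a live directory by pasting the expanded filter into ldapsearch; if that returns the group but FreeRADIUS does not, the problem is the expansion, not the directory data.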