I have an ldap module that I want to force to do group checking. Reading the documentation, it seems that there should be an attribute (I'm assuming control?) that should force that check, i.e. instance-name-Ldap-Group ..
I notice that the ldap module seems to have group checking disabled by default. I thought that uncommenting the group config below should enable it?

    #
    # Group membership checking. Disabled by default.
    #
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
    groupmembership_attribute = radiusGroupName

Below is what I have in my authorization section.

    update control {
        ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu"
    }
    ldapADut {
        notfound = reject
    }

Looking at the debug, it seems that there is no attempt to actually do any group checking? What am I doing wrong?

Thanks,
Robert