Okay, I am a couple of steps closer, but still having trouble. My RADIUS server is saying my test user is not in the group I'm filtering for; however, I know that it is. My sites-available/default config looks like:
authorize {
        ...
        ldap
        if (Ldap-Group == "PWHC Secure Wireless") {
                update reply {
                        Tunnel-type = VLAN
                        Tunnel-medium-type = IEEE-802
                        Tunnel-Private-Group-Id = 456
                }
        }
        ...
}

And my modules/ldap config looks like:

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "adserver.example.com"
        identity = "cn=admin,ou=users,dc=example,dc=com"
        password = adminpass
        basedn = "ou=users,dc=example,dc=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        ...
}

And I'm receiving the following log messages:

[ldap] performing user authorization for username
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> username
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=username)
[ldap] expand: ou=users,dc=example,dc=com -> ou=users,dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to adserver.uark.edu:389, authentication 0
[ldap] bind as cn=netoc,ou=users,dc=example,dc=com/password to adserver.uark.edu:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=users,dc=example,dc=com, with filter (sAMAccountName=username)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user username authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (Ldap-Group == "PWHC Secure Wireless")
[ldap] Entering ldap_groupcmp()
expand: ou=usersusers,dc=example,dc=com -> ou=users,dc=example,dc=com
expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=users,dc=example,dc=com, with filter (&(memberOf=PWHC Secure Wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group PWHC Secure Wireless not found or user is not a member.
? Evaluating (Ldap-Group == "PWHC Secure Wireless") -> FALSE
++? if (Ldap-Group == "PWHC Secure Wireless") -> FALSE

It looks to me like it's binding and searching and deciding that I'm not a member of that group; however, I know that I am, because if I do a command-line ldapsearch it shows that I'm a member of that group.

# ldapsearch -x -b 'ou=users,dc=example,dc=com' -h adserver.example.com -D cn=admin,ou=users,dc=example,dc=com -w password 'cn=username' memberOf
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: cn=username
# requesting: memberOf
#

# username, Users, example.com
dn: CN=username,OU=users,dc=example,dc=com
memberOf: CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com
memberOf: CN=UA: SecondaryAccount,OU=ManagedGroups,OU=Special Accounts,dc=example
 ,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Can anyone tell me what I'm doing wrong?

Thanks,
Scott

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
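An added example, not part of Scott's post and not FreeRADIUS code: a minimal RFC 4515 filter matcher that replays the search filter rlm_ldap logged for the Ldap-Group comparison, plus a DN-valued variant, against the memberOf values the ldapsearch output shows, so the effect of the comparison value's form on an Active Directory memberOf attribute can be checked offline. It assumes DN matching can be reduced to case-insensitive equality of the whole value, and the entry is constructed only from the attributes visible in the ldapsearch output.

```python
# Added example (not from the post or FreeRADIUS). Assumption: DN matching is
# simplified to case-insensitive string equality of the whole value.

# Entry constructed from the ldapsearch output in the post.
USER_ENTRY = {
    "cn": ["username"],
    "memberof": [
        "CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com",
        "CN=UA: SecondaryAccount,OU=ManagedGroups,OU=Special Accounts,dc=example,dc=com",
    ],
}

# The filter rlm_ldap logged for the Ldap-Group comparison, verbatim from the post.
LOGGED_FILTER = (
    "(&(memberOf=PWHC Secure Wireless)"
    "(|(&(objectClass=GroupOfNames)(member=))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=))))"
)
GROUP_DN = "CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com"

def _parse(text, i):
    """Parse the filter item starting at text[i] == '('; return (node, next index)."""
    if text[i + 1] in "&|":
        op, i, kids = text[i + 1], i + 2, []
        while text[i] == "(":
            node, i = _parse(text, i)
            kids.append(node)
        return (op, kids), i + 1  # consume the closing ')'
    close = text.index(")", i)
    attr, _, value = text[i + 1:close].partition("=")  # split at the first '='
    return ("eq", attr.lower(), value), close + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr_lowercase: [values]}."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(kid, entry) for kid in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence filter, e.g. (memberOf=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # (member=) never matches

def user_matches(filter_text, entry=USER_ENTRY):
    """True if the entry would be returned by an LDAP search using this filter."""
    return matches(_parse(filter_text, 0)[0], entry)

if __name__ == "__main__":
    for f in (LOGGED_FILTER, "(memberOf=PWHC Secure Wireless)", f"(memberOf={GROUP_DN})"):
        print(user_matches(f), f)
```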