Hi Alexander,
Thank you for your quick reply, and sorry, I am very new to FreeRADIUS.
I did:
- Changed, in /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel:
      -ldap
to:
      ldap
      if ((ok || updated) && User-Password) {
          update {
              control:Auth-Type := ldap
          }
      }

- /etc/raddb/mods-enabled/ldap (the user and group subsections sit inside the ldap block, which is what "${..base_dn}" refers to):
ldap {
        server = 'ldapserver.example.com'
        #       port = 389
        # no identity/password configured, so rlm_ldap binds anonymously
        #       password = mypass
        base_dn = 'cn=users,cn=accounts,dc=example,dc=com'

        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                #       scope = 'sub'
                #       sort_by = '-uid'
                #       access_attribute = 'dialupAccess'
                #       access_positive = yes
        }

        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                scope = 'sub'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = memberOf
                cacheable_name = 'yes'
                cacheable_dn = 'yes'
                #       cache_attribute = 'LDAP-Cached-Membership'
        }
}

To test the user I ran:
# radtest ttest2 password ldapserver.example.com 1812 secretkey

Thanks,

On Tue, Mar 12, 2019 at 2:06 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 12 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
>Hi,
>I'm trying to check if user is in a given group name in LDAP but it doesn't
>work, here is the configuration:
>- vi /etc/raddb/mods-enabled/ldap

How do you connect to the LDAP server? You need to use authenticated
bind to see member attributes.

>ldap {
>...
>base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
>...
>}
>group {
>base_dn = "${..base_dn}"
>filter = '(objectClass=posixGroup)'
>scope = 'sub'
>name_attribute = cn
>membership_filter =
>"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>membership_attribute = memberOf
> cacheable_name = 'yes'
> cacheable_dn = 'yes'
># cache_attribute = 'LDAP-Cached-Membership'
>
>The result:
>rlm_ldap (ldap): Reserved connection (2)
>(0)     Using user DN from request
>"uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com"
>(0)     Checking for user in group objects
>(0)       EXPAND
>(&(cn=ipausers)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
>(0)          -->
>(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))
>(0)       Performing search in
>"cn=users,cn=accounts,dc=server,dc=example,dc=com" with filter
>"(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))",
>scope "sub"
>(0)       Waiting for search result...
>(0)       Search returned no results
>(0)     Checking user object's memberOf attributes
>(0)       Performing unfiltered search in
>"uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com", scope "base"
>(0)       Waiting for search result...
>(0)     No group membership attribute(s) found in user object
>
>What am I missing?
>Thanks,

>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
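The change Alexander is pointing at, written out as an added example (this is not configuration from the thread or from the FreeRADIUS project's shipped mods-available/ldap): the module above has no identity/password, so rlm_ldap binds anonymously, and FreeIPA does not return member/memberOf to an anonymous client, which is why both the group search and the memberOf lookup in the debug output come back empty. The bind account uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com, its password, the CA certificate path and the ipausers group check are assumptions for illustration; only the hostname, suffix and the membership_filter come from the thread. The group filter is also widened to groupOfNames, because the posixGroup filter in the thread would skip non-POSIX groups, and ipausers is non-POSIX in a default FreeIPA install.

```conf
# /etc/raddb/mods-enabled/ldap  (FreeRADIUS 3.x rlm_ldap; added example, names assumed)
ldap {
        # LDAPS so the bind credentials never cross the wire in clear text.
        server = 'ldaps://ldapserver.example.com'

        # Authenticated bind: rlm_ldap uses this DN for the user search and for
        # reading member/memberOf, which FreeIPA hides from anonymous binds.
        # uid=radius is an assumed read-only FreeIPA system account created under
        # cn=sysaccounts,cn=etc (via ldapadd), not a regular IPA user.
        identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
        password = 'change-me'   # assumed; keep this file root:radiusd mode 0640

        base_dn = 'dc=example,dc=com'

        tls {
                ca_file = /etc/ipa/ca.crt   # assumed path of the IPA CA certificate
                require_cert = 'demand'     # refuse to bind if the server cert does not verify
        }

        user {
                base_dn = "cn=users,cn=accounts,${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                base_dn = "cn=groups,cn=accounts,${..base_dn}"
                # groupOfNames matches every IPA group; posixGroup only matches
                # groups that were given a GID.
                filter = '(objectClass=groupOfNames)'
                scope = 'sub'
                name_attribute = cn
                # member= carries the user DN on IPA groups; memberUid= exists only
                # on POSIX groups, so both branches are kept.
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = memberOf
                cacheable_name = 'yes'
                cacheable_dn = 'yes'
        }
}

# /etc/raddb/sites-enabled/default, authorize section (same again in inner-tunnel)
authorize {
        ...
        ldap
        if ((ok || updated) && User-Password) {
                update {
                        control:Auth-Type := ldap
                }
        }
        # The Ldap-Group comparison is what triggers the membership_filter search
        # and the memberOf lookup shown in the debug log. "ipausers" is assumed.
        if (!(Ldap-Group == "ipausers")) {
                reject
        }
        ...
}
```

After restarting with radiusd -X and repeating the radtest, the "Checking for user in group objects" search should return the group entry instead of "Search returned no results". The bind account only needs read access, so grant it nothing beyond that; the password in this file is a standing credential for the directory and should be treated (rotated, permission-restricted, kept out of version control) like any other service secret.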