freeradius: add configurable LDAP group membership mode#5430

Open
jkolo wants to merge 1 commit into opnsense:master from jkolo:freeradius-ldap-group-membership-mode

Conversation

@jkolo jkolo commented May 8, 2026

Adds group_membership_mode to the LDAP settings (model, form, template):

  • attribute (default): membership_attribute = 'memberOf' — existing behaviour, compatible with POSIX groups and flat LDAP structures.
  • filter: membership_filter with LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) — resolves nested group membership against Active Directory and Samba 4 AD DC in a single LDAP query.

The memberOf attribute reflects only direct memberships, breaking Ldap-Group == checks (e.g. VLAN assignment) when groups are nested. The OID-based filter traverses the full membership chain server-side.

Default is attribute; existing configurations are unaffected.

Tested with Samba 4.24 AD DC and FreeRADIUS 3.2 (os-freeradius plugin).

Important notices

Before you submit a pull request, we ask you kindly to acknowledge the following:

If AI was used, please disclose:

  • Model used: Claude Sonnet 4.6 (Anthropic)
  • Extent of AI involvement: assisted in designing the solution and writing the implementation (template conditional, model field, form field)

Describe the problem

FreeRADIUS hardcodes membership_attribute = 'memberOf' in the LDAP module configuration. The memberOf attribute on a user object reflects only direct group memberships. In Active Directory and Samba 4 AD DC deployments that rely on nested security groups, Ldap-Group == checks (used e.g. for VLAN assignment in 802.1X) silently fail for users who are members only through a parent group.


Describe the proposed solution

Adds a Group Membership Mode option to the FreeRADIUS LDAP settings page:

  • memberOf attribute (default): existing behaviour, no change for current deployments.
  • member filter: switches to membership_filter using the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941), which instructs the LDAP server to resolve the full transitive membership chain in a single query — compatible with Active Directory and Samba 4.

Related issue

None.

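As an added example (not code from this PR or from the os-freeradius plugin), the Python below models what the two modes make rlm_ldap ask the directory for, against a small constructed AD-style tree, so the nested-group failure mode can be reproduced offline. The DNs, group names and entries are constructed; the `membership_filter` spelling quoted in the docstring is the usual FreeRADIUS 3.x form of the chain rule and is stated as an assumption, not taken from the PR.

```python
"""Models the two rlm_ldap group lookup modes the PR exposes, offline.

Constructed example; not code from the PR or the os-freeradius plugin.

What each group_membership_mode makes FreeRADIUS ask the directory for
(rlm_ldap `group {}` section; the membership_filter spelling below is the
usual FreeRADIUS 3.x form for the chain rule and is an assumption, not
text taken from the PR):

  attribute: membership_attribute = 'memberOf'
             -> read the user's memberOf back-link: DIRECT memberships only
  filter:    membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
             -> the server walks `member` links transitively (AD / Samba 4 only)
"""

IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

# Constructed sample DNs (assumption: AD-style naming, not a real deployment).
ALICE = "CN=alice,OU=Users,DC=example,DC=com"
HELPDESK = "CN=helpdesk,OU=Groups,DC=example,DC=com"
VLAN_STAFF = "CN=vlan-staff,OU=Groups,DC=example,DC=com"
LOOP = "CN=loop,OU=Groups,DC=example,DC=com"

# Constructed AD-style entries: `member` is the forward link on the group,
# `memberOf` the computed back-link on the member, listing only direct
# parents. alice -> helpdesk -> vlan-staff, plus a deliberate cycle
# vlan-staff <-> loop (AD allows it) that the chain walk must terminate on.
DIRECTORY = {
    ALICE:      {"objectClass": ["user"],  "member": [],               "memberOf": [HELPDESK]},
    HELPDESK:   {"objectClass": ["group"], "member": [ALICE],          "memberOf": [VLAN_STAFF]},
    VLAN_STAFF: {"objectClass": ["group"], "member": [HELPDESK, LOOP], "memberOf": [LOOP]},
    LOOP:       {"objectClass": ["group"], "member": [VLAN_STAFF],     "memberOf": [VLAN_STAFF]},
}


def groups_by_attribute(user_dn):
    """`attribute` mode: exactly what memberOf on the user object contains."""
    return list(DIRECTORY[user_dn]["memberOf"])


def groups_by_chain(user_dn):
    """`filter` mode: what a server evaluating
    (member:1.2.840.113556.1.4.1941:=<user_dn>) returns, i.e. every group
    reachable by following `member` links upward. The visited set is what
    keeps circular nesting from looping forever."""
    found, seen, frontier = [], {user_dn}, [user_dn]
    while frontier:
        dn = frontier.pop()
        for gdn, entry in DIRECTORY.items():
            if "group" in entry["objectClass"] and dn in entry["member"] and gdn not in seen:
                seen.add(gdn)
                found.append(gdn)
                frontier.append(gdn)
    return found


# RFC 4515: these characters must be hex-escaped inside a filter assertion
# value, so a DN containing an escaped comma (CN=Doe\, John) or a '*' is
# transmitted literally instead of being parsed as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def rfc4515_escape(value):
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def membership_filter(user_dn):
    """The concrete filter sent in `filter` mode once the user DN has been
    expanded into the membership_filter template."""
    return f"(member:{IN_CHAIN_OID}:={rfc4515_escape(user_dn)})"


def ldap_group_check(user_dn, wanted, mode):
    """Emulates `Ldap-Group == "<wanted>"`: wanted may be a full DN or the
    group's CN (rlm_ldap accepts either). Group DNs in this sample have no
    escaped commas, so splitting on the first ',' is safe here."""
    groups = groups_by_attribute(user_dn) if mode == "attribute" else groups_by_chain(user_dn)
    wanted = wanted.lower()
    for gdn in groups:
        cn = gdn.split(",", 1)[0].split("=", 1)[1]
        if wanted in (gdn.lower(), cn.lower()):
            return True
    return False


if __name__ == "__main__":
    for mode in ("attribute", "filter"):
        groups = groups_by_attribute(ALICE) if mode == "attribute" else groups_by_chain(ALICE)
        print(f"{mode:9}: {groups}")
        print(f"           Ldap-Group == \"vlan-staff\" -> {ldap_group_check(ALICE, 'vlan-staff', mode)}")
    print("filter sent:", membership_filter(ALICE))
```

Running the module shows the problem the PR describes: in `attribute` mode alice resolves to `helpdesk` only, so an `Ldap-Group == "vlan-staff"` check (and any VLAN assignment keyed on it) fails; in `filter` mode the chain walk returns `helpdesk`, `vlan-staff` and `loop` and the check passes, and the cycle between `vlan-staff` and `loop` terminates because of the visited set. The matching rule is an Active Directory extension implemented by AD and Samba 4 AD DC; OpenLDAP does not implement it, so against such a server a chain filter matches nothing and the default `attribute` mode is the one to keep.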