Nasser Heidari


Freeradius – Problem with rlm_perl

Filed under: Linux — Nasser Heidari @ 13:46

On Debian/Ubuntu, FreeRADIUS fails to start when the rlm_perl module is enabled and the Perl code loads DBI:

root@debian:/etc/freeradius# /etc/init.d/freeradius restart
Stopping FreeRADIUS daemon: freeradius/var/run/freeradius/ not found...
Starting FreeRADIUS daemon: freeradiusCan't load '/usr/lib/perl5/auto/DBI/' for module DBI: /usr/lib/perl5/auto/DBI/ undefined symbol: PL_memory_wrap at /usr/lib/perl/5.10/ line 192.
at /usr/lib/perl5/ line 265
BEGIN failed--compilation aborted at /usr/lib/perl5/ line 265.
Compilation failed in require at /etc/freeradius/ line 2.
BEGIN failed--compilation aborted at /etc/freeradius/ line 2.


After a little googling I found the solution: all you need is to preload the Perl library (via LD_PRELOAD) when starting freeradius, so that the symbols DBI needs are already resolved:

LD_PRELOAD=/usr/lib/ /usr/sbin/freeradius -X

Note: you will need to find out your own Perl library path first:
# find /usr/lib/ -name "*"

You also need to update the init script (/etc/init.d/freeradius) so the daemon is started with the same preload, like this:

LD_PRELOAD=/usr/lib/ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $PROGRAM -- $FREERADIUS_OPTIONS ...


Freeradius – check nested ldap group membership

Filed under: Linux — Nasser Heidari @ 15:23

If your organization has many users and groups, you may also use nested groups.
For example, UserA is a member of SalesGroup, and SalesGroup is a member of VPN_Group.
I want all members of VPN_Group to be able to connect to the VPN server. If you use the normal groupmembership_filter in your ldap module, UserA will not be able to authenticate, because he is not a direct member of VPN_Group: a plain "member=" match only sees direct membership.
If you need this, the only way I know of is to use the Active Directory matching rule OID LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941), which makes the server follow the member chain transitively.

I made it work using the following group membership filter in the ldap module:

groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"

Read more about LDAP search filters here.
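As an added example (not code from the original post), the following Python script models how the flat "member=" match and the LDAP_MATCHING_RULE_IN_CHAIN match differ for the UserA / SalesGroup / VPN_Group case described above. The directory, the DNs and the RFC 4515 escaping helper are my own constructions for illustration; in practice the chain is evaluated server-side by Active Directory, and this script only imitates that evaluation so the difference between the two filters can be seen offline.

```python
# Added example, not from the original post: a small model of how the
# Active Directory LDAP_MATCHING_RULE_IN_CHAIN rule resolves nested group
# membership, next to the flat "member=" match that the default
# groupmembership_filter performs. The directory below is constructed for
# illustration; DNs and group names are assumptions.

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory: DN -> attributes. Only the attributes the
# filter touches are modelled (objectcategory and member).
USER_A = "CN=UserA,OU=Users,DC=example,DC=com"
USER_B = "CN=UserB,OU=Users,DC=example,DC=com"
SALES = "CN=SalesGroup,OU=Groups,DC=example,DC=com"
VPN = "CN=VPN_Group,OU=Groups,DC=example,DC=com"
LOOP_X = "CN=LoopX,OU=Groups,DC=example,DC=com"
LOOP_Y = "CN=LoopY,OU=Groups,DC=example,DC=com"

DIRECTORY = {
    USER_A: {"objectcategory": "person", "member": []},
    USER_B: {"objectcategory": "person", "member": []},
    SALES: {"objectcategory": "group", "member": [USER_A]},
    # Nested case from the post: SalesGroup is itself a member of VPN_Group.
    VPN: {"objectcategory": "group", "member": [SALES]},
    # Two groups that contain each other: a chain walk must not loop forever.
    LOOP_X: {"objectcategory": "group", "member": [LOOP_Y, USER_B]},
    LOOP_Y: {"objectcategory": "group", "member": [LOOP_X]},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    # Backslash first, so the escapes added below are not re-escaped.
    out = value.replace("\\", "\\5c")
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, esc)
    return out


def build_groupmembership_filter(user_dn: str, transitive: bool = True) -> str:
    """Build the groupmembership_filter string with the user DN (what
    %{control:Ldap-UserDn} expands to) substituted and escaped."""
    dn = escape_filter_value(user_dn)
    if transitive:
        return f"(&(objectcategory=group)(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={dn}))"
    return f"(&(objectcategory=group)(member={dn}))"


def transitive_members(group_dn: str) -> set:
    """All DNs reachable from group_dn by following 'member' links, i.e. the
    set the IN_CHAIN rule matches against. The visited set guards against
    group cycles."""
    seen, todo = set(), [group_dn]
    while todo:
        current = todo.pop()
        for m in DIRECTORY.get(current, {}).get("member", []):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen


def groups_matching(user_dn: str, transitive: bool = True) -> set:
    """Groups the filter returns for user_dn: direct members only (flat
    'member=' match) or the whole member chain (IN_CHAIN match)."""
    hits = set()
    for dn, attrs in DIRECTORY.items():
        if attrs["objectcategory"] != "group":
            continue
        members = transitive_members(dn) if transitive else set(attrs["member"])
        if user_dn in members:
            hits.add(dn)
    return hits


if __name__ == "__main__":
    print(build_groupmembership_filter(USER_A))
    print("flat:      ", sorted(groups_matching(USER_A, transitive=False)))
    print("transitive:", sorted(groups_matching(USER_A, transitive=True)))
```

With the flat filter UserA only matches SalesGroup, which is why the VPN check fails; with the IN_CHAIN filter VPN_Group is matched as well. Two details are worth carrying over to a real deployment: the chain walk has to cope with groups that contain each other (hence the visited set), and any value interpolated into a filter should be escaped as in escape_filter_value, so that a DN containing parentheses or asterisks cannot change the structure of the filter.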