> >> rlm_ldap: Entering ldap_groupcmp()
> >> radius_xlat: 'ou=mem users,dc=mem-ins,dc=com'
> >> radius_xlat: '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))'
> >> rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0
> >> rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))))
> >> rlm_ldap: object not found or got ambiguous search result
> >> rlm_ldap: ldap_release_conn: Release Id: 0
> >> rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a member.
> >> users: Matched DEFAULT at 166
> >
> > The user was not found in that group, based on the lookup above.
>
> The user is a member of the MEMVPNFlex group in AD
Above is what your ldapsearch looks like and it didn't find the user in that group. You need to modify the group search syntax to the point where it will find your user in the group. Or if the user you are binding with doesn't have read access on the groups, you need to assign it to that user.

For example, if you were using ldapsearch from the command line, how would you search for group members? Does running that search above from the command line, binding with the same user, find the user in the group?

I don't have access to an AD directory right now to get a view into their ldap implementation and see what groups look like. But you should view the AD directory with some kind of ldap viewer and take a look at the groups. Perhaps the objectclass is wrong and AD doesn't use GroupOfNames?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
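The following is an added example, not code from this thread, from FreeRADIUS or from Active Directory. It shows offline why the filter in the debug output can come back empty against an AD group while the same filter works against a GroupOfNames entry: it evaluates the exact filter rlm_ldap built (the default GroupOfNames/GroupOfUniqueNames membership filter, which in FreeRADIUS 1.x/2.x is the groupmembership_filter setting of the ldap module) against two constructed entries. The AD-style entry is an assumption of the example: it follows the standard AD schema, where a group object carries objectClass "group" and lists members in "member". The filter evaluator supports only the equality, AND, OR and NOT forms of RFC 4515 with no wildcards or escapes, which is all the logged filter uses.

```python
"""Evaluate rlm_ldap-style group filters against constructed directory entries.

Added example for this thread; not FreeRADIUS or Active Directory code.
It implements a minimal subset of RFC 4515 search filters (equality, &, |, !)
so the filter from the debug output can be tested offline.
"""

USER_DN = "CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com"

# Constructed entry shaped like an Active Directory group object (assumption:
# standard AD schema, objectClass "group", members listed in "member").
AD_GROUP_ENTRY = {
    "cn": ["MEMVPNFlex"],
    "objectClass": ["top", "group"],
    "member": [USER_DN],
}

# Constructed entry shaped like a groupOfNames group (e.g. OpenLDAP), which is
# what the default rlm_ldap membership filter was written for.
OPENLDAP_GROUP_ENTRY = {
    "cn": ["MEMVPNFlex"],
    "objectClass": ["top", "groupOfNames"],
    "member": [USER_DN],
}

# The filter rlm_ldap built in the debug output above: the default
# GroupOfNames / GroupOfUniqueNames membership filter wrapped in the cn check.
DEFAULT_FILTER = (
    "(&(cn=MEMVPNFlex)"
    "(|(&(objectClass=GroupOfNames)(member=%s))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s))))" % (USER_DN, USER_DN)
)

# Candidate replacement filter that targets the AD group schema instead.
AD_FILTER = "(&(cn=MEMVPNFlex)(objectClass=group)(member=%s))" % USER_DN


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at text[pos].

    Returns (node, next_pos). Nodes are tuples:
    ("&", [children]), ("|", [children]), ("!", [child]), ("=", attr, value).
    Values may not contain ')' (RFC 4515 would require the \\29 escape).
    """
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)
    # partition on the first '=' so DN values containing '=' stay intact
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict attr -> [values]).

    Attribute names and values compare case-insensitively, mirroring how AD
    treats objectClass, cn and DN-syntax attributes such as member.
    """
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    lowered = {k.lower(): v for k, v in entry.items()}
    return any(v.lower() == value.lower() for v in lowered.get(attr.lower(), []))


def group_lookup(filter_text, entries):
    """Return the cn of every entry matching the filter.

    An empty list is what rlm_ldap reports as 'object not found'.
    """
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for label, entry in (("AD group", AD_GROUP_ENTRY),
                         ("groupOfNames group", OPENLDAP_GROUP_ENTRY)):
        print("%-20s default filter -> %s" % (label, group_lookup(DEFAULT_FILTER, [entry])))
        print("%-20s AD filter      -> %s" % (label, group_lookup(AD_FILTER, [entry])))
```

Running it prints an empty result for the default filter against the AD-style entry and a match for the AD-style filter, and the reverse for the groupOfNames entry. That is the same check the ldapsearch suggested above performs against the live directory; the difference is that here the entry shape is a constructed assumption, so the real answer still has to come from looking at the group object in the directory and, as noted, from confirming the bind user can read it.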

