Hi, I have freeradius 2.1 running on SLES11sp1 (64bit).
I have it configured to authenticate to an OES2sp3 server (32bit).

Authentication is working, but I am struggling to get it to allow/deny based on group membership...

I have a group, say remote.
I have put it in /etc/raddb/users

DEFAULT LDAP-Group!="cn=remote,ou=Groups,o=ABC", Auth-Type:=Reject
    Reply-Message="You are not allowed to connect"

But whether the user is a member or not, I always get a deny.
I think it is because the freeradius server is searching for the "dn" attribute in the group instead of "groupmembership".

From the iMonitor LDAP trace:

15:08:42 9353CBA0 LDAP: (10.60.1.12:53889)(0x0004:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
15:08:42 9353CBA0 LDAP: (10.60.1.12:53889)(0x0004:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) DoExtended on connection 0xca20780
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.13
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) Sending operation result 0:"":"" to connection 0xca20780
15:08:47 90490BA0 LDAP: (10.48.5.240:39601)(0x0002:0x63) Activating pending operation 0x2:0x63 on connection 0xccf1780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) DoSearch on connection 0xca20780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Search request:
base: "ou=USERS,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(uid=user)"
attribute: "dn"
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) DoSearch on connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Search request:
base: "cn=remote,ou=Groups,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(|(&(objectClass=GroupOfNames)(member=))(&(object Class=GroupOfUniqueNames)(uniquemember=)))"
attribute: "dn"
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:48 9353CBA0 LDAP: (10.60.1.12:53889)(0x0008:0x63) DoSearch on connection 0xca20780
15:08:48 9353CBA0 LDAP: (10.60.1.12:53889)(0x0008:0x63) Search request:

So freeradius thinks the user is not a member.

Has anyone got freeradius 2 working with groups and can help me solve this issue?

Thanks,
Hein
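
An added example, not part of the original post: a small Python parser for the "Search request:" blocks of an iMonitor LDAP trace like the one above. It lists each request's base, filter and requested attributes, and flags filter assertions whose value is empty, such as `(member=)` in the group search. The sample lines are copied from the trace in the post; the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the iMonitor trace in the post above.
SAMPLE_TRACE = '''\
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Search request:
base: "ou=USERS,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(uid=user)"
attribute: "dn"
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Search request:
base: "cn=remote,ou=Groups,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(|(&(objectClass=GroupOfNames)(member=))(&(object Class=GroupOfUniqueNames)(uniquemember=)))"
attribute: "dn"
'''

FIELD = re.compile(r'^(base|filter|attribute):\s*"(.*)"\s*$')
EMPTY_ASSERTION = re.compile(r'\(([A-Za-z][\w;.-]*)=\)')
TIMESTAMPED = re.compile(r'^\d{2}:\d{2}:\d{2} ')

def parse_searches(trace):
    """Return one dict per 'Search request:' block in the trace."""
    searches, current = [], None
    for line in trace.splitlines():
        if line.rstrip().endswith("Search request:"):
            current = {"base": None, "filter": None, "attributes": []}
            searches.append(current)
        elif current is not None:
            m = FIELD.match(line.strip())
            if m and m.group(1) == "attribute":
                current["attributes"].append(m.group(2))
            elif m:
                current[m.group(1)] = m.group(2)
            elif TIMESTAMPED.match(line):
                current = None  # the next trace event ends the block
    return searches

def empty_assertions(ldap_filter):
    """Attribute names compared against an empty value, e.g. (member=)."""
    return EMPTY_ASSERTION.findall(ldap_filter or "")

def report(trace):
    """(base, [attributes with empty values]) for each flagged search."""
    return [(s["base"], empty_assertions(s["filter"]))
            for s in parse_searches(trace) if empty_assertions(s["filter"])]

if __name__ == "__main__":
    for base, attrs in report(SAMPLE_TRACE):
        print(f"search under {base!r}: empty value for {attrs}")
```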