Authorizing using LDAP attributes

Clayton Knorr clayton.knorr at
Mon May 9 15:29:17 CEST 2016

Alan et al,

Adding ldap.authorize to the post-auth section didn't seem to change anything except adding a "++[ldap.authorize] returns ok" to the logs

Is there a preferred way to do this I can use in version 2.2.x? 

-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Alan DeKok
Sent: Saturday, May 7, 2016 12:28 PM
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: Authorizing using LDAP attributes

On May 6, 2016, at 1:25 PM, Clayton Knorr <clayton.knorr at> wrote:
> Running radius 2.1.12 and Openldap (openldap just for testing at this 
> point)

  You should really upgrade... newer versions are a lot easier to configure.

> Trying to solve a problem. Need to provide EAP authentication for wifi to many devices. The freeradius server will be hitting an LDAP directory which is not in my control. I need to be able to have conditional logic to allow only certain users with certain attributes in the LDAP directory connect to certain RADIUS clients. I don't control the LDAP directory so using groups or OUs is not an option. So for example if the ldap user has an attribute Location that equals "A1234" I only want them to connect to one or a subset of Aps/controllers.


> I have gotten to the point where everything works for EAP, just the LDAP attributes mapping to RADIUS attributes is giving me fits.

  That's good.

> So I have a test ldap directory in which I have set users up with the attribute businessCategory set to A1000.
> I have added an entry to the main dictionary file: ATTRIBUTE       My-Local-String         3000    string
> I have added a line to ldap.attrmap: checkItem       My-Local-String                 businessCategory
> I have the following in my post-auth section in sites-enabled/default:
>        if ( Called-Station-Id == "AC-85-75-46-55-91:Peep" && My-Local-String == "A1000" ) {
>               noop
>        }
>        else {
>                reject
>        }

  That should be fine.

> Here are some logs from what happens when I try to log in:
> ...
> [ldap] looking for check items in directory...
>  [ldap] businessCategory -> My-Local-String == "A1000"
>  [ldap] userPassword -> Cleartext-Password == "password"
>  [ldap] userPassword -> Password-With-Header == "password"
> [ldap] looking for reply items in directory...
> [ldap] user uuserton authorized to use remote access  [ldap] 
> ldap_release_conn: Release Id: 0
> ++[ldap] return
> .....

  One key thing to note is that there are multiple packets being exchanged.  Pay attention to *which* packet this message is from.

> # Executing section post-auth from file 
> /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
> ++? if (Called-Station-Id == "AC-85-75-46-55-91:Peep" && 
> ++My-Local-String == "A1000" )
> ? Evaluating (Called-Station-Id == "AC-86-74-46-65-91:Peep" ) -> TRUE
>    (Attribute My-Local-String was not found) ? Evaluating 
> (My-Local-String == "A1000" ) -> FALSE
> ++? if (Called-Station-Id == "AC-86-74-46-65-91:Peep" && 
> ++My-Local-String == "A1000" ) -> FALSE
> ++- entering else else {...}
> +++[reject] returns reject
> ++- else else returns reject
> Using Post-Auth-Type Reject

  That's most likely a *different* packet.

  Version 2 doesn't cache results across multiple packets.  Version 3 can, if you want.

> The baffling part is where it says "Attribute My-Local-String was not found." Am I completely barking up the wrong tree here? Is ldap.attrmap meant to be used for something completely different?

  It works.  In v2.1, you should just add "ldap.authorize" to the "post-auth" section, before your unlang checks.  It's a hack, but it should work around this issue.

  Alan DeKok.

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list