G'day, Background: Debian GNU/Linux 11 (bullseye) FreeRADIUS Version 3.0.21 Samba Version 4.16.11-Debian (AD) Freeradius does user authentication against the Samba AD backend using ntlm_auth/mschapv2 and this works flawlessly. Problem: I'm looking at the doc for ldap xlat syntax: https://wiki.freeradius.org/modules/Rlm_ldap#ldap-xlat The following ldapsearch query works and returns a list of sAMAccountNames which are members of the 'staff' group. ldapsearch -D "cn=Administrator,cn=Users,dc=foo,dc=bar,dc=com" -w super_secret! -h "localhost" -b "cn=Users,dc=foo,dc=bar,dc=com" -s sub "(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))" sAMAccountName I am trying to replicate this in an ldap xlate inside the post-auth section like so: update reply { Reply-Message += "AD-Group: %{ldap:ldap:///cn=Users,dc=foo,dc=bar,dc=com?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))?sAMAccountName}", } However, freeradius complains: (12) update reply { (12) ERROR: Parsing LDAP URL failed (12) EXPAND AD-Group: %{ldap:ldap:///cn=Users,dc=foo,dc=bar,dc=com?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))?sAMAccountName} (12) --> AD-Group: (12) Reply-Message += AD-Group: Questions: 1. Is this sort of query possible using ldap xlat? 2. If so, am I missing something obvious? 3. Is there a way to test/debug ldap xlat expressions which is more efficient/simple than embedding them in the config and testing? Thanks, Chris