Check in users file using a string attribute obtained from ldap

kzorba at kzorba at
Fri Dec 24 21:07:09 CET 2010

Quoting Alan DeKok <aland at>:

> Kostas Zorbadelos wrote:

Hi Alan,

thanks for the prompt reply,

>> - have freeradius query an ldap server to get the usual user entry with one
>> check and a few reply attributes
>> - have after that a users file, that based on the check attribute obtained
>> before by the ldap module make some processing (eg add a few common reply
>> attributes)
>   The "users" file can't really do this.
>> I looked at the source code and from what I understood the ldap module puts
>> all check items in the so called control (or check list), while  
>> rlm_file makes
>> checks in the request list
>   Exactly.
>> So I figured that doing an unlang update request would solve the problem.
> ..
>>         update request {
>>                 Group = "%{control:Ascend-Group}"
>   Uh... that is wrong on a number of levels.  The "Group" attribute has
> an existing definition: Unix group comparison.  You can't use it for
> anything else.

Yes, I figured that the freeradius internal attributes can't be used  
for something like that. I did the config by also using another  
already defined (string) attribute but the assignment and checks in  
users failed again.

I thought I was doing something wrong from an unlang point of view.
I will try to define my own attribute and see what happens. Any other  
ideas are highly welcome.

>   See raddb/dictionary for how to create local attributes.
>   Alan DeKok.


More information about the Freeradius-Users mailing list