Group checking in ldap authorization

Alan DeKok aland at
Wed Mar 23 09:14:02 CET 2011

Robert Roll wrote:
>  The below is out of the  .../share/doc/freeradius/rlm_ldap  
>  Note that it shows the Ldap_Group variable being set in the users file, but
> I'm assuming it should not really matter where it gets set ?
>      DEFAULT	Ldap-Group == "cn=disabled,dc=company,dc=com"

  No.  See the "man users" page.  The above example *compares* the

>  Note, I do not want to test for Ldap_Group, I want to be able to actually
> set it so it is used within the  ldap module ?

  You can't set it.  It's intended to *check* if a user is a member of a
particular LDAP group.

  Why would you want to set it?  You don't have write access to LDAP, to
set the group for a user?

  If you need a temporary place to store a value, don't use LDAP-Group.
 Use a locally-defined attribute.  See raddb/dictionary for documentation.

  Alan DeKok.
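The distinction made in this reply, shown as an added configuration sketch that is not part of the original message or of the FreeRADIUS documentation. It assumes FreeRADIUS 2.x `users` file syntax; the group `cn=staff,dc=company,dc=com`, the value "staff", the `Auth-Type := Reject` action and the reply message are constructed for illustration, and `My-Local-String` follows the commented sample in raddb/dictionary.

```text
# --- raddb/dictionary -------------------------------------------------
# Locally-defined attribute: server-internal scratch storage that is
# never sent in a RADIUS packet. Local attribute numbers are taken
# from the 3000-4000 range.
ATTRIBUTE	My-Local-String		3000	string

# --- raddb/users ------------------------------------------------------
# Ldap-Group with "==" is a CHECK item: rlm_ldap queries the directory
# and the entry matches only if the user is a member of that group.
# Nothing is written to LDAP and nothing is stored in Ldap-Group.
DEFAULT	Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject
	Reply-Message = "Account disabled"

# To carry a value forward for later policy, combine the membership
# check with an assignment to the local attribute. ":=" on the check
# line always matches and sets the attribute in the control items.
DEFAULT	Ldap-Group == "cn=staff,dc=company,dc=com", My-Local-String := "staff"
	Fall-Through = Yes
```

Later `users` entries or policy can then test `My-Local-String` instead of trying to assign to Ldap-Group.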
