How to return Filter-ID attribute value for the users in Active Directory?

Alan DeKok aland at
Thu Jan 19 19:34:47 CET 2012

suggestme wrote:
> I tried to return the value of Filter-ID as:
> authorize { 
>    ... 
>    ldap 
>      if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) { 

  What's "distinguishedName" ?

  It's not a RADIUS attribute.  Read "man unlang", which explains how
the attributes && variables work.

> In my Active Directory I have the attribute named "distinguishedName" which
> I am using inside the "if" statement.

  Right... so FreeRADIUS magically knows to go query LDAP when you type

> If I use "Ldap-UserDN" attribute inside
> "if" statement (as suggested) it says: "No attribute named Ldap-UserDN".

  Because it's a control attribute.

> *Why is this "if" condition being evaluated as FALSE?*

  Because FreeRADIUS isn't an LDAP server, and doesn't have magic access
to the internals of AD.

> Please correct me if I am doing something wrong.

  You need to query the LDAP server for information.  The "rlm_ldap"
documentation should describe this.

  Alan DeKok.
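
An added example, not part of the original message and not FreeRADIUS code: the regular expression from the quoted "if" condition, run in Python over constructed sample DNs to show which user DNs it would turn into a Filter-ID value and which it silently skips (a user outside any OU, or a CN containing an escaped comma). The helper names and the sample DNs are assumptions made for illustration.

```python
import re

# Pattern copied from the "if" condition quoted in the thread.
PAGE_PATTERN = re.compile(r"^[^,]+,OU=([^,]+),")

def filter_id_from_dn(dn):
    """Return the OU the thread's pattern captures, or None when it does not match."""
    m = PAGE_PATTERN.search(dn)
    return m.group(1) if m else None

def split_rdns(dn):
    """Split a DN on unescaped commas (a backslash escapes the next character)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns

def parent_ou(dn):
    """Escape-aware lookup of the OU directly containing the object, else None."""
    rdns = split_rdns(dn)
    if len(rdns) < 2:
        return None
    attr, _, value = rdns[1].partition("=")
    return value if attr.strip().upper() == "OU" else None

# Constructed sample DNs (not taken from any real directory).
SAMPLES = [
    "CN=Alice Example,OU=Staff,DC=example,DC=com",
    "CN=Bob Example,OU=Contractors,OU=Staff,DC=example,DC=com",
    "CN=Carol Example,CN=Users,DC=example,DC=com",    # not in an OU
    "CN=Example\\, Dave,OU=Staff,DC=example,DC=com",  # escaped comma in CN
]

def compare():
    """Pair each sample DN with the regex result and the escape-aware result."""
    return [(dn, filter_id_from_dn(dn), parent_ou(dn)) for dn in SAMPLES]

if __name__ == "__main__":
    for dn, regex_ou, parsed_ou in compare():
        print(f"{dn!r}: regex={regex_ou} parsed={parsed_ou}")
```

Users for whom the pattern returns None would get no Filter-ID from such a policy, so the policy needs an explicit default for them.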
