Global User Blacklist

Phil Mayers p.mayers at
Tue Jul 31 14:41:53 CEST 2012

On 31/07/12 13:26, David Aldwinckle wrote:
> Hello,
> I figure that other people might benefit from this too, so...
> I was correct in my previous message. I added ldap to the authorize
> section of the inner tunnel, and did the group checking in the
> post-auth of the default server and everything worked wonderfully.

This isn't working for the reasons you seem to think.

The syntax:

  if (Ldap-Group == xx)

...performs a dynamic search against the LDAP directory for the user & 
group membership.

If you're doing this in the "default" post-auth, you're running LDAP 
twice - once in the "inner-tunnel" authorize section, and once in the 
"default" post-auth.
