Global User Blacklist

David Aldwinckle daldwinc at
Tue Jul 31 14:47:48 CEST 2012

Hi Phil,

I tried a test where I commented out "ldap" from the inner tunnel and it appears that you are correct.

I had thought that I would need to "load" the module for the LDAP-Group to be populated.

Anyway, thanks for the tip!


On 2012-07-31, at 8:41 AM, Phil Mayers <p.mayers at>

> On 31/07/12 13:26, David Aldwinckle wrote:
>> Hello,
>> I figure that other people might benefit from this too, so...
>> I was correct in my previous message. I added ldap to the authorize
>> section of the inner tunnel, and did the group checking in the
>> post-auth of the default server and everything worked wonderfully.
> This isn't working for the reasons you seem to think.
> The syntax:
> if (Ldap-Group == xx)
> ...performs a dynamic search against the LDAP directory for the user & group membership.
> If you're doing this in the "default" post-auth, you're running LDAP twice - once in the "inner-tunnel" authorize section, and once in the "default" post-auth.

More information about the Freeradius-Users mailing list