Global User Blacklist

Phil Mayers p.mayers at
Tue Jul 31 15:02:58 CEST 2012

On 31/07/12 13:47, David Aldwinckle wrote:
> Hi Phil,
> I tried a test where I commented out "ldap" from the inner tunnel and it appears that you are correct.
> I had thought that I would need to "load" the module for the LDAP-Group to be populated.

It's a common misconception, and in some ways I wish it were more 
obvious that this isn't the case. But as I say, the attribute is a 
"virtual" one, and comparisons are executed by a handler that 
dynamically does the query, as opposed to a list of groups.

Same thing for SQL-Group and (IIRC) the huntgroup attributes.

This can be relevant if you want to do a lot of group comparisons e.g.

  if (Ldap-Group = abc123) {
  elsif (Ldap-Group == def456) {

...involves two LDAP directory searches. This can get slow with a lot of 
groups, for which there are various solutions.

More information about the Freeradius-Users mailing list