read ldap groups for a user not specified in User-Name

David Aldwinckle daldwinc at uwaterloo.ca
Thu Sep 27 19:47:06 CEST 2012


Hi list,

I've been given a set of requirements and I am having a hard time wrapping my head around what needs to happen in order to make things work.

Here is the scenario:

1. External to FreeRADIUS, a user can sponsor the creation of a guest account. The sponsor and guest accounts are in separate LDAP databases.
2. Normally, I just need to handle authentication for the guest accounts. That part is easy, I have PEAP configured with LDAP and NT hashes.
3. The special requirement is that IF the sponsor account gets locked (deleted, expired, etc.), then the guest account can no longer log in either.

So, what I was thinking I could do was an LDAP group check on the sponsor user ID (which would be put into a new attribute stored in the guest LDAP db), and then check the sponsor's group memberships.

The problem with that is that I don't know how to get FreeRADIUS to read the groups for an arbitrary user that is not %User-Name. Can I copy another variable into the User-Name attribute in Post-Auth, and then do the group check there?

Any suggestions? 

Thanks, 
Dave
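One way to implement the sponsor check without touching User-Name, as an added example that is not from the original post or from the FreeRADIUS project's own configuration files: instead of running the Ldap-Group comparison (which is tied to the user being authenticated), query the sponsor entry directly with the ldap module's URL xlat from the authorize section of the inner tunnel. This assumes FreeRADIUS 2.x, that the guest entry carries an LDAP attribute named sponsorUid holding the sponsor's uid, that the sponsor directory is reachable as a second ldap module instance, that it exposes a memberOf attribute (Active Directory does; OpenLDAP needs the memberof overlay, otherwise search the group entry's member attribute with the sponsor's DN instead), and that membership in a cn=active group is what distinguishes a usable sponsor account. Every DN, server name, the Sponsor-Name attribute and its number 3000 are placeholders for this example.

```unlang
# raddb/dictionary: a local attribute to carry the sponsor's uid.
# Attribute numbers from 3000 upwards are reserved for local definitions in 2.x.
ATTRIBUTE   Sponsor-Name    3000    string

# raddb/ldap.attrmap: copy the guest entry's (assumed) sponsorUid attribute
# into control:Sponsor-Name whenever the guest is looked up by the ldap module.
checkItem   Sponsor-Name    sponsorUid

# raddb/modules/ldap: second instance pointing at the sponsor directory.
# The instance name becomes the name of the xlat used below (%{sponsor_ldap:...}).
ldap sponsor_ldap {
    server   = "sponsor-ldap.example.com"   # assumed host
    identity = "cn=radius,dc=example,dc=com" # assumed bind DN
    password = "change-me"                   # assumed bind password
    basedn   = "ou=sponsors,dc=example,dc=com"
}

# raddb/sites-available/inner-tunnel, authorize section.
# With PEAP the real identity is only visible inside the tunnel, so the check
# sits here (after the existing ldap call) rather than in the outer server.
authorize {
    mschap
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap
    ldap    # guest lookup; fills control:Sponsor-Name via the attrmap line above

    if (control:Sponsor-Name) {
        # Search the sponsor directory for an entry that still exists AND is in
        # the "active" group. A deleted sponsor, or one removed from the group,
        # makes the search return nothing, so Tmp-String-0 ends up empty.
        update request {
            Tmp-String-0 := "%{sponsor_ldap:ldap:///ou=sponsors,dc=example,dc=com?uid?sub?(&(uid=%{control:Sponsor-Name})(memberOf=cn=active,ou=groups,dc=example,dc=com))}"
        }

        if ("%{request:Tmp-String-0}" == "") {
            update reply {
                Reply-Message := "Sponsor account is no longer valid"
            }
            reject
        }
    }
    pap
}
```

The check runs in authorize, before any authentication, so a guest whose sponsor is gone is rejected without the NT hash ever being compared. It fails closed: if the sponsor directory is unreachable the xlat also expands to an empty string and the guest is refused, which is the safer default for a dependency of this kind but worth knowing when debugging outages. "Expired" sponsor accounts are only caught if the directory actually drops them from the active group (or if you add the directory's own lockout attribute to the filter).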
