Add LDAP groups as extra attributes

Arran Cudbard-Bell a.cudbardb at
Wed Mar 13 21:38:33 CET 2013

On 13 Mar 2013, at 16:17, Robin Helgelin <lobbin at> wrote:

> On 13 mar 2013, at 20:52, Arran Cudbard-Bell <a.cudbardb at> wrote:
>>> Next problem seems to be that freeradius ignores when ldap is
>>> returning more than one group, am I correct?
>> Ignores what?
>> If you're talking about an xlat query, then yes, it'll only provide the first result.
> Yes, and there are no workarounds to that? More than editing the code I guess :)

No. xlat is just string expansion (replacing placeholders in the string with other values). There are cases where it's used (abused) to do other things, but normally it only produces one value, the expanded string.

> Would it be possible to another post-auth module to do this instead? As the ldap module itself seems not quite what I'm trying to do here. 

You could use one of the dynamic language modules, python, perl, ruby etc.

Usually people just need to verify a user is in a certain group, they don't usually need to return all the groups a user is in...


More information about the Freeradius-Users mailing list