Help request: LDAP syntax authorization

Alan DeKok aland at
Mon Apr 3 20:17:50 CEST 2017

On Apr 3, 2017, at 2:06 PM, Aaron Dalla-Longa <aaron at> wrote:
> Thanks for the steering Alan. A couple more questions, because I was unable
> to find an LDAP man page, and the ldap wiki page for freeRADIUS doesn't
> explain some of these options under the ldap module:

  The comments in the LDAP module should explain the configuration options.

> # profile_attribute = "radiusProfileDn"
> I assume this is what I set for a users 'username' coming in from the ldap
> schema? I.E. "userbarcode", or is that variable a radius attribute and I
> need to map it?

  No.  It's for user profiles. i.e. you have a bunch of users, and you want them to all share a common profile.

> # password_attribute = userPassword
> same thing here. I assume I set this to the ldap schema, in my case would
> be "usurping".

  That's where the users's "known good" password is located.

  And both of those configuration items are for FreeRADIUS v2.  They don't exist in the v3 version of the module.

> Of course I would uncomment them first.
> A question regarding mapping radius attributes. Is it required to use the
> list of radius attributes on the rfc page, or can I create my own variables
> such as this:
> replyItem User-Delinquency ldapschemadelinquency
> Thus I could do
> if (User-Delinquency == no) {
>   accept
> }
> else {
>  reject
> }
> in unlang.


  But you also need to define User-Delinquency in raddb/dictionary.  Read that file for further instructions.

  Alan DeKok.

More information about the Freeradius-Users mailing list