Help request: LDAP syntax authorization

Alan DeKok aland at
Fri Mar 31 21:27:55 CEST 2017

On Mar 31, 2017, at 2:53 PM, Aaron Dalla-Longa <aaron at> wrote:
> Freeradius version 3
> Is it possible to deny a user based on an attribute that LDAP sends
> through, and if so, what is the syntax for it?

  You can map LDAP attributes to RADIUS ones.

  See raddb/mods-available/ldap.  Look for "mapping".

> Alternatively, if there is a
> well-put together guide on Freeradius LDAP syntax, could you link it to me?

  The wiki has lots of documentation.  Please go there and look.  It also has a searchable interface.  Just search for LDAP.

> Something that I would be looking for would be something like the
> pseudo-code below:
> if (user_attribute "delinquency" == "no") {
>     accept
> }
> else {
>     reject
> }

  That's not LDAP, that's unlang policies.  And those are documented, too.  Lots of examples, and a "man unlang" page that describes the syntax.

  Alan DeKok.
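
The two steps described in the reply above (map the LDAP attribute in the ldap module, then test it in an unlang policy), as an added configuration sketch that is not part of the original message or of the FreeRADIUS distribution. It assumes the LDAP attribute is literally named "delinquency" as in the pseudo-code, uses Tmp-String-0 as an arbitrary holding attribute, and places the policy in the authorize section of sites-available/default.

```unlang
# raddb/mods-available/ldap  (inside the existing "ldap { ... }" block)
#
# The update section is the LDAP-to-RADIUS mapping. Left side: RADIUS
# attribute and list. Right side: LDAP attribute name, in single quotes.
update {
	# Assumption: the directory attribute is called "delinquency".
	# Assumption: Tmp-String-0 is free to use as a scratch attribute.
	control:Tmp-String-0 := 'delinquency'
}

# raddb/sites-available/default
authorize {
	# Run the LDAP lookup first so the mapped attribute is populated.
	ldap

	# Fail closed: reject when the attribute is missing as well as
	# when it holds anything other than "no". A comparison against an
	# attribute that does not exist evaluates to false, so without the
	# existence test a user with no "delinquency" value would pass.
	if (!&control:Tmp-String-0 || (&control:Tmp-String-0 != "no")) {
		reject
	}
}
```

Running the server with radiusd -X shows the mapped attribute and the result of the condition for each request, which confirms the policy rejects users whose LDAP entry lacks the attribute.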
