Custom module to handle LDAP query returning multiple results?
Nicolas Reich
nicolas.reich at switch.ch
Fri Jan 19 14:32:28 CET 2018
Hello,

The system looks like this: the users are each affiliated to one or more
organisations. For each affiliation to an organisation, there's an entry
in LDAP. So there can be several entries for the same user, each one
with a different organisation. Now, granted the rest of the
authentication process goes well, the user is accepted if he or she is
affiliated to one of the whitelisted organisations, i.e. there is at
least one entry with their name and a whitelisted organisation.

This should be pretty straightforward to check: get all entries for the
user, and check if at least one is for a whitelisted organisation.
Except the ldap module throws an error if the search returns more than
one result, and I can't use server-side sorting because it is an
openldap server, which doesn't implement the ldap_create_sort_control
function. (I think, I might have gotten that wrong though.)

Is it possible to write a custom module to handle an LDAP query
returning potentially multiple results? Or is there another solution you
can think of? The obvious one is to serially query ldap for each
organisation, but that's really ineffective. Final note to take into
account: I cannot modify anything on the ldap side, it is used for other
projects as well.

Best regards, and thanks in advance

Nicolas

PS: Thanks Alan for your answer to my other question yesterday.
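
The check described in the post, written as an added example that is not part of the original message and is not FreeRADIUS code: one search filter that matches the user against any whitelisted organisation (instead of one query per organisation), with RFC 4515 escaping of the values, plus the same decision made client-side over a multi-entry result. The attribute names `uid` and `o`, the function names and all sample values are assumptions.

```python
# Added example. Attribute names (uid, o) and sample data are assumptions.

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def build_filter(user, whitelisted_orgs, user_attr="uid", org_attr="o"):
    """Build (&(uid=USER)(|(o=ORG1)(o=ORG2)...)): user AND any whitelisted org."""
    if not whitelisted_orgs:
        # An empty OR would be an invalid filter; refuse rather than match all.
        raise ValueError("whitelist must not be empty")
    org_terms = "".join(
        "({}={})".format(org_attr, escape_filter_value(org))
        for org in sorted(whitelisted_orgs)
    )
    return "(&({}={})(|{}))".format(user_attr, escape_filter_value(user), org_terms)


def is_accepted(entries, whitelisted_orgs, org_attr="o"):
    """Client-side form of the check: at least one entry has a whitelisted org.

    entries: list of dicts mapping attribute name to a list of values.
    Comparison is case-insensitive, as `o` uses caseIgnoreMatch in the
    standard schema.
    """
    allowed = {org.casefold() for org in whitelisted_orgs}
    return any(
        value.casefold() in allowed
        for entry in entries
        for value in entry.get(org_attr, [])
    )


# Constructed sample: two entries for the same user, one per affiliation.
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "o": ["Example University"]},
    {"uid": ["alice"], "o": ["Example Institute"]},
]
WHITELIST = ["example institute", "Example Lab"]

if __name__ == "__main__":
    print(build_filter("alice", WHITELIST))
    print(is_accepted(SAMPLE_ENTRIES, WHITELIST))
```

With the combined filter, a non-empty result already means the user has a whitelisted affiliation; the search can still return more than one entry when the user belongs to several whitelisted organisations.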