Conditional modules and dynamically attributes

Alan DeKok aland at
Wed Sep 11 22:15:50 CEST 2019

On Sep 11, 2019, at 4:06 PM, Viktor Kolesnikov <vvkolesnikoff at> wrote:
> I have freeradius 3.0.20 and use rlm_ldap as a conditional module in the
> authorize section like this
> authorize {
> ...
> sql
> if (notfound) {
>  -ldap
>  if (&LDAP-Group == '%{Group-Name}') {
>    update {
>      &control:Auth-Type := ldap


> I enable and disable the module (if it is not configured) by creating/deleting
> a link in the mods-enabled/ directory, but when the module is disabled,
> I cannot use the attribute LDAP-Group in the condition because it is loaded
> dynamically when the module loads.

  Yes.  How do you expect to use LDAP-Group when there's no ldap module?

  The conditional modules are a simple hack for simple things.  If you need complex changes, edit the configuration files.

> I found this issue
> but it says nothing if a conditional module is used.
> How can I use dynamically loaded attributes such as LDAP-Group or SQL-Group
> and conditional modules?

  Edit the configuration files.

  Why are you dynamically loading LDAP-Group when you aren't using ldap?

  You should create a configuration that works.  There's no point in creating a configuration that's broken, and then trying to make the server skip portions of it.

  Alan DeKok.
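
A pre-deployment check for the situation discussed in this thread, added here as an example and not part of the original messages or of FreeRADIUS: it reports policy lines that reference LDAP-Group or SQL-Group while the owning module has no entry in mods-enabled/. The function names, the attribute-to-module map, the sites-enabled/ layout and the sample tree are assumptions of the example; module instances with a custom name are not covered.

```python
import re
import tempfile
from pathlib import Path

# Assumption: attributes registered at load time by the default (unnamed) instance.
DYNAMIC_ATTRS = {"LDAP-Group": "ldap", "SQL-Group": "sql"}

def orphaned_refs(raddb):
    """List (file, line, attribute, module) where the owning module is not enabled."""
    raddb = Path(raddb)
    enabled = {p.name for p in (raddb / "mods-enabled").iterdir()}
    found = []
    for conf in sorted((raddb / "sites-enabled").iterdir()):
        for n, line in enumerate(conf.read_text().splitlines(), 1):
            code = line.split("#", 1)[0]  # naive comment strip, enough for a lint
            for attr, module in DYNAMIC_ATTRS.items():
                pattern = rf"(?<![\w-]){re.escape(attr)}(?![\w-])"
                if module not in enabled and re.search(pattern, code):
                    found.append((conf.name, n, attr, module))
    return found

# Constructed sample: the authorize fragment quoted above, closed off so it parses.
SAMPLE_SITE = """\
authorize {
    sql
    if (notfound) {
        -ldap
        if (&LDAP-Group == '%{Group-Name}') {
            update {
                &control:Auth-Type := ldap
            }
        }
    }
}
"""

def demo():
    """Run the check with ldap disabled, then enabled, on a temporary raddb tree."""
    with tempfile.TemporaryDirectory() as tmp:
        raddb = Path(tmp)
        (raddb / "mods-enabled").mkdir()
        (raddb / "sites-enabled").mkdir()
        (raddb / "mods-enabled" / "sql").touch()
        (raddb / "sites-enabled" / "default").write_text(SAMPLE_SITE)
        disabled = orphaned_refs(raddb)
        (raddb / "mods-enabled" / "ldap").touch()
        enabled = orphaned_refs(raddb)
    return disabled, enabled

if __name__ == "__main__":
    print(demo())
```

The `-ldap` line itself is not flagged, since the conditional module call is skipped cleanly when the module is absent; only the `&LDAP-Group` condition depends on the module having been loaded.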
