Using the contents of LDAP-Group

Michael Schwartzkopff ms at
Mon Dec 14 12:44:31 CET 2020

On 14.12.20 12:39, Matthew Newton wrote:
> On 14/12/2020 11:20, Michael Schwartzkopff wrote:
>> I want to reply with the contents of the LDAP-Group Attribute.
> LDAP-Group is magic, you can't treat it like a normal attribute.
>> So I'd like to do something like
>> if ( LDAP-Group) {
>>    update reply {
>>      Reply-Message += "%{LDAP-Group}"
>>    }
>> }
>> This does not work. First of all, the if condition is never met. Also
>> the Reply-Message is empty if
> The LDAP-Group attribute doesn't exist. It is an internal "special"
> attribute which does tests, it doesn't have a value. So you can use it
> to check groups, but not to find out which groups the user is in. See
> the group search config options for rlm_ldap.
> A user could be in thousands of groups. Expanding a list of them all
> does not generally make sense.
> You can use an if/elsif construct to update the Reply-Message, testing
> for each group, as you have already got working.
> Or you may be able to come up with an ldap xlat which returns the
> information you need in your own situation, e.g. you know that a user
> will only ever be in one group (otherwise the xlat will only return
> the first one that is returned).

Thanks. Found it out the hard way.

Thanks for the hint with the xlat. I will have a look into that.

Kind regards,


[*] sys4 AG, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
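The two approaches Matthew describes, written out as an added unlang example that is not part of the thread. It assumes FreeRADIUS 3.x syntax, an rlm_ldap instance named `ldap`, and constructed group DNs under `ou=groups,dc=example,dc=com`; `control:LDAP-UserDn` is the user DN rlm_ldap stores after a successful user lookup.

```unlang
# Added example, not from the original post. Constructed group names.
post-auth {
    # LDAP-Group carries no value: each comparison runs a membership
    # check inside rlm_ldap. Independent "if" blocks report every match
    # from a known, finite set; an if/elsif chain would stop at the first.
    if (&LDAP-Group == "cn=netadmins,ou=groups,dc=example,dc=com") {
        update reply {
            &Reply-Message += "Group: netadmins"
        }
    }
    if (&LDAP-Group == "cn=staff,ou=groups,dc=example,dc=com") {
        update reply {
            &Reply-Message += "Group: staff"
        }
    }

    # Alternative for a directory where each user is in exactly one group:
    # an ldap xlat (ldap:///base?attribute?scope?filter). It returns only
    # the first value found, so it is unsafe as a "list all groups" tool.
    if (!&reply:Reply-Message) {
        update reply {
            &Reply-Message += "Group: %{ldap:ldap:///ou=groups,dc=example,dc=com?cn?sub?(member=%{control:LDAP-UserDn})}"
        }
    }
}
```

Reply-Message is sent to the NAS and often shown to the user, so only the short `cn` is echoed here rather than the full DN, which would expose directory layout to the client.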
