Using the contents of LDAP-Group

Arran Cudbard-Bell a.cudbardb at
Mon Dec 14 21:20:04 CET 2020

> On Dec 14, 2020, at 5:44 AM, Michael Schwartzkopff <ms at> wrote:
> On 14.12.20 12:39, Matthew Newton wrote:
>> On 14/12/2020 11:20, Michael Schwartzkopff wrote:
>>> I want to reply with the contents of the LDAP-Group Attribute.
>> LDAP-Group is magic, you can't treat it like a normal attribute.
>>> So I'd like to do something like
>>> if ( LDAP-Group) {
>>>    update reply {
>>>      Reply-Message += "%{LDAP-Group}"
>>>    }
>>> }
>>> This does not work. First of all, the if condition is never met. Also
>>> the Reply-Message is empty if
>> The LDAP-Group attribute doesn't exist. It is an internal "special"
>> attribute which does tests, it doesn't have a value. So you can use it
>> to check groups, but not to find out which groups the user is in. See
>> the group search config options for rlm_ldap.
>> A user could be in thousands of groups. Expanding a list of them all
>> does not generally make sense.
>> You can use an if/elsif construct to update the Reply-Message, testing
>> for each group, as you have already got working.
>> Or you may be able to come up with an ldap xlat which returns the
>> information you need in your own situation, e.g. you know that a user
>> will only ever be in one group (otherwise the xlat will only return
>> the first one that is returned).
> Thanks. Found it out the hard way.
> Thanks for the hint with the xlat. I will have a look into that.

Or enable LDAP group caching in the ldap module config and you'll get
the complete list written out to local attributes.

Then just:

update reply {
	Reply-Message := "%{LDAP-Group[*]}"
}

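The group caching Arran refers to, as an added configuration example that is not part of this thread: in FreeRADIUS 3.x the `group` section of the ldap module (mods-available/ldap) has `cacheable_name` and `cacheable_dn` options, and with `cacheable_name` enabled rlm_ldap writes the name of every group the user belongs to into the control list as `LDAP-Group`, which can then be expanded with `[*]`. The option names, the `control:` list and the sample DNs are from my own reading of the module, not from the thread, so treat them as assumptions to check against your module's config file.

```unlang
# mods-available/ldap (FreeRADIUS 3.x), group section only.
# Assumed option names: cacheable_name, cacheable_dn.
ldap {
	# other ldap settings (server, base_dn, user section, ...) omitted

	group {
		base_dn = "ou=groups,dc=example,dc=com"     # constructed sample DN
		filter = "(objectClass=groupOfNames)"
		name_attribute = cn
		membership_attribute = "memberOf"

		# Cache the group *names* in the control list during authorize.
		# They appear as control:LDAP-Group, one value per group, so the
		# attribute becomes readable instead of check-only.
		cacheable_name = yes

		# Caching DNs as well is rarely needed and doubles the cached values.
		cacheable_dn = no
	}
}

# sites-enabled/default, authorize section, after the ldap module has run.
authorize {
	# other modules omitted
	ldap
	if (ok || updated) {
		update reply {
			# [*] expands to every cached value, comma separated.
			# A RADIUS attribute value holds at most 253 bytes, so a user
			# in many groups is silently truncated here; if the full list
			# matters, test per group with if/elsif as Matthew described.
			Reply-Message := "%{control:LDAP-Group[*]}"
		}
	}
}
```

Run `radiusd -X` with a test user and look for the cached `LDAP-Group` entries in the debug output before relying on the expansion.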