How to use LDAP Group attributes in post-auth section?

Alan DeKok aland at
Wed Jan 8 19:14:04 CET 2020

On Jan 8, 2020, at 12:26 PM, uj2.hahn at wrote:
> Hi!
> I use freeradius 3.0.17 with LDAP module for a school.
> There are different LDAP groups (e.g. students and teacher).
> WLAN login time should be limited but differently for different groups.
> In freeradius I already extracted the LDAP group the user belongs to and I know
> how to limit  the logintime (Current-Time == "wk1602-0800") or so.
> But of course I don't want to hardcode the group specific time strings.
> Idea is to define group attributes in LDAP which contain these strings.
> - Is it possible to map _group _specific attributes into LDAP module of freeradius,
>   may be some code snippets as template....

  You can do an LDAP query, off the time limits are in LDAP.

> - so far I use OpenLDAP as training vehicle. Here I can add a radius scheme. But
>   final solution has to be (existing) Active Directory. Is above method usable there
>   as well?

  Sure, if you extend the schema.

> - May be there is a completely different solution out there I'm not aware of.
>   Any hints are very welcome!

  TBH, the time limit format is very RADIUS specific.  It's best to put the rules into FreeRADIUS:

	if (LDAP-Group == "students")  {
		update reply {
			Login-Time := "wk0900-1600"

  Alan DeKok.

More information about the Freeradius-Users mailing list