How to use LDAP Group attributes in post-auth section?

uj2.hahn at uj2.hahn at
Wed Jan 8 19:57:58 CET 2020

Hi, Alan!
Thanks again for very quick help. Some comments:

   > You can do an LDAP query, if the time limits are in LDAP.

Is there any hook in the LDAP module for that? Or do you mean to call something like `ldapsearch ......` in the post-auth section? Guess this has performance disadvantages because it would be called by each user login.
Is there a freeradius initialization module which can be used for this query to do it once only?


On 08.01.2020 19:14, Alan DeKok wrote:
> On Jan 8, 2020, at 12:26 PM, uj2.hahn at wrote:
>> Hi!
>> I use freeradius 3.0.17 with LDAP module for a school.
>> There are different LDAP groups (e.g. students and teacher).
>> WLAN login time should be limited but differently for different groups.
>> In freeradius I already extracted the LDAP group the user belongs to and I know
>> how to limit the logintime (Current-Time == "wk1602-0800") or so.
>> But of course I don't want to hardcode the group specific time strings.
>> Idea is to define group attributes in LDAP which contain these strings.
>> - Is it possible to map _group_ specific attributes into LDAP module of freeradius,
>>    maybe some code snippets as template....
>    You can do an LDAP query, if the time limits are in LDAP.
>> - so far I use OpenLDAP as training vehicle. Here I can add a radius scheme. But
>>    final solution has to be (existing) Active Directory. Is above method usable there
>>    as well?
>    Sure, if you extend the schema.
>> - Maybe there is a completely different solution out there I'm not aware of.
>>    Any hints are very welcome!
>    TBH, the time limit format is very RADIUS specific.  It's best to put the rules into FreeRADIUS:
> 	if (LDAP-Group == "students")  {
> 		update reply {
> 			Login-Time := "wk0900-1600"
> 		}
> 	}
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
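
The LDAP query suggested in the quoted reply can be issued from unlang through the ldap module's xlat, so no external `ldapsearch` call is needed. The following is an added example, not code from either poster. It assumes group entries under the placeholder DN ou=groups,dc=example,dc=org that carry the time string in a radiusLoginTime attribute, that Login-Time is enforced by the logintime module from the control list, and that logins without a usable time string should be refused.

```unlang
# Added example, not from the thread. Placeholders / assumptions:
#   - group entries are cn=<group>,ou=groups,dc=example,dc=org
#   - each group entry stores its time string in radiusLoginTime
#   - the ldap and logintime modules are enabled under those names
authorize {
	# ... other modules as already configured ...

	# The ldap module must run first so that LDAP-Group can be evaluated.
	ldap

	# && short-circuits, so only the matching group triggers a query.
	# The xlat performs one base-scope search on the group entry and
	# expands to the attribute value; the regex rejects an empty result.
	if ((LDAP-Group == "students") && ("%{ldap:ldap:///cn=students,ou=groups,dc=example,dc=org?radiusLoginTime?base}" =~ /^(.+)$/)) {
		update control {
			Login-Time := "%{1}"
		}
	}
	elsif ((LDAP-Group == "teacher") && ("%{ldap:ldap:///cn=teacher,ou=groups,dc=example,dc=org?radiusLoginTime?base}" =~ /^(.+)$/)) {
		update control {
			Login-Time := "%{1}"
		}
	}
	else {
		# No known group, or the group entry has no time string:
		# refuse the login instead of allowing it at any time.
		reject
	}

	# Compares the current time against control:Login-Time.
	logintime
}
```

The DNs are written out literally in each branch because values expanded inside the ldap xlat are passed through the module's LDAP escaping, which would alter the commas and equals signs of a DN taken from another attribute.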
