Check local before LDAP Authentication

Jorge Pereira jpereira at
Fri May 28 15:29:21 CEST 2021

Hi Matteo,

First of all, its hard to help you without the debug logs, please <>

Other than that, please take a look at <> if you’re looking for AD or just take a look at /etc/raddb/mods-available/ldap. Then, back to us with some debug output.

Jorge Pereira
jpereira at

> On 28 May 2021, at 08:52, Matteo Raffa <matteo.raf at> wrote:
> I’ve found some old posts about this on the mailing list, but all of those were 10+ years old and using v1 or v2.
> Further to that, I am using LDAP for authentication (Google doesn’t send passwords).
> So, in my authorize {} I have set this before pap to set the proper auth method:
> if (User-Password) {
>    	update control {
>        	Auth-Type := ldap
>    	}
> }
> Now I believe that I should just need to add another condition to check for files module returning notfound code, so that it only sets ldap in case the user is not found in files, otherwise it will just go on to pap.
> Something like 
> if (User-Password && files == notfound) {...}
> But I can’t find the correct way to do this check. What is the attribute name corresponding to “files module return code” that I should check?
> I checked man unlang for that, but it only says that I can check for a module return code just after its execution.
> It doesn’t tell anything about a variable storing each module’s return code.
> Thanks!
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list