Check local before LDAP Authentication

Matteo Raffa matteo.raf at
Fri May 28 16:16:28 CEST 2021

>  It doesn't save a variable for each possible module.  That would be an enormous amount of work, and isn't that useful.

Thanks for pointing that out, I wasn’t sure about that as I couldn’t find any reference in the man pages.

>  You can just change the order of the modules in the configuration files.
>  It might be better to explain what you're trying to do, instead of asking "why doesn't the server save each modules return code".
>  i.e. don't ask why a particular solution doesn't work.  Explain the problem, and let us suggest a solution that works.

I’m sorry, I just put that in the subject and didn’t repeat it in the text.
What I want to achieve is quite simple: authenticate with LDAP only in case there’s no corresponding local user available.

In the meantime I came up with this.
I guess in case someone needs to check local users *after* ldap, they’d simply move the files module after ldap and before pap (without the additional condition check on files rcode). Am I right?

	if (ok) {

	if ((ok || updated) && User-Password) {
		update control {
			Auth-Type := ldap
> Hi Matteo,
> First of all, it's hard to help you without the debug logs, please <>
> Other than that, please take a look at <> if you’re looking for AD or just take a look at /etc/raddb/mods-available/ldap. Then, back to us with some debug output.

Hello Jorge,
Thank you, but I already got LDAP authentication working.
I am just trying to understand which is the best way to implement this additional “emergency” local auth.
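
An added example, not part of the original message or of the configuration FreeRADIUS ships: one way to order the authorize section so that LDAP is consulted only when the local users file has no matching entry. It assumes FreeRADIUS 3.x unlang, module instances named files, ldap and pap, and that files returns ok only when a users-file entry matched.

```unlang
authorize {
	# Assumption: this is the authorize section of the virtual server
	# that handles the request (for example sites-enabled/default).

	# 1. Local lookup first. An entry in the users file that carries
	#    Cleartext-Password makes the later pap module handle the request.
	files

	# 2. Only when the local lookup did not match, consult LDAP.
	#    Inside this block, "ok" and "updated" refer to the return code
	#    of the ldap module, because it is the last module that ran.
	if (!ok) {
		ldap
		if ((ok || updated) && User-Password) {
			update control {
				Auth-Type := ldap
			}
		}
	}

	# 3. pap sets Auth-Type for local users that have a known password.
	#    For LDAP users Auth-Type was already forced to ldap above.
	pap
}

authenticate {
	# pap verifies local users against the password from the users file.
	Auth-Type PAP {
		pap
	}
	# ldap verifies everyone else with a bind against the directory.
	Auth-Type LDAP {
		ldap
	}
}
```

A users-file DEFAULT entry whose check items match every request would make files return ok for all users and LDAP would never be reached, so the effective ordering is best confirmed in the radiusd -X debug output with one local and one LDAP-only account.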
