Help with Freeradius and Google Suite LDAP

Alan DeKok aland at
Sat Dec 16 19:18:18 UTC 2023

On Dec 15, 2023, at 1:01 PM, Chris Bradley <bradleyc at> wrote:
> Hello everyone! :)
> I have this working but it's not working for all of our users.
> We have users in our Gsuite with to different email addresses:
> and
> I can authenticate users from one or the other by modifying the ldap file
> under mods-enabled and changing the base_DN to match whichever group I want
> to authenticate.

  The "base_dn" field is dynamically expanded at run-time.  So you can set it as necessary.  (mostly).  For various security reasons, it doesn't accept commas, brackets, etc.  But you can add names.

> Can anyone, at a very simple level, explain to me how to allow the
> freeradius server to authenticate users from two base_dn (
> and using a single server? I've been tinkering with the
> files and I'm not having any luck.

   Edit raddb/dictionary, add:

ATTRIBUTE BaseDN-Group 3000 string

  This defines a base dn group.

  Then in mods-available/default, "authorize" section:

	if (User-Name =~ /^([^.]+)\.k12\.in\.us/) {
		update request {
			&BaseDN-Group := "%{1}"

  Then in mods-enabled/ldap, edit it to say:

	base_dn = "dc=%{BaseDN-Group},dc=k12,dc=in,dc=us"

  i.e. dynamically add a prefix to the base_dn, depending on the domain.

  That should work.  You night have to tweak the base_dn string based on your local configuration, but the above example should be a good start.

  Alan DeKok.

More information about the Freeradius-Users mailing list