> > I've checked the sources - rlm_ldap NEVER sets Ldap-Group attribute. It is > used for comparison only :( > > > Only option seems to be testing for Ldap-Group != "". > > Ivan Kalik
It will not work. Quote from rlm_ldap.c: static int ldap_groupcmp(void *instance, REQUEST *req, UNUSED VALUE_PAIR *request, VALUE_PAIR *check, .. if (check->vp_strvalue == NULL || check->length == 0){ DEBUG("rlm_ldap::ldap_groupcmp: Illegal group name"); return 1; } It seems to me, that writing some patch is the only solution for my problem :) --- Maxim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html