Freeradius 3 with LDAP Authentication Bind as User

Alan DeKok aland at
Mon Jun 1 17:02:00 CEST 2020

On Jun 1, 2020, at 10:23 AM, Jason Leiby <leibyj at> wrote:
> Thank you for the link to Network Radius.  I was unaware that there was an
> issue with redhat and the standard freeradius packages.  I have upgraded to
> 3.0.21 after adding the repositories in your link.  This has fixed the
> chase_referrals issue, but I am still not binding as the user to LDAP.


> When performing a wireshark capture, the bind user shows as "<ROOT>
> simple". Do I need to set the ldap attributes to provide the user and
> password to the far end?

   The LDAP module does "bind as user" when it's run from the "authenticate" section.  Otherwise, it binds as the admin.
> (3) ldap: Performing search in "OU=Employees,OU=Domain
> Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope
> "sub"

  This search is with the admin credentials you supplied in the mods-enabled/ldap

> (3) ldap: Waiting for search result...
> (3) ldap: ERROR: Failed performing search: Operations error with LDAP
> database.  Please see the LDAP server configuration / documentation for
> more information.
> (3) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In
> order to perform this operation a successful bind must be completed on the
> connection., data 0, v2580.

  That seems pretty clear.  It looks like either you didn't set "rebind=true" also, *or* the admin user doesn't have permissions to query the LDAP database.

  The default configuration has both "chase_referrals = yes", and "rebind = yes".  Along with comments explaining what they do, and why they need to be set for AD.

  The ldap module should *not* "bind as user" when it's run from the "authorize" section.  Instead, the ldap module should just use the admin name / password.  This is because it's querying group information, and "known good" passwords for the user.  There is just no need to do "bind as user" there.

  If you do want to authenticate users, run ldap in the "authenticate" section.  As I already said.  Again, there is documentation for this in the default configuration.  Which I suggest reading.

  Reading the documentation and following the examples *will* make this work.  That's why I suggest reading them.

  Alan DeKok.

More information about the Freeradius-Users mailing list