So far I have the ldap component querying AD correctly and I have the ntlm_auth component doing the same and each individually passing from a radtest. My question now revolves around passing the groups in our setup and if this is even possible using the protocols listed above. Unfortunately, we don't have the option to move away from these protocols in our environment. I'm a bit of a freeradius noob so any help is appreciated.
I'm not using NTLM for auth, but I am enforcing AD Group access What I did was fairly simple. I wanted users to either be admins or not (and this is just an example usage): users: DEFAULT Ldap-Group == "grp-admin-admin", Auth-Type = pam Reply-Message = "Hello (admin), %{User-Name}", Fall-Through = No DEFAULT Ldap-Group == "Operator", Auth-Type = pam Reply-Message = "Hello (operator), %{User-Name}", Fall-Through = No DEFAULT Auth-Type := Reject Reply-Message = "you are not authorized" My ldap module config looks like (I have a patched version for exec callouts on string fields. The patch can be found posted to the list): ldap { server = "myDC" port = 636 identity = "exec:/path/to/passgetter LDAP.user" password = "exec:/path/to/passgetter LDAP.pwd" basedn = "dc=myorg,dc=myco,dc=org" filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls_mode= yes tls { start_tls = no cacertfile = /path/to/my/cacerts require_cert = "never" } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))" groupmembership_attribute = "memberOf" chase_referrals = no rebind = no set_auth_type = no ldap_debug = 0x8000 } And then my authorize config (in my site-enabled/default): authorize { preprocess auth_log files ldap } R. Marc