PAP and authenticating via AD

Stefan Winter stefan.winter at
Mon Aug 28 23:00:22 CEST 2006


(don't write HTML mails please)
(please use a more descriptive subject line instead of Please help !!!)
(0 or 1 exclamation mark will do, preferably 0)

first off: if you will stay with PAP later (user's password comes in in clear 
text), just treat the AD server like a plain ldap server, i.e. configure and 
activate ldap {} in both authorize and authenticate sections of radiusd.conf. 
No sign of AD specialties here.

This is in fact the recommended way: configure the ldap {} section, activate 
it and be happy. It will work.

If you will change to MS-CHAP later, only then will you need the AD way of 
authenticating users. This is what I describe below.

> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type System
> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_unix: [test]: invalid password
> modcall[authenticate]: module "unix" returns reject for request 0
> modcall: leaving group authenticate (returns reject) for request 0
> auth: Failed to validate the user.

That line 152 in the users file sets the Auth-Type System if no other 
Auth-Type has previously been set. This is quite okay when authenticating 
users locally with PAP logins (i.e. password is on the FreeRADIUS server 
*system*). If you configure ldap {} as said above, Auth-Type will be set to 
LDAP and things will work.

If you want to use MS-CHAP login later, things will magically work out of the 
box (the mschap module is by default active in authorize and will set 
Auth-Type to MS-CHAP by itself *if* the request is indeed an MS-CHAP request 
and later authenticate users via the mschap module (in which you have to 
activate the ntlm_auth line)).

> using wbinfo -u and wbinfo -g command, able to pull the users and groups
> from AD.

This is great, you've already done the bulk of the work then. If you'll stick 
with PAP later, this work was unnecessary (ldap module will do). If you want 
to switch to MS-CHAP: uncomment the ntlm_auth line in the mschap module to 
tell the FreeRADIUS server to actually use this connection.


Stefan Winter


Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
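
The setup described in this message, written out as an added example; it is not part of the original mail and not the poster's or the FreeRADIUS project's own configuration. Host name, bind DN, password, file paths, the sAMAccountName filter, the TLS settings and the placement of ldap ahead of files are assumptions of this example.

```conf
# radiusd.conf fragments, FreeRADIUS 1.x layout (constructed example).
# Host names, DNs, the password and file paths are placeholders.

modules {
	# PAP against AD: treat the domain controller as a plain LDAP server.
	ldap {
		server   = "dc1.example.com"
		identity = "cn=radius-bind,cn=Users,dc=example,dc=com"
		password = "CHANGE-ME"
		basedn   = "dc=example,dc=com"
		# sAMAccountName is the AD logon-name attribute.
		filter   = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
		# With PAP the user's clear-text password is replayed in the
		# LDAP bind, so protect that hop with TLS.
		start_tls        = yes
		tls_cacertfile   = /etc/raddb/certs/ad-ca.pem
		tls_require_cert = "demand"
	}

	# Only needed for MS-CHAP: hand challenge and response to winbind.
	mschap {
		authtype  = MS-CHAP
		ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	}
}

authorize {
	preprocess
	# Sets Auth-Type MS-CHAP only when the request is MS-CHAP.
	mschap
	# Sets Auth-Type LDAP for requests carrying a PAP password.
	ldap
	# The users-file DEFAULT sets Auth-Type System only if none is set yet.
	files
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	Auth-Type LDAP {
		ldap
	}
	# Auth-Type System: accounts local to the RADIUS host only.
	unix
}
```

A debug run should then report Auth-Type LDAP (or MS-CHAP) for the request instead of the `Found Auth-Type System` line quoted in the message.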
