Freeradius + Microsoft Active Directory

Natalia Escalera nescalera at
Sat Feb 25 18:53:20 CET 2006

Hello Mr. DeKok

Thank you for the fast response.  The  password is clear-text.  We are
using ethereal to debug why we are getting "Operations Error" on the
Search Result.  The Operation Errors comment is the following:
"In order to perform this operation a successful bind must be completed."

The search request on ethereal from Freeradius to the active directory
gives the following:
Message Type: Search Request
Message Length:  96
Response In: 469
Base DN: dc=test, dc=prt
Scope: subtree (0x02)
Derefence: Never (0x00)
Size Limit: 0
Time Limit: 4
Attributes only: False
Filter: (&(objectclass=person)(sAMAccountName=%u))
Attribute: uid ????we are not sending this attribute and we do not
know where it is specified on Freeradius

Here are the settings given for LDAP module on radius.conf and user file:

ldap {
		identity ="" # If this is suppose to be the bind dn???
		password = "mypassword"
		basedn ="dc=test,dc=prt"

		#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		filter ="(&(objectclass=person) (sAMAccountName=%u))"

		# set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		# The StartTLS operation is supposed to be used with normal
		# ldap connections instead of using ldaps (port 689) connections
		start_tls = no

		# tls_cacertfile	= /path/to/cacert.pem
		# tls_cacertdir		= /path/to/ca/dir/
		# tls_certfile		= /path/to/radius.crt
		# tls_keyfile		= /path/to/radius.key
		# tls_randfile		= /path/to/rnd
		# tls_require_cert	= "demand"

		# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
		# profile_attribute = "radiusProfileDn"
		access_attr = "dialupAccess"

		# Mapping of RADIUS dictionary attributes to LDAP
		# directory attributes.
		dictionary_mapping = ${raddbdir}/ldap.attrmap

		ldap_connections_number = 5

		timeout =5
		timelimit =4
		net_timeout =2
		compare_check_items = yes

authenticate {
	Auth-Type PAP {

	Auth-Type CHAP {

	Auth-Type MS-CHAP {


	Auth-Type LDAP {


#users file
	DEFAULT Auth-Type := LDAP
	Fall-Through = 1

Can you please tell us if there is something wrong or if we are
missing something on the configuration files?

Thanks in advance,

On 2/25/06, Alan DeKok <aland at> wrote:
> "Natalia Escalera" <nescalera at> wrote:
> > I am setting up freeradius with Microsoft Active Directory. So far, I
> > am able to connect to the server but not to authenticate a user. Can
> > you  please give me a hint of how the configuration files need to be
> > set in order to authenticate the user.
>  If the RADIUS packets have clear-text passwords, then the normal
> LDAP module should work.  If you're using PEAP or MS-CHAP, read
> "radiusd.conf",m and use "ntlm_auth".
> > Also, what is "3D" used for? (Example: server =3D ...)
>  Nothing.  It's an artifact of stupid mailers.  3D is ASCII for '='.
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list