Chris Liles Chris.Liles at
Thu May 25 18:21:08 CEST 2006

>  AD doesn't supply passwords through LDAP.  That's why the server
>ships with support for ntlm_auth.

That is right, I forgot that even if you are on a ssl/tls ldap connection as an administrator, you can't pull the password back from AD.

What "hooks" are you talking about? The extensions for unix services?

Chris Liles

-----Original Message-----
From: at [ at] On Behalf Of Alan DeKok
Sent: Thursday, May 25, 2006 11:36 AM
To: FreeRadius users mailing list
Subject: Re: PEAP + AD 

"Chris Liles" <Chris.Liles at> wrote:
> But I have also read about some guy successfully using OpenLDAP with
> PEAP because he stored the LM and NT password hashes in the ldap
> schema along with the clear text password. With AD I suppose you
> could extend the schema to store these as well, but you'd have to
> manually update them when a password changes.

  Yes.  There are hooks in AD to do just that, but the software
implementing the hooks has to be installed on every domain controller.

> In my attempts to use ldap with active directory for PEAP it
> wouldn't work, so I went samba. It works fine. Radiusd -X and the
> mailing list are your best friends. :)

  AD doesn't supply passwords through LDAP.  That's why the server
ships with support for ntlm_auth.

  Alan DeKok.
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list