Freeradius Auth via LDAP against Active Directory Server 2003

Phil Mayers p.mayers at
Sat Apr 28 14:15:31 CEST 2007

I haven't been following your (quite extensive) queries, so apologies if 
I've missed something fundamental.

I honestly don't know why this is proving so difficult. I've just tested 
this against our own 2k3 AD service, and although I'm pretty familiar 
with FR it took under 5 minutes. Try following the instructions below. 
These were tested with FreeRadius 1.1.4

1. First, create or locate an existing account which FreeRadius can bind 
and do it's searches as. Record the following variables:

SEARCHDN=<the DN of the account>
SEARCHPW=<the password>
BASEDN=<the DN below which all your accounts live in AD>
ADHOST=<hostname of the AD controller you'll search against>

For example, these might be:

SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
BASEDN=OU=My Site,DC=mysite,DC=com

2. Next, take the default "radiusd.conf"

3. Find the start of the modules section:

modules {

Delete this line and all the following lines

4. Insert the following config:

modules {
   ldap {
     server = "$ADHOST"
     identity = "$SEARCHDN"
     password = "$SEARCHPW"

     basedn = "$BASEDN"
     filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

     dictionary_mapping = ${raddbdir}/ldap.attrmap

     ldap_connections_number = 5
     timeout = 4
     timelimit = 3
     net_timeout = 1

   preprocess {
     huntgroups = ${confdir}/huntgroups
     hints = ${confdir}/hints

     with_ascend_hack = no
     ascend_channels_per_line = 23

     with_ntdomain_hack = no
     with_specialix_jetstream_hack = no
     with_cisco_vsa_hack = no

   detail {
     detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
     detailperm = 0644


instantiate {

authorize {


authenticate {
   Auth-Type LDAP {

preacct {

accounting {

session {

post-auth {

pre-proxy {

post-proxy {

5. Start the server with -X

6. Run "radtest" to send a checking PAP request

It should work.

The above config is the ABSOLUTE BARE MINIMUM server config which will 
check PAP requests ONLY against an AD LDAP server. I do NOT recommend 
you go into service with this config. Try to look at it, understand how 
it's doing what it's doing, *then* start again with the default 
FreeRadius config and make the absolute minimum changes to get back to 
that point.

More information about the Freeradius-Users mailing list