Freeradius with OpenLDAP and AD.

tnt at tnt at
Tue Feb 17 15:55:15 CET 2009

>Hi, I have several problems when I would like to link freeradius with AD
>using OpenLDAP.

Look up
to see how to inegrate with AD for pap and mschap/PEAP.

>When I tried to test the binding of OpenLDAP to the AD with radtest, it
>responds Access-Accept (as you can see in the log after).


>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as
>CN=philippe,CN=Users,DC=test,DC=fr/philippe to
>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ...
>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful
>Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated

Ldap "bind as user" works for pap requests. And nothing else. This is
documented in ldap module configuration file.

>But when I wanted to check with a real supplicant (under WinXP with
>MD5-Challenge Auth) I got an access-reject.

EAP-MD5 authentication requires clear text password:

AD is not going to provide it via ldap. You can't use AD to authenticate
with EAP-MD5. Obtaining a reversibly encrypted password from AD is
propriatory MS stuff. You need IAS for that plus to enable reversible
passwords for your users in Remote Access Policy. If this wasn't
enabled already, reversible passwords will be created next time user
changes the password (ie. all users will most likely need to enter new

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list