Default ldap fallthrough but no Auth-Type set

Harry Hoffman hhoffman at
Thu Sep 30 16:47:11 CEST 2010

Hi All,

I'm running freeradius 2.1.8 on a Redhat 5.x box. We're setup to
authenticate against LDAP and AD using the how-tos and wiki on the
freeradius website. Users might be in LDAP, or AD, or both.

I've stuck with the default config and enabled both ldap and ntlm_auth
(after making sure that both sources can authenticate per the docs).
Both sources of authentication work.

It seems that when enabling the ldap module, it become the default if
nothing else sets the Auth-Type.

Now I'm trying to walk through the exercise of getting AD auth to work
if a user is present in AD, or getting LDAP auth to work if the user is
present in LDAP.

In the authorize { ... } section of sites-enabled/default I have the
ldap {
	notfound = return

In the authenticate { ... } section of sites-enabled/default I have the
following Auth-Type:

        #  ntlm_auth authentication.
        Auth-Type ntlm_auth {

        Auth-Type LDAP {
                                reject = 1
                                ok = return
                                reject = 1
                                ok = return

If the user has a entry in the LDAP database then the Auth-Type is set
to LDAP and the authorization jumps to Auth-Type LDAP and goes through
the groups stanza trying to authenticate to ldap or ntlm_auth.

However if the user is not in LDAP then it seems as though Auth-Type is
never set so the default authentication is attempted via ldap, which
fails. I don't understand why it doesn't try the Auth-Type LDAP

Everywhere I read, the docs say not to specifically set Auth-Type but to
let the server figure it out. So, how do I let the server figure out
that the Auth-Type should be ntlm_auth when the authorize { ... }
section matches ntlm_auth?

rad_recv: Access-Request packet from host port 55874, id=200,
	User-Name = "admin"
	User-Password = "password"
	NAS-IP-Address =
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m
%d expands to /var/log/radius/radacct/
[auth_log] 	expand: %t -> Thu Sep 30 10:32:05 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "admin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "admin", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=admin
[ntlm_auth] 	expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0) 
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) 
Exec-Program: returned: 0
++[ntlm_auth] returns ok
[ldap] performing user authorization for admin
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> admin
[ldap] 	expand: (&(uid=
%{%{Stripped-User-Name}:-%{User-Name}})(!(inetCOS=802.1x_disabled))) ->
[ldap] 	expand: ou=People,dc=ip-solutions,dc=net,o=internet ->
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to, authentication 0
  [ldap] starting TLS
  [ldap] bind as / to
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in
ou=People,dc=ip-solutions,dc=net,o=internet, with filter
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [admin] (from client
localhost port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> admin
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 200 to port 55874
Waking up in 4.9 seconds.
Cleaning up request 0 ID 200 with timestamp +3
Ready to process requests.


More information about the Freeradius-Users mailing list