Conditional attributes with AD
Scott McLane Gardner
sgardne at uark.edu
Tue Mar 6 19:28:27 CET 2012
>
> You can configure AD as an LDAP server, and then do LDAP group checks.
> See the LDAP documentation for examples.
>
> Alan DeKok.

I think the documentation is saying that LDAP can't be used with EAP. Is
that what it's really saying? It's a little unclear since it says "The
solution is to use the default configuration, which does work."

# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.