How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

pramod kulkarni pammu.kulkarni at
Fri Apr 19 10:35:13 CEST 2013

Thanks for the reply.

I am new to FreeRadius and doing analysis on how to remove the "identity"
and "password" attributes of the LDAP module in radiusd.config and still be
able to authenticate and authorize LDAP users.

Is there any other option/configuration to avoid usernames and plain
text passwords in the module ldap of radiusd.conf for authenticating and
authorizing users of the LDAP database?

I tried the EAP-TLS method but didn't get a proper result. Can I use LDAP as
the database for the EAP-TLS method, as one of the forum answers is no?

I would like to use a certificate (admin) to bind to the LDAP database
using FreeRadius because admin has the authority to traverse the LDAP tree.

After binding using the certificate, I would like to authenticate different
users of LDAP using "radclient.exe -d ..\etc\raddb -f radtest.txt -x -s auth testing1"

If, as per the replies, only LDAP simple bind is possible, how to compile
OpenLDAP+SASL+FreeRadius on Windows, only through cygwin? or any other

Please advise me if I am wrong.
Waiting for your inputs.


On Wed, Apr 10, 2013 at 8:34 PM, Arran Cudbard-Bell <
a.cudbardb at> wrote:

> > There are other ways to establish the trust between radiusd and LDAP
> beside simple binds which do not involve passwords. All of these use SASL
> in some form. Unfortunately rlm_ldap does not support them. I know Alan
> rewrote rlm_ldap recently for the upcoming 3.0 version,
> > I don't know if SASL support was added or not. In any event this is an
> open source project and if you want this functionality then the usual
> mantra "Patches Welcome" applies.
> No it wasn't.
> -Arran

More information about the Freeradius-Users mailing list