AD Authentication Permissions

Mathieu Simon mathieu.sim at
Wed Jan 9 20:52:35 CET 2013

Hi Tyler

Since I'm in a similar situation with AD but still learning, just
general experience with other Applications from the *nix world authenticating
against AD:

2013/1/9 John Dennis <jdennis at>:
> On 01/09/2013 02:00 PM, Tyler Brady wrote:
>> Can someone give more details on setting up LDAP groups? So far I have
>> attempted to modify the users file and the ldap module. I can't seem to get
>> the ldap module configured properly, but I'm sure that's just one of many
>> issues.
>> ldap {
>>         #
>>         #  Note that this needs to match the name in the LDAP
>>         #  server certificate, if you're using ldaps.
>>         server = "ldap.your.domain"
>>         #identity = "cn=admin,o=My Org,c=UA"
>>         #password = mypass
>>         basedn = "o=My Org,c=UA"
>>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         #base_filter = "(objectclass=radiusprofile)"
>> cn = username (is this correct)
>> o= domain (is this correct)
>> c= ?  (what does this field mean)

Your AD admin (you?) needs to create a basic user account, no domain admin
needed - who can read the parts of your AD/LDAP tree as John said.
(We maintain a couple of srv-* accounts here to quickly distinguis
between real user accounts)

You'll need the value of the distinguishedName attribute on AD,
your Admin can give you this value, but it's hidden by default in the GUI.*

For "server=" (don't know of recommended for FR too): You could point to
your.domainname, as this is a DNS record maintained by your AD-integrated
nameservers who will point to all addresses of your current DCs.

BaseDN - yeah, look up a little what it is, it's the base your FR will
start looking
up inside the LDAP tree.



More information about the Freeradius-Users mailing list