freeradius 2.2.0 stop authorization

Alan DeKok aland at
Tue Jan 22 20:22:09 CET 2013

Wedel Blake wrote:
> ... What I want to do is setup ldap to authenticate against our Windows 2010 server where the computers are a part of the domain.

  AD isn't really an LDAP server.  You'll probably need to run Samba.  See:

>    I would like for it to query mysql first and then query ldap if it didn't find the computer in mysql.

authorize {
	if (notfound) {

  Should work for PAP requests.  (User-Name / User-Password)

> If I remove ldap for the defaults file I get an Access-Accept reply as expected.  It just that if there is anything after sql in the defaults file then it will continue on to try and authenticate against another module.

  Use the configuration I posted above.  It should help.

> Below you can see a simple query with 'blake' being sent as both the user-name and password.  It queries the db and finds it (as expected).  However it continues to go to ldap and tries to find it to which I get an error. 

  Read raddb/modules/ldap.  Look for "operations error"

> I understand that I don't have ldap working properly right now.  However, first I just want to get the logic setup to where after finding a name in mysql it will stop and reply back with an Access-Accept and not query ldap.  Is there a setting you have to put in a conf file?

  It's a policy you write.  There is no "setting" to do if/then/else

  Alan DeKok.

More information about the Freeradius-Users mailing list