freeradius-3.0.1 ldap authenticate

Alan DeKok aland at
Wed Feb 26 14:29:49 CET 2014

A.L.M.Buxey at wrote:
> if thats the view then the wording on needs to change - anyone who
> reads 'stable' and has eg ITIL framework etc will go for that release (2.2.x) 
> and not the 'latest/feature' release. 

  We will continue to support v2.2.x for a few years.  It's OK for
people to use it.

> I said..if he's done all that he's been told to do then its likely to be a bug/issue
> - in this case he hadnt done all he'd been told/instructed to do ;-)

  People should avoid "Auth-Type = ldap".  The ONLY reason to use it is
for Active Directory, when the request has User-Password.  For all other
LDAP directories, FreeRADIUS should just grab the password from LDAP,
and do the authentication itself.

> I'd submitted a config change via github to make all this much easier for admins to see
>  - which appears to have been rejected. which is a pity - as if you are now changing how 
> the server/module works and dont put the relevant parts that people need into place then it 
> becomes harder for the server to be configured correctly for purpose (and lets face it, 
> for a lot of people this server is hard to configure anyway) - especially relating to this 
> LDAP change in behaviour - other modules/configs have the required unlang present next to 
> them to uncomment/use...just a few lines of code to stop many many similar queries about 
> 3.x and LDAP ? think of the users.

  The default configuration should work for nearly all LDAP servers.
For Active Directory, they should probably be using ntlm_auth, which is
also documented.

  Alan DeKok.

More information about the Freeradius-Users mailing list