rlm_ldap + bind as user authentication

Stefan Paetow Stefan.Paetow at ja.net
Fri Jul 18 10:31:43 CEST 2014

Thank you Arran :-)

I'll update the Wiki page at some point (next week) with this information :-)


From: freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org [freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org] on behalf of Arran Cudbard-Bell [a.cudbardb at freeradius.org]
Sent: 17 July 2014 18:51
To: FreeRadius users mailing list
Subject: Re: rlm_ldap + bind as user authentication

On 17 Jul 2014, at 12:48, Stefan Paetow <Stefan.Paetow at ja.net> wrote:

> Oh, and I just realised… If I’m using EAP-GTC as the inner type in an EAP conversation, I only need to replace the ‘pap’ in Auth-Type PAP (in the authenticate section) with ‘ldap’ and it binds ok.
> But – Is that the recommended way of doing it?

What I didn't realise before was deep in the darkest murkiest depths of the server core,
is some logic which auto creates the auth types for modules listed in authenticate.

so if you do

authorize {
        if (User-Password) {
                update control {
                        Auth-Type := ldap

authenticate {

Should work fine.

If you're doing EAP then this will need to be in the inner tunnel, with EAP listed before
the if statement (or at leas that's the most efficient way).


Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238

More information about the Freeradius-Users mailing list