authenticating against local LDAP and Jumpcloud LDAP

Alan DeKok aland at
Tue Feb 16 21:53:40 CET 2016

On Feb 16, 2016, at 2:46 PM, Michael Martinez <mwtzzz at> wrote:
>>  Why not just configure LDAP directly in FreeRADIUS?  The server has done LDAP for oh, 15 years now.
> In fact I would like to do this. But I haven't gotten far enough into
> the documentation to know how. Perhaps just uncommenting the ldap
> lines in the authorize section is sufficient.

  More than that.  You have to configure raddb/mods-enabled/ldap with the credentials to your LDAP server.

> There doesn't appear to be any difference, either is simply a basic
> username like "test1" "test2". In the debug output they look like
> this:
> User-Name = "test2"

 That's a problem.  A big one.

> Perhaps this is something REALMs would help distinguish?

  Yes.  Most users should be using email addresses for their identifiers.  i.e. "user at my.domain.tld".  That way you can easily distinguish users from different domain.

> Looking
> through inner-tunnel I see there is a suffix call that tries to
> determine which realm is provided. In my case, the realm is null for
> all users. If I were to create jumpcloud usernames with
> user at something, what would the "suffix" routine do with it, and would
> I be able to test for this in an if statement?

  Yes.  And You'll have to create "jumpcloud" as a LOCAL realm.  See raddb/proxy.conf.

  There are many ways to do this.  The simplest way is to describe what you have, and what you want to do .  We can then help you create the best configuration.

  Alan DeKok.

More information about the Freeradius-Users mailing list