FreeRADIUS + Cisco + Active Directory

Matthew Newton mcn4 at
Wed Jan 6 12:28:20 CET 2016

On Wed, Jan 06, 2016 at 09:55:42AM +0000, A.L.M.Buxey at wrote:
> > Is there a way to check Active Directory Group Membership without using
> > LDAP from the post-auth section?
> errr, AD is an LDAP system....  even if you used eg PERL or Python instead of the built-in LDAP
> functionality you'd still be using LDAP modules in those languages to talk to AD....

Well if you've joined the machine to AD with Samba you can use

  net ads user info <username>

to get a list of the user's groups, but why? It's likely slower
than LDAP and you also have to parse the output.

The only case I can think that you might do this would be with
libwbclient, but even then LDAP is probably faster.

> please define the problem statement  :/

Exactly. What's wrong with LDAP here?


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list