How to configure non-priveleged LDAP bind in FreeRADIUS 3.0.11

Alan DeKok aland at
Mon Sep 5 15:31:08 CEST 2016

On Sep 5, 2016, at 9:24 AM, Bogdan Rudas via Freeradius-Users <freeradius-users at> wrote:
> I would like to configure LDAP authentication for WiFi users with OpenLDAP
> back-ends (passwords are hashed). To perform initial bind to LDAP database
> I use restricted account which can read directory tree, determine DN on
> user and most of it's attributes but can't read passwords hashes.

  That's may work, if you configure it correctly.

> Then I
> expect FreeRadius to bind with DN found on previous step and user-supplied
> password.

  Does the rlm_ldap module documentation say it does that? 

> When I use admin user account (which can read password hashes) for initial
> bind, authentication test with *radtest *works well, but it is not what I
> want to do.

  Why not?

> I want to keep my OpenLDAP password policy working, this requires true LDAP
> bind attempt with credential of end-user.
> My final destination is EAP-TTLS with PAP inside. Please, help me to
> establish desired LDAP authorization schema. As far as I know it was
> possible in FreeRadius 2.1.x and I believe some additional configuration
> required here.

  You have to force Auth-Type LDAP.

authorize {
	if (noop && User-Password) {
		update control {
			Auth-Type := LDAP

  Do this in raddb/sites-enabled/default, and raddb/sites-enabled/inner-tunnel.  And also add "ldap" to the "authenticate" section for both virtual servers.

  Alan DeKok.

More information about the Freeradius-Users mailing list