default authentication via windows active directory LDAP instead of /users

Alan DeKok aland at
Wed Mar 8 16:53:50 CET 2017

> On Mar 8, 2017, at 10:38 AM,  Konstantin Knaab-Hinrichs <paradonym at> wrote:
> To solve this I removed the comment from 
>          chase_referrals = yes
>          rebind = yes
> in the tls section of /modules/ldap

  Those entries aren't in the "tls" section of raddb/modules/ldap.

> and restarted the service and freeradius -X.

  Did you READ the output, to see if it's using the "chase_referrals" configuration?  It will print out the LDAP module config, including all of the settings.  If there's no "chase_referrals = yes" in the debug output, then you edited the wrong thing.

> The warning messages hadn't changed. Everything described in the .conf files should now be the way it should.
> somehow describes something different than the installed .conf files.

  Because you're using version 2, which is end of life.  Version 3 is the officially supported version.

>  (the wiki links to this article) states that eap.conf (/freeradius/eap.conf in my case) that nothing has to be changed in eap.conf if you use Microsoft PEAP - which I think is the case for a microsoft domain controller.

  That is written by someone else, and I wouldn't believe any third-party documentation.  It might be correct, but third-party documentation is more often wrong.

> After editing /sites-available/inner-tunnel (the mods-available alternative for debian I think) like the above link states results in these messages when trying to debug-start freeradius
> /etc/freeradius/sites-enabled/inner-tunnel[170]: ERROR: Unknown value ldap for attribute Auth-Type
> /etc/freeradius/sites-enabled/inner-tunnel[169]: Failed to parse "update" subsection.
> /etc/freeradius/sites-enabled/inner-tunnel[48]: Errors parsing authorize section.

  The server you're running includes TONS of documentation in the configuration files.  That documentation explains how the server works, and what each configuration item does.  I suggest reading those, instead of random third-party web sites.

  The FreeRADIUS documentation has said for YEARS to not set Auth-Type.  If that third-party page is telling you to set "Auth-Type = LDAP", it's wrong.

  I also suggest upgrading to version 3.  It's much better.

> LDAP connection seems to be possible ([ldap] Bind was successful) and ++[ldap] = fail states that the LDAP didn't reply to the specific question if $USER is in the database or specifically said it isn't in the db.

  The debug output says what it's doing, and what happens.  Read it.

  And, follow the documentation on my web site:

  It has detailed instructions for getting PEAP to work, and getting the server to work with AD.  The page has been up for over 10 years.  It's correct.  It will work for version 2 or version 3, if you pay attention to small differences between the versions.

  It WILL work.

  I just have no idea why people spend so much time (a) ignoring the debug output of the server, and (b) following crappy third-party documentation instead of official FreeRADIUS docs.  It just makes no sense.

  Alan DeKok.

More information about the Freeradius-Users mailing list