guide on configuring freeradius 3 LDAP

Douglas C Ward douglas at
Fri Jan 19 06:33:04 CET 2018

Answers below...

> On Jan 18, 2018, at 9:20 PM, Nathan Ward <lists+freeradius at> wrote:
>> On 19/01/2018, at 3:37 PM, Douglas C Ward <douglas at> wrote:
>> Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at
>> <>
>> where it specifies…
>> Host name
>> Port	
>> 389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes.
>> 636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation.
>> Base DN	dc=<subdomain>,dc=onelogin,dc=com
>> User's Virtual DN	cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com
>> User's Password	
>> Password value.
> I notice that you’re using 389 which is non-encrypted - once you get that working, probably a good idea to try ldaps if it’s over the Internet - first though, get 389 working before adding in that complexity..

With the LDAP Admin Tool, it works with port 636 doing SSL/TLS too. I will be making the production connection use that, as soon as I get the non SSL/TLS 389 to work.
>> And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with <> < <>> ’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here.
> Can you try your manual client with the same filter? (uid=dward at <mailto:uid=dward at><mailto:uid=dward at <mailto:uid=dward at>>)?
> They seem to want to use cn=username at domain rather than uid=username at domain. The uid attribute appears to be the same as uidNumber when I had a look at the OneLogin docs. I don’t know that that’s causing your problem - but it probably doesn’t help.

I tried with substituting uid= for cn= in LDAP Admin Tool, and it doesn’t like like it, saying the credentials are invalid.
> If you can get the search to work with cn=, and uid= doesn’t work in your client, you want to update the “filter” parameter under “user” in mods-available/ldap.

and I tried changing the uid= for cn= in the filter section of the mods-available/ldap file, no dice.

On the OneLogin server, it shows a successful VLDAP login for the admin user admin at <mailto:admin at> every attempt, but nothing for the dward@ user.

> It’s kinda odd to use cn there, but, whatever!
>> Just curious, what would the error message say if I was on 3.0.16?
> If chase_referrals is on, the error is "Operations error with LDAP database.  Please see the LDAP server configuration / documentation for more information.”

Thank you, good to know.

> --
> Nathan Ward
> -
> List info/subscribe/unsubscribe? See <>

More information about the Freeradius-Users mailing list