Help with ldap integration into Active directory

Josh McMillan joshm at
Mon Aug 5 09:16:41 CEST 2019

From: Josh McMillan
Sent: Monday, 5 August 2019 5:12 PM
To: 'freeradius-users at' <freeradius-users at>
Subject: Help ldap integration into Active directory

From: Josh McMillan
Sent: Monday, 5 August 2019 5:10 PM
To: 'freeradius-users at' <freeradius-users at<mailto:freeradius-users at>>
Subject: Help ldap integration into Active directory

I’m new to free radius so forgive the ignorance as I try and articulate the set up im trying to achieve here.

Currently I have a free radius server running off a centos server:
·         Running Freeradius FreeRADIUS Version 3.0.13
·         Centos version CentOS Linux release 7.6.1810 (Core)

The overall design idea at the moment is clients will connect via l2tp vpn with a preshared key against a vyos then get challenged for AD credentials which are then passed to the Freeradius server.
-The goal is then to use ldap to query active directory – locked down to a specific security group
- Then use samba / ntlm_auth to handle the actual username/ password authentication.
- Most of this has been up until I started trying to refine the ldap search  and move the authentication part away from ldap which when I ran radiusd –X I could see in the output that ldap was still being used past the query stage.
- Since modifying those folders im for ever chasing loops in the /etc/raddb/mods-enabled/ldap file for things 'rlm_group': /usr/lib64/freeradius/ cannot open shared object file: No such file or directory’
- Unfortunately I don’t have a complete grasp oh how all these protocols interact / leverage off each other to do specific jobs and im at the point now that if I continue I will bugger up the config and have to start again.

Any assistance with this would be fantastic.

-          Can provide configs if need be.


-          L2tp vpn auth works fine

-          Radius / samba / ntlm_auth originally worked well – issue was any users in AD would authenticate rather then the specific group im targeting

-          Tried modifying the Ldap file in /etc/raddb/mods-enabled/ldap and feel like im digging my own grave by this point as error after error appears


Josh McMillan
Systems & Network Administrator
 [cid:image001.png at 01D3016E.7BC03220]
6/11 Evans Street, Burwood, Vic 3125 
Tel: 03 9029 0431 Fax: 03 9888 7176
[cid:image002.png at 01D3016E.7BC03220]<>
This email and any attachments may contain personal information or information that is otherwise confidential or the subject of copyright. OpusV does not warrant that this email or any attachments are free from viruses or defects. If this e-mail is received in error please delete it and notify us by return e-mail.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 5427 bytes
Desc: image001.png
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 2013 bytes
Desc: image002.png
URL: <>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Radiusd-xoutput.txt
URL: <>

More information about the Freeradius-Users mailing list