AD group Auth

Matthew Newton mcn at
Thu Aug 15 17:06:27 CEST 2019

On Thu, 2019-08-15 at 14:13 +0200, Alex Jordaan wrote:
> I configured the winbind and joined it to the AD domain
> I configured Freeradius to use mschap with ntlm_auth to authenticate
> the users from AD
> This worked fine.
> I am now trying to configure the system to only allow authentication
> if a user belongs to a specific group on AD

You might be able to use the rlm_unix module to compare the group, when
you're using winbind, but I wouldn't.

You've already been advised to use the ldap module. Your debug output
hasn't got either the unix or ldap modules in it.

Configure rlm_ldap, and use that. It's the best solution for AD groups.

Then you'll need to use "LDAP-Group" to compare instead of "Group".

LDAP instructions are all on the wiki.
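
A sketch of the setup recommended above, added here as an example and not taken from the message or from the FreeRADIUS wiki. It assumes FreeRADIUS 3.x; the server name, bind account, DNs and the group `wifi-users` are constructed placeholders.

```unlang
# mods-enabled/ldap (excerpt): lets rlm_ldap resolve AD users and groups.
# Every hostname, DN and password here is a constructed placeholder.
ldap {
	server   = 'dc1.example.org'
	identity = 'cn=radius-bind,ou=Service Accounts,dc=example,dc=org'
	password = 'CHANGE_ME'
	base_dn  = 'dc=example,dc=org'

	user {
		base_dn = "${..base_dn}"
		# AD stores the logon name in sAMAccountName.
		filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "${..base_dn}"
		filter  = '(objectClass=group)'
		name_attribute = cn
		# AD lists a user's groups in memberOf on the user object.
		membership_attribute = 'memberOf'
	}
}

# sites-enabled/default (excerpt): only the lines relevant to the group check.
authorize {
	# Look the user up in AD so the group comparison has a user DN.
	ldap

	# "LDAP-Group", not "Group": the comparison is done by rlm_ldap.
	# Anyone outside the group is rejected before mschap/ntlm_auth runs.
	if (!(LDAP-Group == "cn=wifi-users,ou=Groups,dc=example,dc=org")) {
		reject
	}

	mschap
}
```

With this in place, the debug output (`radiusd -X`) should show the ldap module running and the LDAP-Group comparison being evaluated for each request.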

