Migrating FR 3.0.19 from using WINBIND to LDAP for AD auth

Matthew Newton mcn at freeradius.org
Fri Aug 16 16:42:34 CEST 2019

On Fri, 2019-08-16 at 14:22 +0000, WAGHORN, Jason (NHS BORDERS) via
Freeradius-Users wrote:
> I'm planning to migrate the AD authentication method we use from
> WINBIND/NTLM_AUTH to LDAP to be able to control who has access to use
> devices.

Are you confusing authentication and authorisation?

How does changing the auth method alter who can get on?

> I'm sensing that the way to do this is to disable the ntlm_auth
> module, configure the ldap module, enable the ldap module and then
> modify the site config to use ldap instead of ntlm_auth?

Using LDAP (with AD) for auth will restrict you to using PAP methods
only. So basically TTLS/PAP.

> Has anyone else done it and have a set of steps to follow that they
> are willing to share? Just trying to avoid reinventing the wheel.

Sounds like you just need to keep ntlm/winbind auth and add an LDAP
lookup to check that the user authenticating is actually allowed on or
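An added configuration sketch for FreeRADIUS 3.0 of the split described above: it is not from the original thread, the mschap module keeps doing the password check through ntlm_auth, and the ldap module is used only to decide whether the authenticated user is allowed on. The server, bind account, base DN and group name are placeholders.

```unlang
# mods-available/mschap: password check stays with ntlm_auth / winbind
# (ntlm_auth line as shipped in the stock 3.0 example; adjust the path)
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# mods-available/ldap: AD lookup used for authorisation only
ldap {
    server = "dc1.example.com"                           # placeholder
    identity = "CN=radius,OU=Service,DC=example,DC=com"  # placeholder bind account
    password = "CHANGEME"                                # placeholder
    base_dn = "DC=example,DC=com"                        # placeholder
    user {
        base_dn = "${..base_dn}"
        # AD keys users by sAMAccountName, not uid; use the realm-stripped name
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=group)"
        membership_attribute = "memberOf"   # AD stores membership on the user object
    }
}

# sites-enabled/inner-tunnel, authorize section. PEAP/EAP-MSCHAPv2 and
# TTLS inner methods land here, so the access decision belongs here,
# not in the outer default server. Other stock entries stay as they are.
authorize {
    filter_username
    mschap
    suffix            # sets Stripped-User-Name before the ldap lookup runs
    ldap
    # Gate on group membership: LDAP-Group is the check attribute the ldap
    # module registers; the group DN below is a placeholder.
    if (!(LDAP-Group == "CN=WiFi-Users,OU=Groups,DC=example,DC=com")) {
        update reply {
            Reply-Message := "Not authorised for network access"
        }
        reject
    }
    eap
    pap
}
```

Authentication still goes through `Auth-Type MS-CHAP { mschap }` (or `PAP` for TTLS/PAP clients) exactly as before; only the authorize section gains the group check, so devices keep their current EAP method.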


