Migrating FR 3.0.19 from using WINBIND to LDAP for AD auth

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Mon Aug 19 09:47:21 CEST 2019

Hi Jason

Am 19.08.2019 um 08:29 schrieb WAGHORN, Jason (NHS BORDERS) via

>> How does changing the auth method alter who can get on?
Configure the LDAP module and insert group checks in the post-auth
section as mentioned in the wiki:

> If I use NTLM_AUTH/WINBIND - it's harder to restrict access to a particular AD Group ("valid user, valid credentials = accept" versus LDAP: "valid user, valid credentials, correct group entry = accept") - no?
AFAIR using ntlm_auth all you can do is provide a single the option
"--require-membership-of" to the execution of "ntlm_auth =
/usr/bin/ntlm_auth ..." in mods-available/mschap.

However: If you need to permit more than one group or specific user
attributes, overall using LDAP is just easier to do a post-auth check.

This way you also clearly separate authentication from authorization
which also helps during issues when you read debug logs since it will
easily tell you if authentication OR authorization has caused a

> Since I've read here over the past week or so everyone simply says "use LDAP" when the question of AD group restriction is posed - I got the impression that moving to LDAP would be the way to go...
Yes, for authorization it is "use LDAP". You are tied to
ntlm_auth/libwbinfo in terms of authentication due to the clear-text
passwords being unavailable through Active Directory.[1]

-- Mathieu

[1] http://deployingradius.com/documents/configuration/active_directory.html

More information about the Freeradius-Users mailing list