Google Secure LDAP

Arran Cudbard-Bell a.cudbardb at
Wed Jun 12 01:50:32 CEST 2019

> On Jun 12, 2019, at 2:07 AM, eko at wrote:
> I'm attempting to use Google Secure LDAP solution for authentication and authorization. I'm not able to use this with a supplicant such as a laptop/phone, radtest is working fine which leads me to believe it's an issue of the password being hashed by mschap.
> I understand from reading previous threads that I need to use EAP-TTLS-PAP or PEAP-GTC. How can I get freeradius to work with Google Secure LDAP? When freeradius does do an ldap bind which user attribute is it looking for? I think userPassword but in this case I don't think it exists.

Generally if the password attribute isn't available you attempt a bind against the LDAP server instead and use the result of that to determine if you should accept or reject the user.

As the contents of the TTLS tunnel is provided when calling the inner tunnel virtual server you need to do the check there.

Add the following at the top of the authorize section

if (User-Password) {
	update control {
		Auth-Type := LDAP

In the authentication section add:


You should now see that when you use EAP-TTLS-PAP or PEAP-GTC that the LDAP module attempts a bind against the LDAP server with the user's credentials.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <>

More information about the Freeradius-Users mailing list