FreeRADIUS 3.0.x and user authentication against Novell eDirectory without Universal Password

Martin Kozelský martin.kozelsky at
Wed Apr 8 11:51:48 CEST 2020

>> Or any advice?
>   Configure anonymous search.  Configure bind as user.  Run the "ldap" module in the "authenticate" section.
>   Delete all eDirectory magic from the configuration.
>   Alan DeKok

It works!


1. in file sites-enabled/default & inner-tunnel:
a) section authorize {}

        #  The ldap module reads passwords from the LDAP database.
        if ((ok || updated) && User-Password) {
                update {
                        control:Auth-Type := ldap
                }
        }

b) section authenticate {}

        # Uncomment it if you want to use ldap for authentication
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
        #  We do NOT recommend using this.  LDAP servers are databases.
        #  They are NOT authentication servers.  FreeRADIUS is an
        #  authentication server, and knows what to do with authentication.
        #  LDAP servers do not.
        Auth-Type LDAP {
                ldap
        }

2. in file mods-enabled/ldap (this is the default):

        #  Set to yes if you have eDirectory and want to use the universal
        #  password mechanism.
        edir = no

        #  Set to yes if you want to bind as the user after retrieving the
        #  Cleartext-Password. This will consume the login grace, and
        #  verify user authorization.
        edir_autz = no

That is all.

Thank you

Martin Kozelsky
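
The setup above depends on two directory operations: an anonymous search for the user's DN, then a simple bind as that user. The script below is an added example, not part of the original post or of FreeRADIUS; it checks both outside the server with the OpenLDAP client tools, and the server URI, search base and login attribute are placeholder assumptions.

```shell
#!/bin/sh
# Added example: verify that the directory allows what bind-as-user needs.
# LDAP_URI, BASE_DN and USER_ATTR are placeholders; set them for your site.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.org}"
BASE_DN="${BASE_DN:-o=example}"
USER_ATTR="${USER_ATTR:-uid}"

# Anonymous search (-x without -D): print the DN of the one matching entry.
# Returns 2 for a rejected user name, 1 unless exactly one entry matches.
find_dn() {
    fd_user="$1"
    # Accept only characters that need no escaping inside an LDAP filter.
    case "$fd_user" in
        ''|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    # "1.1" requests no attributes, so only the DN line comes back.
    fd_out=$(ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" \
        -b "$BASE_DN" "(${USER_ATTR}=${fd_user})" 1.1) || return 1
    fd_count=$(printf '%s\n' "$fd_out" | grep -c '^dn: ' || true)
    [ "$fd_count" -eq 1 ] || return 1
    printf '%s\n' "$fd_out" | sed -n 's/^dn: //p'
}

# Simple bind as the user. -W prompts for the password, which keeps it
# out of the process list and the shell history.
bind_as_user() {
    ldapwhoami -x -H "$LDAP_URI" -D "$1" -W >/dev/null
}

# Both steps in the order the ldap module performs them.
check_user() {
    cu_dn=$(find_dn "$1") || {
        echo "anonymous search did not return exactly one DN for $1" >&2
        return 1
    }
    bind_as_user "$cu_dn" || {
        echo "bind as $cu_dn failed" >&2
        return 1
    }
    echo "OK: $cu_dn"
}

# Runs only when a user name is given, e.g.: sh check-ldap-bind.sh jdoe
if [ "$#" -ge 1 ]; then check_user "$1"; fi
```

If the search step fails, the directory is refusing anonymous search; if only the bind fails, the password or the account state is the problem. Once both succeed, a PAP request to FreeRADIUS should be accepted.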
