AD authorization with LDAP module? Mix with other methods necessary?
Alan DeKok
aland at deployingradius.com
Wed Jan 22 13:40:11 CET 2020

On Jan 22, 2020, at 2:10 AM, uj2.hahn at posteo.de wrote:
> I have a running FreeRADIUS instance on Ubuntu for authorization against Windows AD, based on ntlm_auth.
> But to get more group-dependent post-auth capabilities I thought I could switch to the LDAP module.
  Yes.
> I tested that in a test installation with OpenLDAP (instead of AD) and it worked fine.
> But now I was going to roll out this method to AD and failed to check the good password.
> Of course I'm aware that OpenLDAP and AD handle passwords differently, so the surprise was not too big.
> 
> So my questions are:
> - can I mix ntlm_auth for authorization and LDAP to do some group-dependent post-auth actions?
  Yes.  They're just modules.  That's why they're listed separately in the configuration.  Because they're separate.
> - is that needed at all and there are ways to run LDAP only (in that case I probably did something
>   wrong so far)?
  AD will not export passwords to FreeRADIUS.  So it's largely impossible to just use LDAP.
  Alan DeKok.
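
The split described in the reply above, as an added example in FreeRADIUS 3.x configuration syntax (not part of the original thread and not the project's shipped configuration): ntlm_auth checks the password through the mschap module, and the ldap module is used only for lookups and group checks in post-auth. Assumptions: MS-CHAP is the authentication method, the stock `always reject` module instance is enabled, and the server name, DNs, service account, group names and reply attributes are constructed placeholders.

```unlang
# mods-enabled/mschap: the password check is handed to AD through ntlm_auth
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# mods-enabled/ldap: lookups only; AD returns no password attribute
ldap {
    server = 'ldaps://dc1.example.org'                        # placeholder
    identity = 'cn=svc-radius,ou=Service,dc=example,dc=org'   # placeholder read-only account
    password = 'CHANGE_ME'                                    # placeholder
    base_dn = 'dc=example,dc=org'                             # placeholder
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = cn
        membership_attribute = 'memberOf'
    }
}

# sites-enabled/default (relevant sections of the virtual server only)
authorize {
    preprocess
    mschap      # sets Auth-Type to MS-CHAP when the request carries MS-CHAP attributes
    ldap        # finds the user object so group checks can run later
}
authenticate {
    Auth-Type MS-CHAP {
        mschap  # runs ntlm_auth; LDAP takes no part in the password check
    }
}
post-auth {
    if (LDAP-Group == "net-admins") {       # constructed group name
        update reply {
            Filter-Id := "admin"            # constructed reply value
        }
    }
    elsif (LDAP-Group == "staff") {         # constructed group name
        update reply {
            Filter-Id := "staff"
        }
    }
    else {
        reject  # authenticated but in no listed group: deny by default
    }
}
```

The LDAP bind account needs only read access to user and group objects; it is never used to verify the user's password.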