AD authorization with LDAP module? Mix with other methods necessary?

uj2.hahn at uj2.hahn at
Wed Jan 22 20:06:34 CET 2020

Thanks, Alan and Jason!
And sorry to ask these questions for 451st time.... ;-)


On 22.01.2020 13:40, Alan DeKok wrote:
> On Jan 22, 2020, at 2:10 AM, uj2.hahn at wrote:
>> I have a running freeradius instance on Ubuntu for authorization against Windows AD, based on ntlm_auth.
>> But to get more group depended post-auth capabilities I thought I can switch to LDAP module.
>    Yes.
>> I tested that in a test installation with OpenLDAP (instead of AD) and it worked fine.
>> But now I was going to rollout this method to AD and failed to check the good password.
>> Of course I'm aware that OpenLDAP and AD handles passwords differently so the surprise was not too big.
>> So my questions are:
>> - can I mix ntlm_auth for authorization and LDAP to do some group depended post-auth actions?
>    Yes.  They're just modules.  That's why they're listed separately in the configuration.  Because they're separate.
>> - is that needed at all and there are ways to run LDAP only (in that case I probably did something
>>    wrong so far)?
>    AD will not export passwords to FreeRADIUS.  So it's largely impossible to just use LDAP.
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list