Freeradius 3.0.20 ldap integration

Alan DeKok aland at
Mon Dec 6 14:38:58 CET 2021

On Dec 6, 2021, at 5:34 AM, Adrian Schwab <schwab at> wrote:
> so what i'm trying to configure is to set up a freeradius server to authorize and authenticate as user against a ldap server, so users provided in the ldap can access our wifi.

  That works... if everything is set top to work.

> when the authorize with ldap is done (6) the auth-type isn't set properly, it should set it to ldap there doesn't it?


> When I tried to manually set auth-type to ldap to test the behaviour, debug ouptuts that User-Password is required,

  Yes.  Because LDAP is a database.  FreeRADIUS is an authentication server.  FreeRADIUS *should* read the passwords from the database, and then do the authentication.

  In some cases, if there's a User-Password available, FreeRADIUS can do LDAP "bind as user" to check the password.  But that's only possible if there's a User-Password attribute in the packet.

> the ldap user isn't able to read the ldap passwords duo to security reasons,

  As in "it's so secure that users can't get onto WiFi".

> that's why I want to bind as the user which shouldn't have a problem with that does it?

  FreeRADIUS can "bind as user" only if there's a User-Password available.

> Am I doing something wrong with the ldap module or anything else or do I have to have permission to read user passwords in ldap to get what I want?

  Your choices are:

1) have FreeRADIUS read the passwords from LDAP
    1a) passwords in clear text?  All authentication methods will work
    1b) passwords NOT in clear text?  Only TTLS + PAP will work.

2) force FreeRADIUS to do LDAP "bind as user", in which case only TTLS + PAP will work.

  Alan DeKok.

More information about the Freeradius-Users mailing list