error start freeradius -x

Flavio Bono flavio at
Thu Nov 18 21:34:07 CET 2021

thank you for your patience you are very kind to help me,
the server was created today specifically for freeradius, the commands I
launch them from the same server a ubuntu 20.04.

Here are the copies from the console, I replaced the domain with foo and
pluto the password and I did not touch the '

ldap {
        #  Note that this needs to match the name(s) in the LDAP server
        #  certificate, if you're using ldaps.  See OpenLDAP documentation
        #  for the behavioral semantics of specifying more than one host.
        #  Depending on the libldap in use, server may be an LDAP URI.
        #  In the case of OpenLDAP this allows additional the following
        #  additional schemes:
        #  - ldaps:// (LDAP over SSL)
        #  - ldapi:// (LDAP over Unix socket)
        #  - ldapc:// (Connectionless LDAP)
        server = 'srv-dc6.pippo.local'
#       server = 'srv-dc4.pippo.local'
#       server = ''

        #  Port to connect on, defaults to 389, will be ignored for LDAP
#       port = 389

        #  Administrator account for searching and possibly modifying.
        #  If using SASL + KRB5 these should be commented out.
        identity = 'cn=Adminfr,cn=Users,dc=pippo,dc=local'

        password = pluto

        #  Unless overridden in another section, the dn from which all
        #  searches will start from.
        base_dn = 'dc=pippo,dc=local'

ping   srv-dc6.pippo.local
Risposta da byte=32 durata=30ms TTL=62
Risposta da byte=32 durata=30ms TTL=62
Risposta da byte=32 durata=29ms TTL=62

 ldapsearch -H ldap://srv-dc6.pippo.local -x -D
'cn=adminfr,cn=users,dc=pippo,dc=local' -w pluto -b "DC=pippo,DC=local" -a
always "(objectClass=User)" cn

Il giorno gio 18 nov 2021 alle ore 21:06 Alan DeKok <
aland at> ha scritto:

> On Nov 18, 2021, at 2:37 PM, Flavio Bono <flavio at> wrote:
> >
> > Sorry I'm confused,
> > maybe I have not explained well, my intent is to configure the freeradius
> > so that it verifies username and password in the active directories of
> > windows server 2019 through the ldap service.
>   Yes, I understand that.
> > I configured the ldap file and I symlinked the mod_enable directory, I
> > followed some sites and posts to check my error but I always get the same
> > "wrong credentials" result
> >
> > The freeradius at the start keeps saying that the credentials are wrong,
> > but as you can see I have checked them with ldapsearch and they work.
>   Only if you're passing the same things to ldapsearch.
> > I followed what is reported in the ldap file to insert the pameters, but
> I
> > think I should see an example to understand where I am wrong.
>   The "ldapsearch" command you posted doesn't match what's in the
> mods-available/ldap file.
>   It says:
> ldapsearch -D ${identity} -w ${password} -h ${server}  -b
> 'CN=user,${base_dn}'
>   Where you replace ${identity} , etc. with the values you configured in
> the ldap module.
>   You're passing *different* arguments to ldapsearch.  Which means you're
> testing *something different*.  Which means that the tests aren't helpful.
> > Can I find configuration examples to verify my error?
>   The documentation in the server is correct.  The configuration examples
> in the server are correct.
> > I believe that many IT have connected freeradius to the AD of windows
> 2019,
> > and will certainly have changed a few parameters to do so but I cannot
> find
> > a guide that explains it in detail.
>   There's no magic here.  Follow the documentation.  Follow the examples.
> It will work.
>   The only reason it won't work is:
> a) you're passing different things to FreeRADIUS and to ldapsearch
> b) you're running ldapsearch from a different machine than FreeRADIUS, and
> AD doesn't let the FreeRADIUS machine do the queries
>   There really isn't much else.  FreeRADIUS uses the same LDAP libraries
> that ldapsearch uses.  So if ldapsearch works, then FreeRADIUS works.  You
> just have to pass the same things to FreeRADIUS and to ldapsearch.
> > Can you recommend a guide?
>   There's no need for more than what's in the server already.  It works.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list