Problems to authenticate against an Azure AD -Ldap

Alan DeKok aland at
Thu Sep 21 11:31:29 UTC 2023

On Sep 21, 2023, at 7:13 AM, Uwe Faber <uf at> wrote:
> Hi folks, i hopw you can help after reading thousends articles and making  hundred of  trials with the freeradius with no succes.
> Here ist the situation, we have an Azure AD and  for this an ldap server front-end. So i could connect to the AD over the ldap.
> for testing reason i implementet an Local openldap server and testet ist with the eapol test and it works without problems, but if i change the ldap connection to the azure/ldap i got the following error:

  So... "I did a bunch of stuff and it didn't work.  How do I fix it?"

  Answer: do different stuff.

> 5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)

  I still don't understand why people work *very* hard to ignore all of the debug output and the documentation which says POST ALL OF THE DEBUG OUTPUT.

  If you're doing PEAP/MS-CHAP to Azure AD, it won't work.  Stop trying.

  Use EAP-TTLS with PAP, and then use LDAP "bind as user" (Auth-Type LDAP) in order to hand the password to AD.

  Alan DeKok.

More information about the Freeradius-Users mailing list