Diffstat (limited to '')
-rw-r--r-- | raddb/mods-available/ldap | 27 | ||||
-rw-r--r-- | raddb/mods-available/ldap_google | 2 |
2 files changed, 23 insertions, 6 deletions
diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap
index 997d41e..d5838ff 100644
--- a/raddb/mods-available/ldap
+++ b/raddb/mods-available/ldap
@@ -41,7 +41,7 @@ ldap {
 # That will give you the LDAP information for 'user'.
 #
 # Group membership can be queried by using the above "ldapsearch" string,
- # and adding "memberof" qualifiers. For ActiveDirectory, use:
+ # and adding "memberof" qualifiers. For Active Directory, use:
 #
 # ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
 #
@@ -152,10 +152,10 @@ ldap {
 # LDAP "bind as user" configuration to check PAP passwords.
 #
- # Active Directory needs "bind as user", which can be done by
- # adding the following "if" statement to the authorize {} section
- # of the virtual server, after the "ldap" module. For
- # example:
+ # Active Directory (or Azure AD) needs "bind as user", which
+ # can be done by adding the following "if" statement to the
+ # authorize {} section of the virtual server, after the
+ # "ldap" module. For example:
 #
 # ...
 # ldap
@@ -174,6 +174,23 @@ ldap {
 # "Auth-Type LDAP" in order to do an LDAP "bind as user", which will hand
 # the user name / password to AD for verification.
 #
+ # Note that this ONLY works if FreeRADIUS receives a
+ # User-Password attribute in the Access-Request packet.
+ # e.g. PAP, or TTLS/PAP.
+ #
+ # USING MS-CHAP OR PEAP/MS-CHAP WITH ACTIVE DIRECTORY OVER LDAP WILL NOT WORK.
+ #
+ # ** EVER ***.
+ #
+ # THERE IS NOTHING YOU CAN DO TO MAKE IT WORK.
+ #
+ # If you have a local Active Directory server, you can use
+ # Samba and ntlm_auth. See the "mschap" and "ntlm_auth"
+ # modules for more information.
+ #
+ # Unfortunately, you cannot use Samba with Azure AD. You
+ # MUST use PAP or TTLS/PAP.
+ #
 #
 # Name of the attribute that contains the user DN.
diff --git a/raddb/mods-available/ldap_google b/raddb/mods-available/ldap_google
index 03c98d3..9487c4b 100644
--- a/raddb/mods-available/ldap_google
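Review bot: The new note in the third hunk says when "bind as user" works but not what it costs: the simple bind hands the user's cleartext password to the directory, so the comment should also state that the LDAP connection must be TLS-protected (ldaps:// or StartTLS, via this module's tls section) before this is enabled, and that with plain PAP the password is protected on the RADIUS leg only by the shared-secret obfuscation, which is why TTLS/PAP or RadSec is the better choice. I would add after `# e.g. PAP, or TTLS/PAP.` a line such as `# Because the bind sends the user's password to the directory, only enable this over ldaps:// or StartTLS.`. The line `# ** EVER ***.` has unbalanced asterisks; `# ** EVER **.` reads cleaner. The enclosing ldap { } block starts and ends outside the hunk.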
+++ b/raddb/mods-available/ldap_google
@@ -21,7 +21,7 @@
 # username and password. That username and password should be used
 # below.
 #
-# Ensure the Goolge client configuration which is used for FreeRADIUS
+# Ensure the Google client configuration which is used for FreeRADIUS
 # has sufficient permissions to read user information, and, if group
 # membership is part of the FreeRADIUS policy, ensure that the client
 # can read group information. This configuration is done on Google's
|