Diffstat (limited to 'raddb/mods-available/ldap')
-rw-r--r--raddb/mods-available/ldap27
1 files changed, 22 insertions, 5 deletions
diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap
index 997d41e..d5838ff 100644
--- a/raddb/mods-available/ldap
+++ b/raddb/mods-available/ldap
@@ -41,7 +41,7 @@ ldap {
# That will give you the LDAP information for 'user'.
#
# Group membership can be queried by using the above "ldapsearch" string,
- # and adding "memberof" qualifiers. For ActiveDirectory, use:
+ # and adding "memberof" qualifiers. For Active Directory, use:
#
# ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
#
@@ -152,10 +152,10 @@ ldap {
# LDAP "bind as user" configuration to check PAP passwords.
#
- # Active Directory needs "bind as user", which can be done by
- # adding the following "if" statement to the authorize {} section
- # of the virtual server, after the "ldap" module. For
- # example:
+ # Active Directory (or Azure AD) needs "bind as user", which
+ # can be done by adding the following "if" statement to the
+ # authorize {} section of the virtual server, after the
+ # "ldap" module. For example:
#
# ...
# ldap
@@ -174,6 +174,23 @@ ldap {
# "Auth-Type LDAP" in order to do an LDAP "bind as user", which will hand
# the user name / password to AD for verification.
#
+ # Note that this ONLY works if FreeRADIUS receives a
+ # User-Password attribute in the Access-Request packet.
+ # e.g. PAP, or TTLS/PAP.
+ #
+ # USING MS-CHAP OR PEAP/MS-CHAP WITH ACTIVE DIRECTORY OVER LDAP WILL NOT WORK.
+ #
+ # ** EVER ***.
+ #
+ # THERE IS NOTHING YOU CAN DO TO MAKE IT WORK.
+ #
+ # If you have a local Active Directory server, you can use
+ # Samba and ntlm_auth. See the "mschap" and "ntlm_auth"
+ # modules for more information.
+ #
+ # Unfortunately, you cannot use Samba with Azure AD. You
+ # MUST use PAP or TTLS/PAP.
+ #
#
# Name of the attribute that contains the user DN.
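Review bot: The new text ("Note that this ONLY works if FreeRADIUS receives a User-Password attribute ... You MUST use PAP or TTLS/PAP") steers operators to a simple LDAP bind with the user's password, but never says that such a bind hands the cleartext password to the directory server, so the LDAP connection itself has to be protected; I would add next to it `# "Bind as user" sends the user's cleartext password to the LDAP server. Use ldaps:// (or start_tls) for this connection so it is not exposed on the wire.` Plain PAP outside a TTLS tunnel also means the password reaches FreeRADIUS protected only by the RADIUS User-Password obfuscation, so the note should prefer TTLS/PAP rather than listing the two as equivalent. If "Active Directory (or Azure AD)" is meant to cover Azure AD Domain Services (the offering that actually exposes LDAP), naming it would avoid confusion with the cloud directory; I cannot verify the Samba/Azure AD claim from this file, so it would be worth a reference. The hunk's trailing context may continue past the last visible line.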