# That will give you the LDAP information for 'user'.
#
# Group membership can be queried by using the above "ldapsearch" string,
- # and adding "memberof" qualifiers. For ActiveDirectory, use:
+ # and adding "memberof" qualifiers. For Active Directory, use:
#
# ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
#
# LDAP "bind as user" configuration to check PAP passwords.
#
- # Active Directory needs "bind as user", which can be done by
- # adding the following "if" statement to the authorize {} section
- # of the virtual server, after the "ldap" module. For
- # example:
+ # Active Directory (or Azure AD) needs "bind as user", which
+ # can be done by adding the following "if" statement to the
+ # authorize {} section of the virtual server, after the
+ # "ldap" module. For example:
#
# ...
# ldap
# "Auth-Type LDAP" in order to do an LDAP "bind as user", which will hand
# the user name / password to AD for verification.
#
+ # Note that this ONLY works if FreeRADIUS receives a
+ # User-Password attribute in the Access-Request packet.
+ # e.g. PAP, or TTLS/PAP.
+ #
+ # CONNECTING TO ACTIVE DIRECTORY OVER LDAP WILL NOT WORK FOR
+ # MS-CHAP OR PEAP/MS-CHAP. ** EVER ***. THERE IS NOTHING YOU CAN
+ # DO TO MAKE IT WORK.
+ #
+ # If you have a local Active Directory server, you can use
+ # Samba and ntlm_auth. See the "mschap" and "ntlm_auth"
+ # modules for more information.
+ #
+ # Unfortunately, you cannot use Samba with Azure AD. You
+ # MUST use PAP or TTLS/PAP.
+ #
#
# Name of the attribute that contains the user DN.
projects / thirdparty / freeradius-server.git / commitdiff
