From 23affff37565b3f29b353c7731db5c2f6e655162 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Thu, 21 Sep 2023 07:35:39 -0400
Subject: [PATCH] document notes about Azure AD

---
 raddb/mods-available/ldap | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap
index 997d41efcbdf2..7d3ef66df593a 100644
--- a/raddb/mods-available/ldap
+++ b/raddb/mods-available/ldap
@@ -41,7 +41,7 @@ ldap {
 # That will give you the LDAP information for 'user'.
 #
 # Group membership can be queried by using the above "ldapsearch" string,
-# and adding "memberof" qualifiers. For ActiveDirectory, use:
+# and adding "memberof" qualifiers. For Active Directory, use:
 #
 # ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
 #
@@ -152,10 +152,10 @@ ldap {
 # LDAP "bind as user" configuration to check PAP passwords.
 #
-# Active Directory needs "bind as user", which can be done by
-# adding the following "if" statement to the authorize {} section
-# of the virtual server, after the "ldap" module. For
-# example:
+# Active Directory (or Azure AD) needs "bind as user", which
+# can be done by adding the following "if" statement to the
+# authorize {} section of the virtual server, after the
+# "ldap" module. For example:
 #
 # ...
 # ldap
@@ -174,6 +174,21 @@ ldap {
 # "Auth-Type LDAP" in order to do an LDAP "bind as user", which will hand
 # the user name / password to AD for verification.
 #
+# Note that this ONLY works if FreeRADIUS receives a
+# User-Password attribute in the Access-Request packet.
+# e.g. PAP, or TTLS/PAP.
+#
+# CONNECTING TO ACTIVE DIRECTORY OVER LDAP WILL NOT WORK FOR
+# MS-CHAP OR PEAP/MS-CHAP. ** EVER ***. THERE IS NOTHING YOU CAN
+# DO TO MAKE IT WORK.
+#
+# If you have a local Active Directory server, you can use
+# Samba and ntlm_auth. See the "mschap" and "ntlm_auth"
+# modules for more information.
+#
+# Unfortunately, you cannot use Samba with Azure AD. You
+# MUST use PAP or TTLS/PAP.
+#
 #
 # Name of the attribute that contains the user DN.
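Review bot: The emphasis markers in the added MS-CHAP warning are unbalanced (`** EVER ***`) and the preceding "e.g. PAP, or TTLS/PAP." stands as a sentence fragment; suggest `# MS-CHAP OR PEAP/MS-CHAP. **EVER**. THERE IS NOTHING YOU CAN` and folding the example into the previous sentence as `# User-Password attribute in the Access-Request packet (e.g. PAP, or TTLS/PAP).`. Since the new text steers administrators toward PAP so that "bind as user" can forward the cleartext User-Password to the directory, a one-line reminder that the connection to Active Directory or Azure AD must then be TLS-protected would make the security trade-off explicit next to the recommendation. The same unbalanced-marker style does not occur in the other hunks.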