Tobias Hachmer wrote:
> The Test MS AD Server has domain functional level "2008 R2" and quite
> default settings.

Active Directory is not really an LDAP server. The reasons are complicated. It's almost an LDAP server, but it's different in critical ways.

> In radiusd -X output the ldap module performs first the ldap bind with
> the identity which is configured in ldap module configuration. After
> that the ldap bind with user credentials provided in access-request packet:
...

> Is the first ldap bind really necessary or can I configure in ldap
> module something like "bind as user" to avoid the requirement to have a
> service user account in AD?

The first search is necessary to determine the User-DN to use for the second search. You can't get rid of the read-only admin account.

If you set the LDAP-UserDN manually, you'll get rid of the first bind. But the server needs the admin account for LDAP to work.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
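An added configuration example (not from this thread or from the FreeRADIUS project) of what setting LDAP-UserDN manually looks like in FreeRADIUS 3.x: the control attribute is set in authorize so rlm_ldap skips the user search and binds straight away as the user. Server name, base DN, domain and service account are placeholders.

```text
# mods-enabled/ldap (FreeRADIUS 3.x) -- all values are placeholders
ldap {
    server   = 'dc1.example.com'
    # Pool connections are still opened with this account; this is
    # the read-only service account that cannot be dropped.
    identity = 'CN=svc-radius,CN=Users,DC=example,DC=com'
    password = 'PLACEHOLDER'
    base_dn  = 'DC=example,DC=com'
    user {
        base_dn = "${..base_dn}"
        # Only used when LDAP-UserDN is NOT present in the control list.
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# sites-enabled/default -- relevant parts only
authorize {
    # Refuse names that could change the bind name built below
    # (no commas, equals signs, wildcards, '@', etc.).
    if (&User-Name !~ /^[a-zA-Z0-9._-]+$/) {
        reject
    }
    # Build the bind name directly instead of searching for it.
    # AD accepts the UPN form user@domain as a bind name, which avoids
    # needing the CN (in AD the CN is usually the display name,
    # not the login name). Domain suffix is assumed.
    update control {
        &LDAP-UserDN := "%{User-Name}@example.com"
        &Auth-Type   := LDAP
    }
}

authenticate {
    Auth-Type LDAP {
        # With control:LDAP-UserDN set, rlm_ldap skips the search
        # and binds as that name using User-Password.
        ldap
    }
}
```

This only works when the Access-Request carries a cleartext User-Password (PAP); MS-CHAP against AD needs a different mechanism.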