FreeRADIUS authentication with LDAP (OpenDJ)

Requirements

  • FreeRADIUS server (version 3.0.21)
  • OpenDJ (version 6.5.3)
  • macOS or Linux environment

Installation

  • freeRadius
    1. Install it through Homebrew:
       # brew install freeradius-server
  • OpenDJ
    1. Download the latest OpenDJ from ForgeRock Backstage and install it by running the setup command.
    2. Make a note of the LDAP port, the Directory Manager password and the base DN; they are needed when configuring the freeRadius ldap module.

Configurations

  • freeRadius files to be modified

clients.conf (/usr/local/etc/raddb/clients.conf)

  • We will be using localhost as the RADIUS client, so ensure the localhost client block with ipaddr = 127.0.0.1 is uncommented, and note its secret: it is the shared secret that radtest and the Python client need in the Testing section.

  • Configuring your default site for LDAP authentication

The following two directories are important for managing sites:

  • 'sites-available' (/usr/local/Cellar/freeradius-server/3.0.21/etc/raddb/sites-available) - list of the different sites supported by freeRadius. We will be using 'default' for our use case.
  • 'sites-enabled' (/usr/local/Cellar/freeradius-server/3.0.21/etc/raddb/sites-enabled) - list of sites enabled on your freeRadius engine.
  • Edit the default site (vi sites-enabled/default). The following sections need to be checked or modified.

Authorize:

In this section, make sure the mschap line is not commented out. MS-CHAP is the protocol used for the authentication requests from the LDAP user accounts.

Authenticate:

Enable LDAP authentication by uncommenting the ldap lines (the Auth-Type LDAP block) as shown in the following figure.

[Figure: Enable LDAP Authentication]

Enabling the LDAP module

The following two directories are important for managing modules:

  • 'mods-available' (/usr/local/Cellar/freeradius-server/3.0.21/etc/raddb/mods-available) - list of available modules supported by freeRadius
  • 'mods-enabled' (/usr/local/Cellar/freeradius-server/3.0.21/etc/raddb/mods-enabled) - list of modules enabled on your freeRadius engine.

You will find ldap in 'mods-available'. Create a softlink to it in the 'mods-enabled' directory (run this from inside mods-enabled):

# ln -s ../mods-available/ldap ldap

Two things need to be modified in the ldap module.

vi ldap

1. Update the ldap file with your LDAP connection details (server, port, bind identity and password, base DN) as in the following screenshot.

[Figure: Enable LDAP Authentication]

2. Update the file to map the NT password attribute as in the following screenshot. We will be enabling the Samba plugin in OpenDJ to maintain the sambaNTPassword attribute.

[Figure: Enable LDAP Authentication]
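As an added illustration of what the two screenshots contain (this is not the post's own configuration), the relevant parts of mods-enabled/ldap and of sites-enabled/default; the server, bind DN, password and base DN are placeholders and must match the values noted during the OpenDJ install:

```text
# mods-enabled/ldap (symlink to mods-available/ldap), relevant settings only
ldap {
        server = 'localhost'
        port = 389                          # LDAP port noted during OpenDJ setup
        identity = 'cn=Directory Manager'   # bind account used to look up users (placeholder)
        password = 'xxxxx'                  # placeholder; prefer a dedicated read-only bind account
        base_dn = 'ou=people,ou=identities' # placeholder base DN

        user {
                base_dn = "${..base_dn}"
                # Match the RADIUS User-Name against the uid attribute
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        update {
                # Copy the Samba hashes into control attributes so that the mschap
                # module can verify an MS-CHAP response. An LDAP bind cannot be used
                # for MS-CHAP because the server never sees the cleartext password.
                control:NT-Password := 'sambaNTPassword'
                control:LM-Password := 'sambaLMPassword'
        }
}

# sites-enabled/default, the lines that must be uncommented
authorize {
        ...
        mschap          # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
        ...
        ldap            # looks the user up and fills control:NT-Password
        ...
}
authenticate {
        Auth-Type MS-CHAP {
                mschap  # verifies the challenge/response against control:NT-Password
        }
        Auth-Type LDAP {
                ldap    # binds as the user; only usable for PAP requests
        }
}
```

With this mapping an MS-CHAP request succeeds only if sambaNTPassword holds the NT hash of the user's current password, which is what the Samba plugin below keeps in sync.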

OpenDJ

Samba, the Windows interoperability suite for Linux and UNIX, stores its own account data because UNIX and Windows password storage are not interoperable.

When you store Samba accounts in OpenDJ, Samba stores its own attributes as defined in the Samba schema. Samba does not use the standard LDAP userPassword attribute to store users' Samba passwords.

1. Create or choose an account for the Samba Administrator:

Create samba.ldif

dn: uid=samba-admin,ou=people,ou=identities
changetype: add
cn: Samba Administrator
givenName: Samba
mail: samba@example.com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
sn: Administrator
uid: samba-admin
userPassword: xxxxx

Load it with ldapmodify (the Directory Manager password is shown as xxxxx):

# opendj/bin/ldapmodify -h localhost --port '389' --trustAll --bindDN "cn=Directory Manager" --bindPassword 'xxxxx' samba.ldif

2. Ensure the Samba Administrator can reset user passwords:

Create samba-rights.ldif

dn: uid=samba-admin,ou=people,ou=identities
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

dn: ou=people,ou=identities
changetype: modify
add: aci
# The bind rule names the samba-admin account created in step 1
aci: (target="ldap:///ou=people,ou=identities")(targetattr="*")(version 3.0; acl "Samba Admin user rights"; allow(all) userdn="ldap:///uid=samba-admin,ou=people,ou=identities";)

This ACI grants the samba-admin account full rights on every attribute under ou=people, so protect its password as carefully as the Directory Manager's.

# opendj/bin/ldapmodify -h localhost --port '389' --trustAll --bindDN "cn=Directory Manager" --bindPassword 'xxxxx' samba-rights.ldif

3. Set up the Samba Password plugin and enable it with dsconfig:

# ./dsconfig create-plugin

4. Install an LDAP browser. I have used Apache LDAP Browser.

Add the 'sambaSamAccount' object class to an existing user that will be used for testing. It will prompt for a sambaSID; add any identifier.

Add the following two attributes to the user:

sambaLMPassword
sambaNTPassword

[Figure: Sample User]

Set the user's password in plaintext as usual; the Samba plugin populates these two attributes with the corresponding hashes.
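As an added example (not from the post, whose dsconfig command did not survive), the dsconfig invocation as documented for OpenDJ's samba-password plugin type, followed by LDIF that does what step 4 does in the LDAP browser; the admin port 4444, the uid=testuser DN and the SID value are assumed, and the LDIF is a constructed sample:

```text
# Step 3: enable the Samba password synchronisation plugin
# (administration connector on port 4444 assumed; Directory Manager password shown as xxxxx)
opendj/bin/dsconfig create-plugin \
  --plugin-name "Samba Password Synchronisation" \
  --type samba-password \
  --set enabled:true \
  --set pwd-sync-policy:sync-nt-password \
  --set pwd-sync-policy:sync-lm-password \
  --set samba-administrator-user:uid=samba-admin,ou=people,ou=identities \
  --hostname localhost --port 4444 \
  --bindDN "cn=Directory Manager" --bindPassword 'xxxxx' \
  --trustAll --no-prompt
# sync-lm-password can be dropped when no client needs LM hashes (they are far weaker than NT hashes).
# Confirm with: opendj/bin/dsconfig list-plugins --hostname localhost --port 4444 --bindDN "cn=Directory Manager" --bindPassword 'xxxxx' --trustAll --no-prompt

# Step 4: samba-user.ldif (constructed; uid=testuser is an assumed existing user)
# sambaSID is mandatory for sambaSamAccount, so it is added in the same modify operation.
dn: uid=testuser,ou=people,ou=identities
changetype: modify
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
sambaSID: S-1-5-21-1000-2000-3000-1001

# Changing the password afterwards triggers the plugin, which writes
# sambaNTPassword and sambaLMPassword. OpenDJ stores userPassword itself
# hashed with its configured password storage scheme, not in cleartext.
dn: uid=testuser,ou=people,ou=identities
changetype: modify
replace: userPassword
userPassword: password

# Load it with the same ldapmodify call as in steps 1 and 2:
# opendj/bin/ldapmodify -h localhost --port '389' --trustAll --bindDN "cn=Directory Manager" --bindPassword 'xxxxx' samba-user.ldif
```

After loading, read the entry back in the LDAP browser: sambaNTPassword should now contain a 32-character hex value rather than the text you typed.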

Testing

Before you start testing, ensure freeRadius is running in debug mode so that you can see the full logs:

# radiusd -X

It should show 'Ready to process requests'. If you see an error, it needs to be resolved first, as we changed quite a few files in the process.

There are two ways of testing it.

1. Command prompt:

Format: radtest -t mschap %user_name% %user_password% localhost 1812 %nas_password%

The last argument is the client secret from clients.conf. Command used for testing:

# radtest -t mschap username password localhost 1812 testingxxxx

2. Through Python

You will need Python with the py-radius module (# sudo easy_install py-radius).

#python -m radius

Host : localhost

Port : 1812

Enter RADIUS Secret: testingxxx

Enter your username: username

Enter your password: password

References

1. https://medium.com/@georgijsr/freeradius-2-1-12-ubuntu-14-04-server-with-ldap-authentication-and-ldap-fail-over-6611624ff2c9

2. https://github.com/OpenIdentityPlatform/OpenDJ/wiki/Samba-Password-Synchronization
