Active Directory authenticated VPN
Pisch Tamás
pischta at gmail.com
Tue May 4 16:32:22 CEST 2021
>
> > membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
> > Then the freeradius server says:
> > rlm_ldap (ldap): Connecting to ldap://localhost:389
> > TLS: can't connect: (unknown error code).
> > rlm_ldap (ldap): Could not start TLS: Connect error
>
> Is the port even open? Does the LDAP server accept TLS connections?
> Does ldapsearch work? Does ldapsearch work with TLS?
>
ldapsearch -D "admin at ad.ourdomain.hu" -b "dc=ad, dc=ourdomain, dc=hu" -h localhost -s sub "(samaccountname=admin)"
ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.
kinit admin
ldapsearch -b "dc=ad, dc=ourdomain, dc=hu" -H ldap://localhost -s sub "(samaccountname=admin)" -Y GSSAPI
It works. I read a little about it, but I don't know what I should
configure for it.
I set
KRB5_CLIENT_KTNAME = /tmp/xyz (can I set it freely?)
realm = 'AD.OURDOMAIN.HU'
I noticed in the debug output of the freeradius server that it uses cached
TLS settings. How can I get rid of them?
> You can't just give up and go "there's an error, I don't know what else
> to do". You have to track down the source of the error.
You are right.
> Find each piece of the problem, and test it individually. It's the only
> way to track down these kinds of issues.
>
Surely I don't understand this system very well. You said I have to read
the documentation. Yes, I used to do it.
>
> Are you running a version of CentOS or RedHat with broken LDAP libraries?
>
I use Debian Bullseye, Samba AD installed on it.
>
> See http://packages.networkradius.com for more information.
>
Bullseye is not on that list, but freeradius-ldap 3.0.21 is installed for
me.
>
Thanks,
Tamas.
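For readers following this thread: the two ldapsearch results above show the actual constraint. Samba AD refuses a simple bind over plain LDAP ("Transport encryption required"), while a GSSAPI bind over the same port succeeds because Kerberos supplies its own integrity and confidentiality layer. The rlm_ldap module therefore has to do one of the same two things. The following mods-available/ldap fragment is an added example written for this thread, not configuration from the original post or from the FreeRADIUS project; the hostname, CA path, keytab path and service principal are assumptions.

```conf
ldap {
	# Option A: StartTLS on port 389 with CA verification, simple bind.
	# Samba AD will only accept the simple bind once the session is encrypted,
	# and require_cert = 'demand' makes FreeRADIUS reject a server whose
	# certificate does not validate against ca_file (no silent fallback).
	server = 'dc1.ad.ourdomain.hu'        # assumed hostname, must match the cert SAN
	port = 389
	identity = 'CN=radius-bind,CN=Users,DC=ad,DC=ourdomain,DC=hu'   # assumed bind account
	password = '<bind-password-placeholder>'
	base_dn = 'DC=ad,DC=ourdomain,DC=hu'

	tls {
		start_tls = yes
		ca_file = /etc/freeradius/3.0/certs/ad-ca.pem      # assumed path to the AD CA cert
		require_cert = 'demand'
	}

	# Option B: GSSAPI (Kerberos) bind, mirroring the working
	# "ldapsearch -Y GSSAPI" test. With this block, identity/password
	# above are not used, and tls { } can be left out. The keytab is
	# read through the environment: set KRB5_CLIENT_KTNAME to a keytab
	# readable only by the freerad user and containing a principal such
	# as radius/dc1.ad.ourdomain.hu@AD.OURDOMAIN.HU (assumed name),
	# for example in /etc/default/freeradius.
	# sasl {
	#	mech = 'GSSAPI'
	#	realm = 'AD.OURDOMAIN.HU'
	# }

	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=group)'
		membership_attribute = 'memberOf'
	}
}
```

Pick one option, not both. Whichever you choose, test it in isolation first: for Option A, `ldapsearch -ZZ -H ldap://dc1.ad.ourdomain.hu -D '<bind DN>' -W -b 'DC=ad,DC=ourdomain,DC=hu' '(sAMAccountName=admin)'` with `TLS_CACERT` pointing at the same CA file should succeed before FreeRADIUS is touched; for Option B, `kinit -k -t <keytab> <principal>` followed by the `-Y GSSAPI` search from above should succeed as the freerad user. Note that `/tmp` is a poor place for a keytab: it is world-readable by default and survives as long as the system runs, so use a root-owned directory with the file readable only by the service account.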