Active Directory authenticated VPN

Michael Ströder michael at stroeder.com
Wed May 5 22:53:43 CEST 2021


On 5/5/21 9:48 PM, Alan DeKok wrote:
> On May 5, 2021, at 3:42 PM, Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>
>> On 5/5/21 4:43 PM, Alan DeKok wrote:
>>>  So far as I know, the OpenLDAP client library doesn't support GSSAPI.
>>
>> Not true.
>>
>> It depends on whether it was built with Kerberos support (using MIT
>> Kerberos or heimdal libs). I guess on most Linux systems libldap has
>> SASL/GSSAPI support.
> 
> The LDAP module already has a "sasl { ... }" section.  But anything
> GSSAPI is either unsupported, or is some magic part of sasl which I
> choose to ignore, because it's too complex. :)

People who are really eager to use Kerberos could probably just set SASL
mech GSSAPI and let libkrb5 do the work.

Configuration can be done outside of FreeRADIUS with some env vars:

https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/kerberos.html#environment-variables

Anyway, it's harder to get this right (meaning secure) than using TLS.

Ciao, Michael.
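For readers who want to see what "set SASL mech GSSAPI and let libkrb5 do the work" looks like in practice, here is an editor-added configuration fragment for raddb/mods-available/ldap. It is not from the thread or from the FreeRADIUS project's shipped defaults; the hostname, realm, base DN and keytab path are placeholders, and it assumes libldap and cyrus-sasl on the RADIUS host were built with GSSAPI support.

```conf
# Editor-added example, not from the mailing-list thread or the
# FreeRADIUS project. Placeholders: dc1.example.corp, EXAMPLE.CORP,
# DC=example,DC=corp.
ldap {
	# Use the domain controller's DNS name, not an IP address: the GSSAPI
	# client asks the KDC for a ticket for ldap/<hostname>@<REALM>, so the
	# name must match the service principal registered for that DC.
	server = 'dc1.example.corp'
	port = 389

	# No identity/password here: the admin bind credential is the Kerberos
	# ticket that libkrb5 obtains from the client keytab (see usage note).

	base_dn = 'DC=example,DC=corp'

	sasl {
		# Hand the bind to cyrus-sasl/libkrb5 instead of a simple bind.
		mech = 'GSSAPI'
		# Kerberos realm of the bind account.
		realm = 'EXAMPLE.CORP'
	}

	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}
```

The part that makes this "harder to get right than TLS" is credential handling for a long-running daemon: radiusd has no interactive kinit, so point MIT libkrb5 at a keytab through the process environment, for example a systemd drop-in with Environment=KRB5_CLIENT_KTNAME=/etc/freeradius/radiusd.keytab (an assumed path). With that variable set, MIT Kerberos acquires the bind account's initial ticket from the keytab on demand and refreshes it when it expires; if your build uses Heimdal, check its documentation for the equivalent, since this variable is MIT-specific. The keytab must hold the key of the account the RADIUS server binds as and be readable only by the radiusd user, because whoever can read it is that account. Test the pieces outside FreeRADIUS first, from the same host and as the same user: KRB5_CLIENT_KTNAME=/etc/freeradius/radiusd.keytab KRB5_TRACE=/dev/stderr ldapwhoami -Y GSSAPI -H ldap://dc1.example.corp should print the bound identity and a trace of the ticket acquisition. Finally, GSSAPI authenticates the bind; whether the rest of the LDAP session is integrity-protected depends on the SASL security layer (ssf) that libldap negotiates, so confirm that from the trace or keep TLS for the transport, bearing in mind that Active Directory does not combine a SASL sign/seal layer with a TLS session, so you configure one or the other.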

