You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start freeradius, nothing new appears in the log with tls { start_tls = no } sasl { mech = 'GSSAPI' realm = 'ad.ourdomain.hu' }
Maybe that's a dead-end. I currently don't have the time to locally test something like this. And I'm rather reluctant to recommend Kerberos anyway.
It's not a problem - if I can authorize with ldap-tls, it is enough for me. I just wrote two paralell thread: sasl and start_tls. But start_tls is enough for me, if it works. Maybe it is useful if I write down again my goal: I have a Samba based AD. I want to create road warrior vpn, with authentication and authorization from the AD. Alan said that the Samba howto isn't good, because it doesn't explain itself. Ok. But it describes the elements of the whole thing what I want to realize. In the past days I understood that I need RADIUS for the authentication (and it works with winbind_username and winbind_domain parameters set appropriately) and authorization. For authorization I need the ldap module. I accept other working solution too. This is, where I stuck. I don't insist on using sasl at all. I just want to make authorization work. Meanwhile I found SoftEther (with that, the second part of the Samba howto is not needed for me). It seems it can do the vpn part of the task, and it can use RADIUS (it can authenticate from AD directly, but I haven't found a way to restrict access to an AD group, so I still need RADIUS).
In your former message you wrote that you've added LDAP settings to ldap.conf. Don't do that.
I just wanted to test whether I can query LDAP with ldapsearch, I didn't want to link the two together.
Furthermore I'd even recommend to start radiusd with env var LDAPNOINIT=1 to prevent libldap to automagically read ldap.conf.
Ok, thanks.
Here's a example config to be used for my Æ-DIR:
https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.simp...
I tried it, freeradius debug message: SASL/EXTERNAL authentication started Thu May 6 14:57:03 2021 : Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldaps://localhost:636 failed: Unknown authentication method
And then starting radiusd with option -X is your friend during testing.
Yes, I use it always. Thanks, Tamás.