On 5/6/21 3:04 PM, Pisch Tamás wrote:
https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.simp...
I tried it, freeradius debug message: SASL/EXTERNAL authentication started Thu May 6 14:57:03 2021 : Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldaps://localhost:636 failed: Unknown authentication method
It seems you set SASL mech EXTERNAL. Don't do that if you want to use LDAP simple bind. Without seeing your config I can only guess though. Background: LDAP knows two different method for bind operation: 1. LDAP simple bind, mainly sends the bind-DN and password. As you can see in my ldap.simple-bind example file the line mech = 'EXTERNAL' is commented (disabled) and these lines are used for the simple bind: identity = 'uid=system_radiusd,ou=ae-dir' password = supersecret 2. LDAP SASL bind for which the message format and messages exchanged depend on the SASL mech used. Password-less mechs are e.g. EXTERNAL and GSSAPI. Sending a bind operation with SASL/EXTERNAL instructs the LDAP server to use authc credential information from a lower transport layer. IIRC MS AD and/or Samba4 do not support that. Typically SASL/EXTERNAL is used for authenticating with TLS client certs to the LDAP server as in this example file: https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.sasl... I typically use the EAP-TLS server cert also as LDAP client cert which is directly mapped in Æ-DIR's config to the accompanying aeService entry (which is then authorized to search for users enabled for that service). No way to do things like that in MS AD/Samba4. See small description here: https://www.ae-dir.com/apps.html#wifi
And then starting radiusd with option -X is your friend during testing.
Yes, I use it always.
Good. Ciao, Michael.