On May 4, 2021, at 10:32 AM, Pisch Tamás <pischta@gmail.com> wrote:
ldapsearch -D "admin@ad.ourdomain.hu" -b "dc=ad, dc=ourdomain, dc=hu" -h localhost -s sub "(samaccountname=admin)" ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required.
So... fix that. Get TLS transport working first with ldapsearch. Then, use the same configuration for FreeRADIUS.
kinit admin
ldapsearch -b "dc=ad, dc=ourdomain, dc=hu" -H ldap://localhost -s sub "( samaccountname=admin)" -Y GSSAPI It works. I read a little about it, but I don't know, what I should configure for it. I set KRB5_CLIENT_KTNAME = /tmp/xyz (can I set it freely?) realm = 'AD.OURDOMAIN.HU'
That's all ldap magic. We didn't write OpenLDAP or ldapsearch, so our help here is limited.
I noticed in the debug output of the freeradius server that it uses cached TLS settings. How can I get rid of them?
The debug output doesn't say that. You're probably confusing EAP-TLS debug output for LDAP debug output. They're very different. Both use TLS, but they're not the same. Alan DeKok.