membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})' Then the freeradius server says: rlm_ldap (ldap): Connecting to ldap://localhost:389 TLS: can't connect: (unknown error code). rlm_ldap (ldap): Could not start TLS: Connect error
Is the port even open? Does the LDAP server accept TLS connections? Does ldapsearch work? Does ldapsearch work with TLS?
ldapsearch -D "admin@ad.ourdomain.hu" -b "dc=ad, dc=ourdomain, dc=hu" -h localhost -s sub "(samaccountname=admin)" ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required. kinit admin ldapsearch -b "dc=ad, dc=ourdomain, dc=hu" -H ldap://localhost -s sub "( samaccountname=admin)" -Y GSSAPI It works. I read a little about it, but I don't know, what I should configure for it. I set KRB5_CLIENT_KTNAME = /tmp/xyz (can I set it freely?) realm = 'AD.OURDOMAIN.HU' I noticed in the debug output of the freeradius server that it uses cached TLS settings. How can I get rid of them?
You can't just give up and go "there's an error, I don't know what else to do". You have to track down the source of the error.
You are right.
Find each piece of the problem, and test it individually. It's the only way to track down these kind of issues.
Surely, I don't understand very well this system. You said I have to read the documentation. Yes, I used to do it.
Are you running a version of CentOS or RedHat with broken LDAP libraries?
I use Debian Bullseye, Samba AD installed on it.
See http://packages.networkradius.com for more information.
Bullseye is not on that list, but freeradius-ldap 3.0.21 is installed for me.
Thanks, Tamas.