I mean: I set KRB5_CLIENT_KTNAME and realm in the ldap module. Other changes in the ldap module:
Just configure it as documented.
RTFM answers huts me. I try the best. If I set something wrong, please tell me. If I miss some settings, please tell me. That helps me. I *do* read the documentation.
identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
password=…
base_dn = 'dc=ad,dc=ourdomain,dc=hu' realm { mech = 'GSSAPI' KRB5_CLIENT_KTNAME = /tmp/freeradius_ktab realm = 'ad.ourdomain.hu' } What is that? You can't just invent configuration sections and expect the server to magically understand what you want. There is nothing in the documentation which says that this "realm" subsection exists.
Sorry, it was wrong, it is sasl, and I used it correctly in the configuration file, I just wrote wrongly here. I don't insist on using sasl, TLS would be good. Some days ago ldapsearch didn't work with start_tls, but worked with GSSAPI, this is why I tried that direction. People who are really eager to use Kerberos could probably just set SASL
mech GSSAPI and let libkrb5 do the work. Configuration can be done outside of FreeRADIUS with some env vars:
https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/kerberos.html#e...
I've already read it. I know that I should set environmental variables. I tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius debug output. I wrote the following into ldap.conf: TLS_CACERT /etc/ssl/certs/ca-certificates.crt BASE DC=AD,DC=OURDOMAIN,DC=HU TLS_REQCERT allow And ldapsearch works now: ldapsearch -h 127.0.0.1 -D "cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu" -W -b "dc=ad,dc=ourdomain,dc=hu" -s sub -x -ZZ -LLL "(cn=Administrator)" So, in ldap.conf I commented the sasl parameters, and enabled start_tls.I still need in the ldap module: identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' freeradius starts, but when I try radtest -x -t mschap vpn@ad.ourdomain.hu "..." localhost 0 pwd in the freeradius debug output I see: Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldap://localhost:389 failed: Strong(er) authentication required Error: rlm_ldap (ldap): Server said: BindSimple: Transport encryption required.. Thanks, Tamas.