On Sep 21, 2023, at 10:59 AM, Uwe Faber <uf@zkm.de> wrote:
here the debug output ... (5) eap_ttls: User-Name = "testuser@karlshochschule.de" (5) eap_ttls: User-Password = "password"
So EAP-TTLS with PAP. That's good.
(5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
yeah... Read https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-avail... There's documentation for this.
ldap_msgfree rlm_ldap (ldap_khs): Released connection (5) Need 4 more connections to reach min connections (5) rlm_ldap (ldap_khs): Opening additional connection (6), 1 of 9 pending slots used rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636 ldap_create ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636) TLS: warning: cacertdir not implemented for gnutls
And using gnutls (in libldap) with OpenSSL (for EAP-TTLS) is likely to cause issues. We've put more checks and warnings into v3 which complain about this issue. But they exist only in the debug output, which usually means that they're hard to find. Alan DeKok.