On 10/29/23 11:27 AM, Alan DeKok wrote:
On Oct 29, 2023, at 10:36 AM, Stefan Kania <stefan@kania-online.de> wrote:
I have configured freeradius to use gssapi for authentication while searching the LDAP for users or hosts. Now I can't start the debugmode anymore. Everytime I try I'm getting: ---------- rlm_ldap (ldap): Connecting to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636 rlm_ldap (ldap): Starting SASL mech(s): gssapi SASL/GSSAPI authentication started rlm_ldap (ldap): Bind with (anonymous) to ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636 failed: Local error The "Local error" message is coming from libldap. So there's some libldap issue which is causing the problem.
If you're using kerberos, it's likely some kerberos setup issue.
i.e. kerberos is set up for the "radiusd" user, but not for the UID you're using when running the server in debug mode,
So either run the server as the "radiusd" user in debug mode via su / sudo / etc., or allow that UID to use kerberos and connect to ldap.
The log from the LDAP-server is showing: ---------- Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 ACCEPT from IP=192.168.56.47:34490 (IP=0.0.0.0:636) Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384 Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 op=0 UNBIND Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 closed That's unhelpful.
Running freeradius normal I can search for a user end check authentication with username and password ... So as you can see, authentication via Kerberos for the search and authentication of users is working. When running as the UID which has permission to talk to ldap.
To do the next step, switch to user-authentication via certificate, I want to start the debugmode, but I could not figure out how to get the debugmode running with Kerberos authentication :-( Is there a way to get it running? Changing UIDs should work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have a script that exports an env variable with the keytab specified and then runs raduisd -X. this necessary for radius to pick up the kerberos creds in the keytab and be able to bind to the directory. #!/bin/bash export KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab radiusd -X export KRB5_CLIENT_KTNAME= this requires that the principal in the keytab, radius/host.domain.tld@REALM, be mapped to an identity and be able to query the directory.