Authenticate to LDAP with GSSAPI
William
william at firstyear.id.au
Sun Jun 14 03:07:20 CEST 2015
Hi,
I have researched this topic and am unable to find examples or previous
mailing list queries about this specific issue.
My issue is NOT using GSSAPI/krb5 to authenticate users and LDAP for
user details.
I have LDAP for authentication and user details with EAP, but I wish
for the radiusd ldap connections to authenticate to the ldap server
with GSSAPI (i.e. keytab / service account).
The equivalent command in userspace is:
ldapsearch -Y GSSAPI '(objectClass=*)'
I am unable to find references in the documentation as to how to
achieve this.
For example my current setup is:
mods-enabled/ldap
ldap {
    # ... snip ...
    identity = "krbprincipalname=radius/example.com,cn=services,cn=accounts,dc=example,dc=com"
    password = foo
}
I would hopefully aim to have something akin to:
ldap {
    # ... snip ...
    identity = "krbprincipalname=radius/example.com,cn=services,cn=accounts,dc=example,dc=com"
    krb5_keytab = /etc/raddb/krb5.keytab
    krb5_principal = radius/example.com
}
Or even a combination of the keytab settings in mods-enabled/krb5 and
mods-enabled/ldap.
Does anyone have any experience with such a configuration, or know whether
freeradius supports the behaviour I would like to achieve?
Sincerely,
William