Authenticate to LDAP with GSSAPI

Brendan Kearney bpk678 at gmail.com
Sun Jun 14 03:27:17 CEST 2015


On 06/13/2015 09:07 PM, William wrote:
> Hi,
>
> I have researched this topic and am unable to find examples or previous
> mailing list queries about this specific issue.
>
> My issue is NOT using GSSAPI/krb5 to authenticate users and LDAP for
> user details.
>
> I have LDAP for authentication and user details with EAP, but I wish
> for the radiusd ldap connections to authenticate to the ldap server
> with GSSAPI (i.e. keytab / service account).
>
> The equivalent command in userspace is:
>
> ldapsearch -Y GSSAPI '(objectClass=*)'
>
> I am unable to find references in the documentation as to how to
> achieve this.
>
> For example my current setup is:
>
> mods-enabled/ldap
>
> ldap {
>          # ... snip ...
>          identity = "krbprincipalname=radius/example.com,cn=services,cn=accounts,dc=example,dc=com"
>          password = foo
>          
> }
>
> I would hopefully aim to have something akin to:
>
> ldap {
>          # ... snip ...
>          identity = "krbprincipalname=radius/example.com,cn=services,cn=accounts,dc=example,dc=com"
>          krb5_keytab = /etc/raddb/krb5.keytab
>          krb5_principal = radius/example.com
> }
>
> Or even a combination of the keytab settings in mods-enabled/krb5 and
> mods-enabled/ldap.
>
> Does anyone have any experience with such a configuration, or know whether
> FreeRADIUS supports the behaviour I would like to achieve?
>
> Sincerely,
>
> William
I vote for this functionality, too.

