Freeradius, Kerberos and Openldap GSSAPI-SASL service principal issue

Dario García Díaz-Miguel dgdiaz at
Fri Sep 18 11:53:43 CEST 2020

Hi there,

I'm writing to this mailing list looking for some help in order to configure Freeradius on a Kerberos and OpenLDAP GSSAPI-SASL infrastructure.
We have everything working flawlessly. Freeradius service and server is working fine with krb5 and ldap modules enabled. The problem is when we need to start the freeradius service.
The service only starts if you manually issue a ticket for the service kerberos principal or the host principal.
This is such a strange behavior I can't understand.

Krb5 module:
krb5 {
                keytab = /etc/radius.keytab
                service_principal = radius/
                pool {
                               start = ${thread[pool].start_servers}
                               min = ${thread[pool].min_spare_servers}
                               max = ${thread[pool].max_servers}
                               spare = ${thread[pool].max_spare_servers}
                               uses = 0
                               lifetime = 0
                               idle_timeout = 0

The keytab /etc/radius.keytab contains the keys for the service principal radius/
The service should be able to access to the keytab to asks automatically for a ticket for radius/ But it doesn't. Instead, the service fails until we issue for a new ticket:

kinit -k -t /etc/radius.keytab radius/

The ownership of this keytab is radiusd:radiusd and it has  reading permissions 440. But I've also tried with 777 with no luck

The reason because it does not understand is that ldap has anon bind disallowed and the freeradius service tries an anonymous bind.
I know that according to the rules I should have posted the full output debug log but I'm afraid that since it's a totally isolated environment, I can't extract the whole log.
Error: rlm_ldap (ldap): Bind with (anonymous) to ldap:// failed: Local error
Error: rlm_ldap (ldap): Opening connection failed (0)
Error: rlm_ldap (ldap): Error: /etc/raddb/mods-enabled/ldap [8]: Instantiation failed for module "ldap"

This is how the ldap module SASL section looks:

sasl {
                mech = 'GSSAPI'
                realm ='EX.AMPLE.COM'

The most weird behavior is that If we issue a host ticket (kinit -k) it starts and bind correctly using the host/ service principal. No matter that the service principal configured on krb5 module is radius/

Any ideas about how to proceed and the reasons why this happens?

We are running the 3.0.15-2.11.2 freeradius version on SuSE12 SP3.

Thank you so much.
Kind Regards.

Dario Garcia
GGCS SKMF Infrastructure Division
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
+34 918 07 21 00
+34 918 07 21 99

P Please consider the environment before printing this e-mail.

More information about the Freeradius-Users mailing list