Active Directory authenticated VPN

Pisch Tamás pischta at
Tue May 4 16:32:22 CEST 2021

> > membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
> > Then the freeradius server says:
> > rlm_ldap (ldap): Connecting to ldap://localhost:389
> > TLS: can't connect: (unknown error code).
> > rlm_ldap (ldap): Could not start TLS: Connect error
>   Is the port even open?  Does the LDAP server accept TLS connections?
> Does ldapsearch work?  Does ldapsearch work with TLS?
ldapsearch -D "admin at" -b "dc=ad, dc=ourdomain, dc=hu" -h localhost -s sub "(samaccountname=admin)"
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

kinit admin

ldapsearch -b "dc=ad, dc=ourdomain, dc=hu" -H ldap://localhost -s sub "(samaccountname=admin)" -Y GSSAPI

It works. I read a little about it, but I don't know what I should
configure for it.
I set
KRB5_CLIENT_KTNAME = /tmp/xyz    (can I set it freely?)
I noticed in the debug output of the freeradius server that it uses cached
TLS settings. How can I get rid of them?

>   You can't just give up and go "there's an error, I don't know what else
> to do".  You have to track down the source of the error.

You are right.

>   Find each piece of the problem, and test it individually.  It's the only
> way to track down these kinds of issues.
Surely I don't understand this system very well. You said I have to read
the documentation. Yes, I used to do it.

>   Are you running a version of CentOS or RedHat with broken LDAP libraries?
I use Debian Bullseye, Samba AD installed on it.

>   See for more information.
Bullseye is not on that list, but freeradius-ldap 3.0.21 is installed for
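Taking the advice above to test each piece on its own, here is an added Python probe (not from this thread, FreeRADIUS or Samba) that checks, in order, whether the port is open, whether the server accepts the LDAP StartTLS extended operation, and whether the TLS handshake then completes, so the "Could not start TLS" step can be examined without FreeRADIUS in the loop. The host, port and optional CA file are assumed arguments; the request and response encoding is hand-rolled BER as defined in RFC 4511.

```python
import socket
import ssl
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 section 4.14

def read_len(buf, i):
    """Decode the BER length at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }; lengths < 128, so short-form BER."""
    name = b"\x80" + bytes([len(START_TLS_OID)]) + START_TLS_OID
    ext = b"\x77" + bytes([len(name)]) + name
    body = b"\x02\x01" + bytes([msg_id]) + ext
    return b"\x30" + bytes([len(body)]) + body

def parse_result_code(msg):
    """Return the resultCode of an ExtendedResponse [APPLICATION 24], or None if msg is not one."""
    if len(msg) < 2 or msg[0] != 0x30:
        return None
    _, i = read_len(msg, 1)
    n, i = read_len(msg, i + 1)        # skip the messageID INTEGER
    if msg[i + n] != 0x78:             # not an ExtendedResponse (0x61 would be a BindResponse)
        return None
    _, i = read_len(msg, i + n + 1)
    if msg[i] != 0x0A:                 # resultCode ENUMERATED
        return None
    n, i = read_len(msg, i + 1)
    return int.from_bytes(msg[i:i + n], "big")

def probe_starttls(host, port=389, cafile=None, timeout=5.0):
    """Check in order: TCP port open -> server accepts StartTLS -> TLS handshake completes."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return {"port_open": False, "error": str(e)}
    with sock:
        sock.sendall(starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:                  # e.g. 2 protocolError, 53 unwillingToPerform
            return {"port_open": True, "starttls": False, "result_code": code}
        # Verification matches host against the DC's certificate, so pass its FQDN rather than "localhost".
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"port_open": True, "starttls": True, "handshake_ok": True, "tls_version": tls.version()}
        except ssl.SSLError as e:
            return {"port_open": True, "starttls": True, "handshake_ok": False, "error": str(e)}
```

A result with `starttls` true but `handshake_ok` false points at certificate or hostname verification, which is the same check rlm_ldap performs after the extended operation succeeds.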

More information about the Freeradius-Users mailing list