Active Directory authenticated VPN

Alan DeKok aland at
Tue May 4 16:51:28 CEST 2021

On May 4, 2021, at 10:32 AM, Pisch Tamás <pischta at> wrote:
> ldapsearch -D "admin at" -b "dc=ad, dc=ourdomain, dc=hu" -h
> localhost -s sub "(samaccountname=admin)"
> ldap_bind: Strong(er) authentication required (8)
>        additional info: BindSimple: Transport encryption required.

  So... fix that.

  Get TLS transport working first with ldapsearch.  Then, use the same configuration for FreeRADIUS.

> kinit admin
> ldapsearch -b "dc=ad, dc=ourdomain, dc=hu" -H ldap://localhost -s sub "(
> samaccountname=admin)" -Y GSSAPI
> It works. I read a little about it, but I don't know what I should
> configure for it.
> I set
> KRB5_CLIENT_KTNAME = /tmp/xyz    (can I set it freely?)
> realm = 'AD.OURDOMAIN.HU'

  That's all ldap magic.  We didn't write OpenLDAP or ldapsearch, so our help here is limited.

> I noticed in the debug output of the freeradius server that it uses cached
> TLS settings. How can I get rid of them?

  The debug output doesn't say that.  You're probably confusing EAP-TLS debug output for LDAP debug output.  They're very different.  Both use TLS, but they're not the same.

  Alan DeKok.
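As an added example, not part of Alan's reply or of the FreeRADIUS project's own files, here is one way to follow the two steps above: first prove an encrypted LDAP transport with ldapsearch, then carry the same server, CA and bind settings into the `tls` section of the rlm_ldap instance in `mods-available/ldap`. The controller hostname `dc1.ad.ourdomain.hu`, the service-account DN, its password and the CA file path are placeholders; the base DN is the one from the thread. One caveat worth knowing when moving from the quoted command: with certificate verification on, the name given to `-H` (and to `server =`) is checked against the controller's certificate, so `localhost` will not verify and the controller's real hostname has to be used.

```conf
# Step 1 (typed in a shell): prove the transport first.
#   -ZZ            fail unless StartTLS on port 389 succeeds
#   LDAPTLS_CACERT CA bundle used to verify the controller's certificate
#   -H             the controller's name as it appears in that certificate
# Placeholders: /etc/ssl/certs/ad-root-ca.pem, dc1.ad.ourdomain.hu, svc-radius.
#
#   LDAPTLS_CACERT=/etc/ssl/certs/ad-root-ca.pem \
#   ldapsearch -ZZ -H ldap://dc1.ad.ourdomain.hu \
#       -D 'CN=svc-radius,OU=Service Accounts,DC=ad,DC=ourdomain,DC=hu' -W \
#       -b 'dc=ad,dc=ourdomain,dc=hu' -s sub '(sAMAccountName=admin)'
#
# Step 2: mirror those settings in the rlm_ldap instance (mods-available/ldap).
# Only the lines that matter for the transport and the bind are shown.

ldap {
    server = 'dc1.ad.ourdomain.hu'        # placeholder; same name the certificate carries
    port = 389

    # Bind credentials for the simple bind FreeRADIUS performs (placeholders).
    identity = 'CN=svc-radius,OU=Service Accounts,DC=ad,DC=ourdomain,DC=hu'
    password = 'CHANGE_ME'

    base_dn = 'dc=ad,dc=ourdomain,dc=hu'

    tls {
        # Equivalent of ldapsearch -ZZ: upgrade the port 389 connection with
        # StartTLS. If AD only offers LDAPS on 636, use
        # server = 'ldaps://dc1.ad.ourdomain.hu' together with start_tls = no.
        start_tls = yes

        # Equivalent of LDAPTLS_CACERT: the CA that signed the controller cert.
        ca_file = /etc/ssl/certs/ad-root-ca.pem   # placeholder path

        # Refuse the connection if the certificate does not verify; without
        # this the ca_file and hostname above are not actually enforced.
        require_cert = 'demand'
    }
}
```

The weak state to compare against is the same module with `start_tls = no` and a plain `ldap://` server on port 389: rlm_ldap then issues the same unencrypted simple bind that ldapsearch did, and the controller answers with the same "Strong(er) authentication required (8)". Once the ldapsearch command in step 1 returns entries, the `tls` block above is the FreeRADIUS counterpart of exactly those flags.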
