Active Directory authenticated VPN
aland at deployingradius.com
Tue May 4 16:51:28 CEST 2021
On May 4, 2021, at 10:32 AM, Pisch Tamás <pischta at gmail.com> wrote:
> ldapsearch -D "admin at ad.ourdomain.hu" -b "dc=ad, dc=ourdomain, dc=hu" -h
> localhost -s sub "(samaccountname=admin)"
> ldap_bind: Strong(er) authentication required (8)
> additional info: BindSimple: Transport encryption required.
So... fix that.
Get TLS transport working first with ldapsearch. Then, use the same configuration for FreeRADIUS.
> kinit admin
> ldapsearch -b "dc=ad, dc=ourdomain, dc=hu" -H ldap://localhost -s sub "(
> samaccountname=admin)" -Y GSSAPI
> It works. I read a little about it, but I don't know, what I should
> configure for it.
> I set
> KRB5_CLIENT_KTNAME = /tmp/xyz (can I set it freely?)
> realm = 'AD.OURDOMAIN.HU'
That's all ldap magic. We didn't write OpenLDAP or ldapsearch, so our help here is limited.
> I noticed in the debug output of the freeradius server that it uses cached
> TLS settings. How can I get rid of them?
The debug output doesn't say that. You're probably confusing EAP-TLS debug output for LDAP debug output. They're very different. Both use TLS, but they're not the same.
More information about the Freeradius-Users