Active Directory authenticated VPN
Pisch Tamás
pischta at gmail.com
Wed May 5 16:24:52 CEST 2021
> So... fix that.
> Get TLS transport working first with ldapsearch. Then, use the same
> configuration for FreeRADIUS.
>
Another way is when I use GSSAPI, not TLS.
>
> > kinit admin
> >
> > ldapsearch -b "dc=ad, dc=ourdomain, dc=hu" -H ldap://localhost -s sub "(samaccountname=admin)" -Y GSSAPI
> > It works. I read a little about it, but I don't know what I should
> > configure for it.
> > I set
> > KRB5_CLIENT_KTNAME = /tmp/xyz (can I set it freely?)
> > realm = 'AD.OURDOMAIN.HU'
>
> That's all ldap magic. We didn't write OpenLDAP or ldapsearch, so our
> help here is limited.
>
I mean: I set KRB5_CLIENT_KTNAME and realm in the ldap module.
Other changes in the ldap module:
identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
password = …
base_dn = 'dc=ad,dc=ourdomain,dc=hu'
realm {
        mech = 'GSSAPI'
        KRB5_CLIENT_KTNAME = /tmp/freeradius_ktab
        realm = 'ad.ourdomain.hu'
}
Debug output:
Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): Connecting to ldap://localhost:389
Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): New libldap handle 0x5603f6c668b0
Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): SASL challenge : Authorization Name
Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): SASL prompt : Please enter your authorization name
Wed May 5 16:06:54 2021 : Debug: rlm_ldap (ldap): SASL result : cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu
Wed May 5 16:06:54 2021 : Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldap://localhost:389 failed: Local error
But
kinit Administrator
works.
Thanks,
Tamas.
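An added diagnostic, not part of this thread and not FreeRADIUS code: a GSSAPI bind from rlm_ldap needs libkrb5 to obtain the client's initial credentials from the keytab named by KRB5_CLIENT_KTNAME, so a useful check before debugging the bind itself is to confirm that the keytab actually holds an entry for the intended client principal in the configured realm. The script below parses the MIT keytab file format (version 0x0502) and compares principal and realm case-sensitively, since Kerberos realm names are case-sensitive. The principal names, realm, kvno values and key bytes are constructed sample data; key material is skipped and never printed.

```python
"""Check that a Kerberos keytab holds the client principal rlm_ldap will use."""
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str   # components joined with "/", e.g. "host/radius.example"
    realm: str
    kvno: int
    enctype: int


def _read_counted(buf: bytes, pos: int):
    """Read a uint16-length-prefixed octet string (MIT keytab encoding)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Parse a version-2 MIT keytab; returns entries without key material."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        # name type, timestamp, 8-bit kvno, keyblock enctype and key length
        _name_type, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen        # skip the key bytes: never surface them
        kvno = vno8
        if end - pos >= 4:      # trailing 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps), realm.decode(), kvno, enctype))
    return entries


def check_client_keytab(data: bytes, principal: str, realm: str):
    """Return (ok, reason) for whether principal@realm is present, case-sensitively."""
    entries = parse_keytab(data)
    if not entries:
        return False, "keytab is empty"
    exact = [e for e in entries if e.principal == principal and e.realm == realm]
    if exact:
        return True, f"found {principal}@{realm} (kvno {max(e.kvno for e in exact)})"
    same_name = [e for e in entries if e.principal == principal]
    if any(e.realm.upper() == realm.upper() for e in same_name):
        realms = sorted({e.realm for e in same_name})
        return False, f"realm case mismatch: keytab has {principal}@{realms}, config says {realm!r}"
    held = ", ".join(f"{e.principal}@{e.realm}" for e in entries)
    return False, f"no entry for {principal}@{realm}; keytab holds: {held}"


def build_keytab(specs):
    """Build a constructed keytab for the demo: (principal, realm, kvno, enctype, key)."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in specs:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1620223614, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                            # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample keytab: an "freeradius" client entry plus a host entry (enctype 18 = aes256-cts).
SAMPLE_KEYTAB = build_keytab([
    ("freeradius", "AD.OURDOMAIN.HU", 3, 18, b"\x11" * 32),
    ("host/radius.ad.ourdomain.hu", "AD.OURDOMAIN.HU", 260, 18, b"\x22" * 32),
])

if __name__ == "__main__":
    for realm in ("ad.ourdomain.hu", "AD.OURDOMAIN.HU"):
        print(realm, "->", check_client_keytab(SAMPLE_KEYTAB, "freeradius", realm))
```

Run it against a real file with `parse_keytab(open(path, "rb").read())`; the `realm` value passed to `check_client_keytab` should be exactly the string in the module's `realm` setting, so that a lowercase realm in the config shows up as a mismatch rather than being silently folded.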