Active Directory authenticated VPN

Alan DeKok aland at
Wed May 5 16:43:49 CEST 2021

On May 5, 2021, at 10:24 AM, Pisch Tamás <pischta at> wrote:
>>  So... fix that.
>>  Get TLS transport working first with ldapsearch.  Then, use the same
>> configuration for FreeRADIUS.
>  Another way is when I use GSSAPI, not TLS.

  So far as I know, the OpenLDAP client library doesn't support GSSAPI.  If it does, then FreeRADIUS doesn't use it, because TLS is so much more common.

> I mean:  I set KRB5_CLIENT_KTNAME and realm in the ldap module.
> Other changes in the ldap module:

  Just configure it as documented.

> identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
> password=…
> base_dn = 'dc=ad,dc=ourdomain,dc=hu'
> realm {
>  mech = 'GSSAPI'
>  KRB5_CLIENT_KTNAME = /tmp/freeradius_ktab
>  realm = ''
> }

   What is that?  You can't just invent configuration sections and expect the server to magically understand what you want.

  There is nothing in the documentation which says that this "realm" subsection exists.

  Your choices are:

a) use the documented configuration to connect FreeRADIUS to LDAP

b) invent things, and don't have FreeRADIUS connect to LDAP.

  Alan DeKok.

More information about the Freeradius-Users mailing list