Active Directory authenticated VPN

Pisch Tamás pischta at gmail.com
Thu May 6 10:28:17 CEST 2021


> > I mean:  I set KRB5_CLIENT_KTNAME and realm in the ldap module.
> > Other changes in the ldap module:
>
>   Just configure it as documented.
>
RTFM answers hurt me. I try my best. If I set something wrong, please tell
me. If I miss some settings, please tell me. That helps me. I *do* read the
documentation.

>
> > identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
> >
> > password=…
> >
> > base_dn = 'dc=ad,dc=ourdomain,dc=hu'
> > realm {
> >  mech = 'GSSAPI'
> >  KRB5_CLIENT_KTNAME = /tmp/freeradius_ktab
> >  realm = 'ad.ourdomain.hu'
> > }
>    What is that?  You can't just invent configuration sections and expect
> the server to magically understand what you want.
>   There is nothing in the documentation which says that this "realm"
> subsection exists.
>
Sorry, that was wrong: it is sasl, and I used it correctly in the
configuration file, I just wrote it wrongly here.
I don't insist on using sasl; TLS would be good. Some days ago ldapsearch
didn't work with start_tls, but worked with GSSAPI, which is why I tried
that direction.

> People who are really eager to use Kerberos could probably just set SASL
> mech GSSAPI and let libkrb5 do the work.
> Configuration can be done outside of FreeRADIUS with some env vars:
>
> https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/kerberos.html#environment-variables
>
I've already read it. I know that I should set environment variables. I
tried KRB5_CONFIG, but krb5.conf didn't even appear in the freeradius debug
output.

I wrote the following into ldap.conf:
    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
    BASE    DC=AD,DC=OURDOMAIN,DC=HU
    TLS_REQCERT     allow
And ldapsearch works now:
    ldapsearch -h 127.0.0.1 -D "cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu" -W -b "dc=ad,dc=ourdomain,dc=hu" -s sub -x -ZZ -LLL "(cn=Administrator)"
So, in ldap.conf I commented out the sasl parameters and enabled start_tls. I
still need in the ldap module:
    identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
    password = '...'
freeradius starts, but when I try
    radtest -x -t mschap vpn@ad.ourdomain.hu "..." localhost 0 pwd
in the freeradius debug output I see:
    Error: rlm_ldap (ldap): Bind with cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldap://localhost:389 failed: Strong(er) authentication required
    Error: rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..

Thanks,
Tamas.
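As an added example (not from this thread or from the FreeRADIUS project): a small Python linter for the rlm_ldap settings discussed in the post above. It flags a simple bind without StartTLS or ldaps (the "Strong(er) authentication required" failure), a require_cert value that skips server certificate verification like the TLS_REQCERT allow line, and a domain-administrator bind identity. The configuration fragment is constructed with placeholder DNs, and the `tls` subsection keys are assumed to follow rlm_ldap 3.x syntax.

```python
# Constructed sample rlm_ldap fragment (placeholders; 'tls' keys assume v3.x).
SAMPLE_CONFIG = """
ldap {
    server = 'ldap://localhost:389'
    identity = 'cn=Administrator,cn=Users,dc=ad,dc=example,dc=test'
    password = 'PLACEHOLDER'
    base_dn = 'dc=ad,dc=example,dc=test'
    tls {
        start_tls = no           # plaintext simple bind, the post's failure mode
        require_cert = 'allow'   # same effect as ldap.conf TLS_REQCERT allow
    }
}
"""

def parse_config(text):
    """Parse FreeRADIUS 'key = value' / 'name { ... }' text into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if line.endswith("{"):                 # open a subsection
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == "}":                      # close it
            stack.pop()
        elif line:                             # key = value, quotes stripped
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip().strip("'\"")
    return root

def lint_ldap_module(cfg):
    """Return (severity, finding) pairs for the 'ldap' module section."""
    ldap, findings = cfg.get("ldap", {}), []
    tls = ldap.get("tls", {})
    encrypted = (ldap.get("server", "").startswith("ldaps://")
                 or tls.get("start_tls", "no").lower() == "yes")
    if ldap.get("identity") and not encrypted:
        findings.append(("high", "simple bind password sent in clear; AD rejects "
                         "this with 'Strong(er) authentication required'"))
    if tls.get("require_cert", "demand").lower() in ("allow", "never"):
        findings.append(("medium", "require_cert does not verify the server "
                         "certificate, so StartTLS can be intercepted"))
    if ldap.get("identity", "").lower().startswith("cn=administrator,"):
        findings.append(("medium", "bind identity is a domain administrator; "
                         "use a dedicated read-only service account"))
    return findings

if __name__ == "__main__":
    for severity, finding in lint_ldap_module(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {finding}")
```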


More information about the Freeradius-Users mailing list