Active Directory authenticated VPN

Pisch Tamás pischta at gmail.com
Thu May 6 15:04:32 CEST 2021


>> You can try to set KRB5_TRACE to let libkrb5 write debug logs.
> >>
> > Ok, I did it. When I use kinit, I can see messages in the log. When I
> start
> > freeradius, nothing new appears in the log with
> > tls {
> > start_tls = no
> > }
> > sasl {
> > mech = 'GSSAPI'
> > realm = 'ad.ourdomain.hu'
> > }
>
> Maybe that's a dead-end. I currently don't have the time to locally test
> something like this. And I'm rather reluctant to recommend Kerberos anyway.
>
It's not a problem - if I can authorize with ldap-tls, it is enough for me.
I just wrote two paralell thread: sasl and start_tls. But start_tls is
enough for me, if it works.
Maybe it is useful if I write down again my goal:
I have a Samba based AD. I want to create road warrior vpn, with
authentication and authorization from the AD. Alan said that the Samba howto
 isn't good, because it doesn't explain itself. Ok. But it describes the
elements of the whole thing what I want to realize.
In the past days I understood that I need RADIUS for the authentication
(and it works with winbind_username and winbind_domain parameters set
appropriately) and authorization. For authorization I need the ldap module.
I accept other working solution too.
This is, where I stuck. I don't insist on using sasl at all. I just want to
make authorization work.
Meanwhile I found SoftEther (with that, the second part of the Samba howto
is not needed for me). It seems it can do the vpn part of the task, and it
can use RADIUS (it can authenticate from AD directly, but I haven't found a
way to restrict access to an AD group, so I still need RADIUS).

> In your former message you wrote that you've added LDAP settings to
> ldap.conf. Don't do that.
>
I just wanted to test whether I can query LDAP with ldapsearch, I didn't
want to link the two together.

> Furthermore I'd even recommend to start radiusd with env var
> LDAPNOINIT=1 to prevent libldap to automagically read ldap.conf.
>
Ok, thanks.

>
> Here's a example config to be used for my Æ-DIR:
>
>
> https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.simple-bind

I tried it, freeradius debug message:
SASL/EXTERNAL authentication started
Thu May  6 14:57:03 2021 : Error: rlm_ldap (ldap): Bind with
cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldaps://localhost:636
failed: Unknown authentication method

> And then starting radiusd with option -X is your friend during testing.
>
Yes, I use it always.

Thanks,

Tamás.


More information about the Freeradius-Users mailing list