Active Directory authenticated VPN
Michael Ströder
michael at stroeder.com
Thu May 6 15:41:07 CEST 2021
On 5/6/21 3:04 PM, Pisch Tamás wrote:
>> https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.simple-bind
>
> I tried it, freeradius debug message:
> SASL/EXTERNAL authentication started
> Thu May 6 14:57:03 2021 : Error: rlm_ldap (ldap): Bind with
> cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu to ldaps://localhost:636
> failed: Unknown authentication method
It seems you set SASL mech EXTERNAL. Don't do that if you want to use
LDAP simple bind. Without seeing your config I can only guess though.
Background: LDAP knows two different methods for the bind operation:
1. LDAP simple bind, mainly sends the bind-DN and password. As you can
see in my ldap.simple-bind example file the line
mech = 'EXTERNAL'
is commented (disabled) and these lines are used for the simple bind:
identity = 'uid=system_radiusd,ou=ae-dir'
password = supersecret
2. LDAP SASL bind for which the message format and messages exchanged
depend on the SASL mech used. Password-less mechs are e.g. EXTERNAL and
GSSAPI.
Sending a bind operation with SASL/EXTERNAL instructs the LDAP server to
use authc credential information from a lower transport layer. IIRC MS
AD and/or Samba4 do not support that.
Typically SASL/EXTERNAL is used for authenticating with TLS client certs
to the LDAP server as in this example file:
https://gitlab.com/ae-dir/client-examples/-/blob/master/freeradius/ldap.sasl-external
I typically use the EAP-TLS server cert also as LDAP client cert which
is directly mapped in Æ-DIR's config to the accompanying aeService entry
(which is then authorized to search for users enabled for that service).
No way to do things like that in MS AD/Samba4.
See a short description here:
https://www.ae-dir.com/apps.html#wifi
>> And then starting radiusd with option -X is your friend during testing.
>>
> Yes, I use it always.
Good.
Ciao, Michael.
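To make the point above checkable, here is an added example (not from the thread or from the Æ-DIR client-examples repository) that parses the bind-related keys of an rlm_ldap module section and reports which bind method FreeRADIUS will attempt. It assumes the FreeRADIUS 3.x layout with a nested `sasl { mech = ... }` block inside `ldap { ... }`; the two sample configs are constructed, reusing the DN and URL from the debug message.

```python
import re

# Constructed sample shaped like a FreeRADIUS 3.x mods-available/ldap section
# (assumed layout, not the thread's example file); only bind-relevant keys shown.
BROKEN_CFG = """
ldap {
    server = 'ldaps://localhost:636'
    identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
    password = supersecret
    sasl {
        mech = 'EXTERNAL'    # still enabled: rlm_ldap performs a SASL bind
    }
}
"""
# Same section with the mech line commented out, as in the ldap.simple-bind example.
FIXED_CFG = BROKEN_CFG.replace("mech = 'EXTERNAL'", "# mech = 'EXTERNAL'")

_KV = re.compile(r"^(\w+)\s*=\s*(.*)$")

def parse(text):
    """Parse the 'key = value' / 'name { ... }' subset of FreeRADIUS config syntax."""
    cur = root = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments; '#' in quotes unsupported
        if not line:
            continue
        if line.endswith('{'):                 # open a nested section
            name = line[:-1].strip()
            stack.append(cur)
            cur = cur.setdefault(name, {})
        elif line == '}':                      # close the current section
            cur = stack.pop()
        else:
            m = _KV.match(line)
            if m:
                cur[m.group(1)] = m.group(2).strip().strip("'\"")
    return root

def bind_method(cfg):
    """Return (method, notes): the bind the 'ldap' section will attempt."""
    ldap = cfg.get('ldap', {})
    mech = ldap.get('sasl', {}).get('mech')
    has_pw = 'identity' in ldap and 'password' in ldap
    if mech:
        notes = [f'SASL bind with mech {mech}; server must support it']
        if has_pw:
            notes.append('identity/password do not yield a simple bind while sasl.mech is set')
        return f'sasl/{mech}', notes
    return 'simple', ['simple bind' if has_pw else 'anonymous bind (no identity/password)']
```

Running `bind_method(parse(BROKEN_CFG))` reports `sasl/EXTERNAL`, which matches the "SASL/EXTERNAL authentication started" line in the debug output; the commented-out variant reports `simple`.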