I am trying to get Radiator to authenticate against LDAP and Open Directory on an OS X server. Here's what my config file looks like at this point.
# opendirectory.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# OpenDirectory LDAP.
#
# Open Directory stores passwords in a proprietary encrypted format
# and therefore requires the new ServerChecksPassword parameter
#
# This example works with the example DemoCorp directory provided
# with OpenDirectory. You will need to edit the "Cosine User Id"
# and "User Password" for users in the DemoCorp directory whom
# you want to authenticate. The config will look for the user name
# matching "Cosine User Id", so use your DXplorer or similar to
# set "Cosine User Id" to be your dialup user name, and
# "User Password" to be the dialup password.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: opendirectory.cfg,v 1.1 2000/02/15 07:12:00 mikem Exp $

Foreground
LogStdout
LogDir .
DbDir .
AuthPort 1812
AcctPort

# You will probably want to change this to suit your site.
<Client DEFAULT>
    Secret mysecret
    DupInterval 0
</Client>

<Realm DEFAULT>
    <AuthBy LDAP2>
        # Open Directory has proprietary encrypted passwords
        # so we must get the server to check them.
        ServerChecksPassword

        # address obscured to protect the accused
        Host aaa.bbb.ccc.ddd
        BaseDN cn=users,dc=cvrti,dc=utah,dc=edu
        UsernameAttr uid

        # Open Directory is happy with multiple requests
        # on one connection
        HoldServerConnection

        # You can use CheckAttr, ReplyAttr and AuthAttrDef
        # to specify check and reply attributes in the LDAP
        # database. See the reference manual for more
        # information

        # These are the classic things to add to each user's
        # reply to allow a PPP dialup session. It may be
        # different for your NAS. This will add some
        # reply items to everyone's reply
        AddToReply Framed-Protocol = PPP,\
            Framed-IP-Netmask = 255.255.255.255,\
            Framed-Routing = None,\
            Framed-MTU = 1500,\
            Framed-Compression = Van-Jacobson-TCP-IP

        # You can enable debugging of the Net::LDAP
        # module with this:
        Debug 255
    </AuthBy>
    # Log accounting to the detail file in LogDir
    AcctLogFileName ./detail
</Realm>
And here is the debug information that I am getting back. It looks to me like the LDAP system doesn't like the HASHed information it is getting. I'm not enough of a "perl head" to know how to fix this issue.
Thanks for any and all information,
Phil
Net::LDAP=HASH(0x9a3258) sending:

30 0C 02 01 01 60 07 02 01 02 04 00 80 00 __ __ 0....`........

0000   12: SEQUENCE {
0002    1:   INTEGER = 1
0005    7:   [APPLICATION 0] {
0007    1:     INTEGER = 2
000A    0:     STRING = ''
000C    0:     [CONTEXT 0]
000E     :   }
000E     : }

Net::LDAP=HASH(0x9a3258) received:

30 32 02 01 01 61 2D 0A 01 02 04 00 04 26 72 65 02...a-......&re
71 75 65 73 74 65 64 20 70 72 6F 74 6F 63 6F 6C quested protocol
20 76 65 72 73 69 6F 6E 20 6E 6F 74 20 61 6C 6C  version not all
6F 77 65 64 __ __ __ __ __ __ __ __ __ __ __ __ owed

0000   50: SEQUENCE {
0002    1:   INTEGER = 1
0005   45:   [APPLICATION 1] {
0007    1:     ENUM = 2
000A    0:     STRING = ''
000C   38:     STRING = 'requested protocol version not allowed'
0034     :   }
0034     : }
Thu Sep 30 09:57:43 2004: ERR: Could not bind connection with , , error: LDAP_PROTOCOL_ERROR (server aaa.bbb.ccc.ddd:389)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
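The two PDUs from the debug dump above, decoded with a small BER walker added here as an example (it is not code from the original post or from Radiator); the byte strings are transcribed from the hex dumps, and the result-code names follow RFC 4511.

```python
# Added example (not from the original post or from Radiator): a minimal BER
# walker that decodes the two LDAP PDUs shown in the Net::LDAP debug dump.
# Bytes transcribed from the hex dumps in the post.
BIND_REQUEST = bytes.fromhex("300c020101600702010204008000")
BIND_RESPONSE = (bytes.fromhex("3032020101612d0a010204000426")
                 + b"requested protocol version not allowed")

# LDAP resultCode values relevant here (RFC 4511, Appendix A).
RESULT_NAMES = {0: "success", 2: "protocolError", 49: "invalidCredentials"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) children, in order."""
    items, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        items.append((tag, inner))
    return items

def decode_ldap_message(pdu):
    """Decode an LDAPMessage carrying a BindRequest or a BindResponse."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    (_, msgid), (op_tag, op) = children(body)[:2]   # trailing controls ignored
    fields = children(op)
    msg = {"messageID": int.from_bytes(msgid, "big")}
    if op_tag == 0x60:                     # BindRequest ::= [APPLICATION 0]
        version, name, auth = fields
        msg.update(op="BindRequest", version=int.from_bytes(version[1], "big"),
                   name=name[1].decode(), auth="simple" if auth[0] == 0x80 else "sasl")
    elif op_tag == 0x61:                   # BindResponse ::= [APPLICATION 1]
        code = int.from_bytes(fields[0][1], "big")
        msg.update(op="BindResponse", resultCode=code, result=RESULT_NAMES.get(code, "other"),
                   matchedDN=fields[1][1].decode(), diagnosticMessage=fields[2][1].decode())
    else:
        raise ValueError(f"unsupported protocolOp tag 0x{op_tag:02x}")
    return msg

if __name__ == "__main__":               # prints the decoded request, then the response
    for pdu in (BIND_REQUEST, BIND_RESPONSE):
        print(decode_ldap_message(pdu))
```

Decoded, the request carries protocol version 2 and the server answers resultCode 2 (protocolError) with the diagnostic text shown, which is how an OpenLDAP-based directory that does not permit LDAPv2 binds rejects such a bind. The AuthBy LDAP2 Version parameter selects the protocol version Radiator offers at bind time, so a server in that state needs Version 3.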