I am trying to get Radiator to authenticate against LDAP and Open Directory on an OS X server. Here's what my config file looks like at this point.
# opendirectory.cfg # # Example Radiator configuration file. # This very simple file will allow you to get started with # OpenDirectory LDAP. # # Open Directory stores passwords in a proprietary encrypted format # and therfore requires the new ServerChecksPassword parameter # # This example works with the example DemoCorp directory provided # with OpenDirectory. You will need to edit the "Cosine User Id" # and "User Password" for users in the DemoCorp directory whom # you want to authenticate. The config will look for the user name # matching "Cosine User Id", so use your DXplorer or similar to # set "Cosine User Id" to be your dialup user name, and # "User Pasword" to be the dialup password. # # See radius.cfg for more complete examples of features and # syntax, and refer to the reference manual for a complete description # of all the features and syntax. # # You should consider this file to be a starting point only # $Id: opendirectory.cfg,v 1.1 2000/02/15 07:12:00 mikem Exp $
Foreground
LogStdout
LogDir .
DbDir .
AuthPort 1812
AcctPort
# You will probably want to change this to suit your site.
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client><Realm DEFAULT>
<AuthBy LDAP2>
# Open Directory has proprietary encrypted passwords
# so we must get the server to check them.
ServerChecksPasswordHost aaa.bbb.ccc.ddd address obscured to protect the accused
BaseDN cn=users,dc=cvrti,dc=utah,dc=edu
UsernameAttr uid
# Open Directory is happy with multiple requests
# on one connection
HoldServerConnection # You can use CheckAttr, ReplyAttr and AuthAttrDef
# to specify check and reply attributes int eh LDAP
# database. See the reference manual for more
# information # These are the classic things to add to each users
# reply to allow a PPP dialup session. It may be
# different for your NAS. This will add some
# reply items to everyone's reply
AddToReply Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP # You can enable debugging of the Net::LDAP
# module with this:
Debug 255
</AuthBy>
# Log accounting to the detail file in LogDir
AcctLogFileName ./detail
</Realm>And here is the debug information that I am getting back. It looks to me like the LDAP system doesn't like the HASHed information it is getting. I'm not enough of a "perl head" to know how to fix this issue.
Thanks for any and all information,
Phil
Net::LDAP=HASH(0x9a3258) sending:
30 0C 02 01 01 60 07 02 01 02 04 00 80 00 __ __ 0....`........
0000 12: SEQUENCE {
0002 1: INTEGER = 1
0005 7: [APPLICATION 0] {
0007 1: INTEGER = 2
000A 0: STRING = ''
000C 0: [CONTEXT 0]
000E : }
000E : }
Net::LDAP=HASH(0x9a3258) received:30 32 02 01 01 61 2D 0A 01 02 04 00 04 26 72 65 02...a-......&re 71 75 65 73 74 65 64 20 70 72 6F 74 6F 63 6F 6C quested protocol 20 76 65 72 73 69 6F 6E 20 6E 6F 74 20 61 6C 6C version not all 6F 77 65 64 __ __ __ __ __ __ __ __ __ __ __ __ owed
0000 50: SEQUENCE {
0002 1: INTEGER = 1
0005 45: [APPLICATION 1] {
0007 1: ENUM = 2
000A 0: STRING = ''
000C 38: STRING = 'requested protocol version not allowed'
0034 : }
0034 : }
Thu Sep 30 09:57:43 2004: ERR: Could not bind connection with , , error: LDAP_PROTOCOL_ERROR (server aaa.bbb.ccc.ddd:389)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
