Hi Steve -
You would set up two (or more) AuthBy LDAP2 clauses.
Something like this:
<Handler>
AuthByPolicy ContinueUntilAccept
<AuthBy LDAP2>
….
</AuthBy>
<AuthBy LDAP2>
….
</AuthBy>
….
</Handler>
The reference manual “doc/ref.pdf” has been reorganised, see sections 3.9.11
and 3.9.12.
regards
Hugh
> On 20 Aug 2020, at 10:47, Steve Phillips <[email protected]> wrote:
>
> Hi Guys,
>
> Just a couple of queries about setting up Radiator 4.24 to bind to LDAP as a
> user.
>
> I currently have the following AuthBy LDAP2 configuration
>
> <Handler>
> <AuthBy LDAP2>
> Host 10.0.0.50
>
> # Microsoft AD also listens on port 3268, and
> # requests received on that port are reported to be
> # more compliant with standard LDAP, so you may want to use:
> #Port 3268
>
> AuthDN uid=%U
> AuthPassword %P
> BaseDN ou=example users,dc=example,dc=com
> Scope sub
> ServerChecksPassword
> UnbindAfterServerChecksPassword
> UsernameAttr sAMAccountName
> #HoldServerConnection
> AuthAttrDef logonHours,MS-Login-Hours,check
>
> # Get user group memberships from this attribute
> GroupMembershipAttr memberOf
> </AuthBy>
> </Handler>
>
> My users are under a basedn as above but are in two different folders/Org
> Units
>
> ou=users1,ou=example users,dc=example,dc=com
> ou=users2,ou=example users,dc=example,dc=com
>
> as a result, I can’t easily setup a user auth using “AuthDN
> uid=%U,ou=users1,ou=example users,dc=example,dc=com” as some users will be in
> users2
>
> When I was playing with FreeRadius I could set the Ldap-UserDN to
> %[email protected] and this would successfully authenticate the user, but if I
> set AuthDN %[email protected] in radiator (I assume this is the same due to
> the error message saying it attempted a bind as [email protected]) I get a
> credential error
>
> 00000000 Thu Aug 20 09:48:48 2020 103966: ERR: AuthLDAP2 Could not bind
> connection with [email protected], **obscured**, error:
> LDAP_INVALID_CREDENTIALS (server 10.0.0.50 port 389).
> 00000000 Thu Aug 20 09:48:48 2020 104273: ERR: AuthLDAP2 Backing off from
> 10.0.0.50 port 389 for 600 seconds.
>
> How would you “bind” as that user in radiator when you have users scattered
> across multiple sub containers (I really don’t want to bind as a robot
> account as this presents an issue security wise)
>
> In addition to this, someone asked a few years back (2004) about the timeout
> issue with an incorrect user creating a bad bind with a 10 min backoff. Hugh
> responded saying to look at section 6.35.19 in the Radiator 3.9 manual and
> this no longer exists ☺ He mentioned a ‘Timeout’ directive, which I tried
> (Timeout 0) to no effect, how would you reduce this backoff on ‘bad user’ to
> essentially 0? (or at least, less than 10 Mins each time someone types their
> password incorrectly) ?
>
> Thanks in advance!
>
> --
> Steve.
>
>
> _______________________________________________
> radiator mailing list
> [email protected]
> https://lists.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
[email protected]
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
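The two-clause layout Hugh sketches, filled in from Steve's posted clause, as an added example (editor's text, not from the thread, from Radiator's own documentation or from OSC). Each AuthBy LDAP2 clause binds with a DN rooted in one OU, so the RADIUS user's own credentials (%U, %P) are used for the bind and no service account is needed, and ContinueUntilAccept tries the next clause when the first rejects. Assumptions: the user entries' RDN is cn=<login name> (on AD that often is not the case; use whatever forms the RDN in your OUs), and FailureBackoffTime is taken from memory of the LDAP2 section of doc/ref.pdf rather than from this thread, so confirm the name and default in your version of the manual.

```text
# Added example, not from the thread or the Radiator manual.
# One AuthBy LDAP2 clause per OU, tried in turn.
# Assumptions: user RDN is cn=<login>; FailureBackoffTime is a
# parameter name recalled from doc/ref.pdf, verify it there.
<Handler>
	# Try each clause until one accepts; a reject from the users1
	# clause falls through to the users2 clause.
	AuthByPolicy ContinueUntilAccept

	<AuthBy LDAP2>
		Host 10.0.0.50
		# Bind as the end user, not as a robot account: %U and %P are
		# the User-Name and User-Password from the RADIUS request.
		AuthDN cn=%U,ou=users1,ou=example users,dc=example,dc=com
		AuthPassword %P
		BaseDN ou=users1,ou=example users,dc=example,dc=com
		Scope sub
		UsernameAttr sAMAccountName
		ServerChecksPassword
		UnbindAfterServerChecksPassword
		AuthAttrDef logonHours,MS-Login-Hours,check
		GroupMembershipAttr memberOf
		# Assumed parameter name (check doc/ref.pdf). The log in the
		# thread shows a failed bind backing off from the server for
		# 600 seconds; shorten it so one mistyped password does not
		# take this clause out of service for ten minutes.
		FailureBackoffTime 10
	</AuthBy>

	<AuthBy LDAP2>
		Host 10.0.0.50
		AuthDN cn=%U,ou=users2,ou=example users,dc=example,dc=com
		AuthPassword %P
		BaseDN ou=users2,ou=example users,dc=example,dc=com
		Scope sub
		UsernameAttr sAMAccountName
		ServerChecksPassword
		UnbindAfterServerChecksPassword
		AuthAttrDef logonHours,MS-Login-Hours,check
		GroupMembershipAttr memberOf
		FailureBackoffTime 10
	</AuthBy>
</Handler>
```

Two caveats a practitioner will hit. First, every user whose account lives in users2 fails the users1 bind on each login, and the log Steve posted shows that Radiator treats a bind that fails with LDAP_INVALID_CREDENTIALS as a server failure and backs off from that host for 600 seconds; with ContinueUntilAccept that would leave the first clause unusable for everyone for ten minutes after each such login unless the backoff is shortened, which is why the (assumed) FailureBackoffTime line is there and why the clause for the larger OU should come first. The backoff is a separate setting from Timeout, which is why Timeout 0 had no effect on it. Second, confirm that the DN you put in AuthDN is one the directory will actually accept for a simple bind: the LDAP_INVALID_CREDENTIALS in the log can mean a wrong password or a DN that does not name the entry, and the two are indistinguishable from the RADIUS side.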