Hello Elias,
You probably need to supply some LDAP admin credentials for the bind, because Radiator
asks for the userpassword.
IMHO, you're better off having the LDAP server check the password, because writing the
admin name and pw in your radius cfg file is both a security problem and an update
problem (when you change the admin pw). OTOH, user pw will be in clear over the LDAP
connection...
/Ingvar
-----Original Message-----
From: Elias [mailto:[EMAIL PROTECTED]]
Sent: den 19 september 2001 05:04
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Help with LDAP auth
Hi Hugh,
I'm experimenting with LDAP for authentication and seem to be stuck. I'm totally new
to LDAP and hence am not sure if the problem's with LDAP or my Radiator config. The
authentication seems to work if I supply the additional parameter
ServerChecksPassword. If I omit this, Radiator will return a "No such user" message
all the time. I've included a sample of my config and also the usual trace 4 output.
BTW, I don't know if this is important or not, the password is stored as either
userpassword: {SHA}xxxxxxxx or userpassword: {crypt}xxxxxxxxx. The password differs
depending on when the user was created. Thanks!
------------------ ldap config ---------------------
<Handler Realm=ldap>
RejectHasReason
RewriteUsername s/^([^@]+).*/$1/
<AuthBy LDAP2>
Host ldaptest
BaseDN %0=%1,ou=People,o=tm.net.my,o=isp
# This is the attribute to match the radius user name
UsernameAttr uid
PasswordAttr userpassword
#ServerChecksPassword
AddToReply Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
</AuthBy>
</Handler>
---------------- trace 4 output (without the ServerChecksPassword option) ----------------
Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 60377 ....
Code: Access-Request
Identifier: 206
Authentic: 1234567890123456
Attributes:
User-Name = "anuar@ldap"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=sql should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=ldap should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:28:57 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:28:57 2001: DEBUG: Deleting session for anuar@ldap, 203.63.154.1, 1234
Wed Sep 19 10:28:57 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with ,
Wed Sep 19 10:28:57 2001: DEBUG: No entries for anuar found in LDAP database
Wed Sep 19 10:28:57 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with ,
Wed Sep 19 10:28:57 2001: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
Wed Sep 19 10:28:57 2001: INFO: Access rejected for anuar: No such user
Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60377 ....
Code: Access-Reject
Identifier: 206
Authentic: 1234567890123456
Attributes:
Reply-Message = "No such user"
-------------------- trace 4 output (with the ServerChecksPassword option) ---------------------
Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 60398 ....
Code: Access-Request
Identifier: 141
Authentic: 1234567890123456
Attributes:
User-Name = "anuar@ldap"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=sql should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=ldap should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:32:06 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:32:06 2001: DEBUG: Deleting session for anuar@ldap, 203.63.154.1, 1234
Wed Sep 19 10:32:06 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Sep 19 10:32:06 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:32:06 2001: DEBUG: Attempting to bind with ,
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got result for uid=anuar,ou=People, o=tm.net.my, o=isp
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailhost: tm.net.my
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got maildeliveryoption: mailbox
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mail: [EMAIL PROTECTED]
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got objectclass: top person organizationalPerson inetorgperson inetUsere
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got inetuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got cn: anuar anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got uid: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got datasource: iPlanet Messaging Server 5.0 Admin Console
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got givenname: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got sn: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got creatorsname: uid=admin,ou=Administrators,ou=TopologyManagement,o=Nt
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifiersname: uid=admin,ou=Administrators,ou=TopologyManagement,o=t
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got createtimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifytimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Sep 19 10:32:06 2001: DEBUG: Access accepted for anuar
Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60398 ....
Code: Access-Accept
Identifier: 141
Authentic: 1234567890123456
Attributes:
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = None
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
- Elias -
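Ingvar's reply and Elias's note about the stored formats both turn on what happens when Radiator reads userpassword itself instead of letting the server check it. The following is an added illustration (not Radiator code and not from the original thread) of the comparison a client has to do once it has fetched an RFC 2307 userPassword value: it parses the {scheme} prefix and verifies {SHA}, {SSHA} and cleartext values, and dispatches {crypt} to crypt(3) when that module is present. Function names and the sample values are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

try:
    import crypt  # crypt(3) wrapper; deprecated since Python 3.11, absent in 3.13+
except ImportError:
    crypt = None


def split_scheme(stored):
    """Split an RFC 2307 userPassword value into (scheme, payload).

    Values look like '{SHA}base64' or '{crypt}hash'; a value with no
    '{scheme}' prefix is treated as cleartext.
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].lower(), stored[end + 1:]
    return "cleartext", stored


def verify_userpassword(stored, candidate):
    """Return True if candidate matches the stored userPassword value."""
    scheme, payload = split_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme == "cleartext":
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    if scheme == "sha":
        # {SHA}: base64 of the raw 20-byte SHA-1 digest, no salt
        return hmac.compare_digest(base64.b64decode(payload), hashlib.sha1(cand).digest())
    if scheme == "ssha":
        # {SSHA}: base64( sha1(password + salt) + salt ); salt follows the 20-byte digest
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if scheme == "crypt":
        if crypt is None:
            raise RuntimeError("{crypt} values need crypt(3), which is unavailable here")
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)
    raise ValueError("unsupported userPassword scheme: {%s}" % scheme)


def make_ssha(password, salt=None):
    """Build an {SSHA} value the way a directory server stores it (constructed helper)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


# Constructed sample values; the {SHA} one is the SHA-1 of the string "password".
SAMPLE_SHA = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
SAMPLE_SSHA = make_ssha("password", salt=b"\x01\x02\x03\x04")
```

Note that this path only works when the bind used for the search is allowed to read userpassword, which an empty bind such as the "Attempting to bind with ," in the trace above normally is not; with ServerChecksPassword the comparison moves to the server, at the cost Ingvar describes.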
===
Archive at http://www.open.com.au/archives/radiator/