Hello Elias,
 
You probably need to supply some LDAP admin credentials for the bind, because Radiator 
asks for the userpassword.
 
IMHO, you're better off having the LDAP server check the password, because writing the 
admin name and pw in your radius cfg file is both a security problem and an update 
problem (when you change the admin pw). OTOH, user pw will be in clear over the LDAP 
connection...
 
/Ingvar

-----Original Message-----
From: Elias [mailto:[EMAIL PROTECTED]]
Sent: den 19 september 2001 05:04
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Help with LDAP auth


Hi Hugh,
 
I'm experimenting with LDAP for authentication and seem to be stuck. I'm totally new 
to LDAP and hence am not sure if the problem's with LDAP or my Radiator config. The 
authentication seems to work if I supply the additional parameter 
ServerChecksPassword. If I omit this, Radiator will return a "No such user" message 
all the time. I've included a sample of my config and also the usual trace 4 output.  
BTW, I don't know if this is important or not, the password is stored as either 
userpassword: {SHA}xxxxxxxx or userpassword: {crypt}xxxxxxxxx. The password differs 
depending on when the user was created. Thanks!
 
 
 
------------------ ldap config ---------------------
 
<Handler Realm=ldap>
        RejectHasReason
        RewriteUsername s/^([^@]+).*/$1/

        <AuthBy LDAP2>
                Host            ldaptest
                BaseDN          %0=%1,ou=People,o=tm.net.my,o=isp

                # This is the attribute to match the radius user name
                UsernameAttr    uid
                PasswordAttr    userpassword
                #ServerChecksPassword

                AddToReply Framed-Protocol = PPP,\
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-MTU = 1500,\
                        Framed-Compression = Van-Jacobson-TCP-IP
        </AuthBy>
</Handler>

---------------- trace 4 output (without the ServerChecksPassword option) ----------------
Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 60377 ....
Code:       Access-Request
Identifier: 206
Authentic:  1234567890123456
Attributes:
        User-Name = "anuar@ldap"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
 
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to 
handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=sql should be used to handle 
this request
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=ldap should be used to handle 
this request
Wed Sep 19 10:28:57 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:28:57 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:28:57 2001: DEBUG:  Deleting session for anuar@ldap, 203.63.154.1, 1234
Wed Sep 19 10:28:57 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:28:57 2001: DEBUG: No entries for anuar found in LDAP database
Wed Sep 19 10:28:57 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:28:57 2001: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
Wed Sep 19 10:28:57 2001: INFO: Access rejected for anuar: No such user
Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60377 ....
Code:       Access-Reject
Identifier: 206
Authentic:  1234567890123456
Attributes:
        Reply-Message = "No such user"

 
-------------------- trace 4 output (with the ServerChecksPassword option) ---------------------
 
Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 60398 ....
Code:       Access-Request
Identifier: 141
Authentic:  1234567890123456
Attributes:
        User-Name = "anuar@ldap"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
 
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to 
handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=sql should be used to handle 
this request
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=ldap should be used to handle 
this request
Wed Sep 19 10:32:06 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:32:06 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:32:06 2001: DEBUG:  Deleting session for anuar@ldap, 203.63.154.1, 1234
Wed Sep 19 10:32:06 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Sep 19 10:32:06 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:32:06 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got result for uid=anuar,ou=People, o=tm.net.my, o=isp
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailhost: tm.net.my
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got maildeliveryoption: mailbox
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mail: [EMAIL PROTECTED]
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got objectclass: top person organizationalPerson 
inetorgperson inetUsere
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got inetuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got cn: anuar anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got uid: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got datasource: iPlanet Messaging Server 5.0 
Admin Console
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got givenname: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got sn: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got creatorsname: 
uid=admin,ou=Administrators,ou=TopologyManagement,o=Nt
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifiersname: 
uid=admin,ou=Administrators,ou=TopologyManagement,o=t
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got createtimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifytimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 ACCEPT: 
Wed Sep 19 10:32:06 2001: DEBUG: Access accepted for anuar
Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60398 ....
Code:       Access-Accept
Identifier: 141
Authentic:  1234567890123456
Attributes:
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP

 
- Elias -
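The thread contrasts two ways of checking the password: with ServerChecksPassword the LDAP server validates the bind as the user, so the on-disk hash format never matters; without it Radiator must read the userpassword attribute (which the empty "Attempting to bind with , " anonymous bind in the trace cannot see) and compare the RFC 2307-style value itself. The following is an added example, not Radiator code, showing what that second path has to do for the {SHA} and {crypt} values Elias mentions (plus salted {SSHA}). All stored values and the test password are constructed for the demo; the `crypt` fallback assumes the Python `crypt` module is present, which newer interpreters no longer ship.

```python
"""Verify a candidate password against an RFC 2307-style userPassword value.

Added example (not part of Radiator).  Demonstrates the work a RADIUS server
takes on when it reads the userpassword attribute itself instead of letting
the directory check the bind: it must parse the {scheme} prefix, recompute the
hash and compare in constant time.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_sha(password: str) -> str:
    """Build an unsalted {SHA} value (constructed, for the demo)."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a salted {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_userpassword(stored: str, candidate: str) -> bool:
    """Return True if candidate matches the stored userPassword value.

    Supports {SHA}, {SSHA}, {crypt} and a bare cleartext value.  Unknown
    schemes raise rather than silently failing open or closed.
    """
    if not stored.startswith("{"):
        # No scheme prefix: the directory holds the password in clear.
        return hmac.compare_digest(stored.encode(), candidate.encode())

    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()

    if scheme == "SHA":
        expected = base64.b64decode(payload)
        got = hashlib.sha1(candidate.encode()).digest()
        return hmac.compare_digest(got, expected)

    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        expected, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        got = hashlib.sha1(candidate.encode() + salt).digest()
        return hmac.compare_digest(got, expected)

    if scheme == "CRYPT":
        try:
            import crypt  # assumption: crypt(3) module available (removed in Python 3.13)
        except ImportError as exc:
            raise NotImplementedError("{crypt} needs the crypt module") from exc
        # crypt() reads the salt out of the stored string itself.
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)

    raise ValueError(f"unsupported userPassword scheme: {{{scheme}}}")


if __name__ == "__main__":
    # Constructed sample values; "password" is the demo secret.
    for value in (make_sha("password"), make_ssha("password"), "password"):
        print(value, check_userpassword(value, "password"),
              check_userpassword(value, "Password"))
```

Note that every scheme above has to be reproduced by the RADIUS side, and the directory account used for the read must be allowed to see userpassword, which is exactly the credential-in-config problem Ingvar points out; letting the server check the bind avoids both, at the cost of the cleartext-on-the-wire concern he also raises.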

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
