Hello, I wanted to know how you do SASL EXTERNAL binding to an LDAP server through Radiator for a network switch. I have added the SSL client certificate and the SSL CA certificate in the Radiator path.
Below are the further details of the Radiator configuration, radius.cfg:

<Client DEFAULT>
	Secret mysecret
	DupInterval 0
</Client>

# Authenticate all realms with this
<Realm DEFAULT>
	<AuthBy LDAP2>
		# Tell Radiator how to talk to the LDAP server
		Host localhost

		# Tell the LDAP server to authenticate the LDAP bind
		# with SASL:
		UseSASL

		# When you are using SASL authentication to connect to
		# the LDAP server, Radiator will
		# use AuthDN and AuthPassword to authenticate using
		# SASL instead of the default simple authentication.
		# In this example, we have
		# configured a SASL user called mikem into the SASL
		# user database using saslpasswd2. In order for
		# openldap to map the SASL user 'mikem' to the same
		# privileges as the LDAP manager (and hence have
		# access to protected password fields etc), you would need
		# something like this in your OpenLDAP configuration
		# (typically /etc/openldap/slapd.conf):
		#AuthDN uid=admin,ou=Users,dc=vmbox,dc=int
		#AuthPassword admin

		# You can also control which SASL mechanisms are
		# acceptable for SASL authentication. SASLMechanism is
		# a space separated list of mechanism names supported
		# by Authen::SASL, such as ANONYMOUS CRAM-MD5
		# DIGEST-MD5 EXTERNAL LOGIN PLAIN.
		# Defaults to DIGEST-MD5. If you change this you may
		# need to change your SASL->LDAP user mapping
		SASLMechanism EXTERNAL

		# This is the top of the search tree where users
		# will be found. It should match the configuration
		# of your server, see /etc/openldap/slapd.conf
		BaseDN dc=vmbox, dc=int

		# This is the LDAP attribute to match the RADIUS user name
		UsernameAttr cn

		# If you don't specify ServerChecksPassword, you
		# need to tell Radiator which attribute in the LDAP
		# database contains the user's correct password.
		# It can be plaintext or encrypted
		PasswordAttr userPassword

		# This tells AuthBy LDAP2 not to check the user's password,
		# ie that LDAP is just used to store check or reply items
		# and the authentication happens elsewhere
		# Requires latest patches to Radiator 3.11
		#NoCheckPassword

		# On some (most?) LDAP servers, you can tell AuthBy
		# LDAP to keep the connection to the server up for as
		# long as possible, and not close it after each
		# authentication. This can improve performance,
		# especially where UseTLS or UseSSL are in
		# operation. Not all servers can support this, so if you
		# enable it and things don't work right: disable it
		# again.
		HoldServerConnection

		# You can use CheckAttr, ReplyAttr and AuthAttrDef
		# to specify check and reply attributes in the LDAP
		# database. See the reference manual for more
		# information
		#AuthAttrDef ipaddress,Framed-IP-Address,reply

		# These are the classic things to add to each user's
		# reply to allow a PPP dialup session. It may be
		# different for your NAS. This will add some
		# reply items to everyone's reply
		AddToReply Framed-Protocol = PPP,\
			Framed-IP-Netmask = 255.255.255.255,\
			Framed-Routing = None,\
			Framed-MTU = 1500,\
			Framed-Compression = Van-Jacobson-TCP-IP

		# You can enable debugging of the Net::LDAP
		# module with this, which will dump LDAP requests
		# sent to and from the LDAP server
		Debug 255

		# With LDAP2 and perl-ldap 0.22 and better on Unix/Linux,
		# you can enable SSL or TLS.
		# See http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
		# for assistance on how to generate certificates and
		# configure openldap for SSL and/or TLS
		# To use SSL, set these
		#UseSSL
		#SSLCAClientCert C:/Program Files/Radiator/ldapcertificates/admin.pem
		#SSLCAClientKey C:/Program Files/Radiator/ldapcertificates/admin.pem
		# and one of
		#SSLCAFile C:/Program Files/Radiator/ldapcertificates/demoCA/cacert.pem
		#SSLCAPath /path/to/file/containing/certificate/of/CA
		# (certificates must be in PEM format)
		# To use TLS, set these
		UseTLS
		SSLVerify optional
		SSLCAClientCert C:/Radiator/ldapcertificates/admin.crt
		SSLCAClientKey C:/Radiator/ldapcertificates/admin.key
		# and one of
		SSLCAFile C:/Radiator/ldapcertificates/demoCA/cacert.pem
		#SSLCAPath C:/Program Files/Radiator/ldapcertificates/
		# (certificates must be in PEM format)
		# These set the corresponding parameters in the
		# LDAPS connection (see perl-ldap docs)
		# Requires IO::Socket::SSL, Net::SSLeay and openssl

		# You can control the timeout for connection failure,
		# plus the backoff time after failure. Timeout defaults
		# to 10 secs and FailureBackoffTime to 10 mins
		#Timeout 2
		#FailureBackoffTime 10

		# With PostSearchHook you can do your own processing
		# of the LDAP data.
		# Arg 0 is the AuthBy LDAP object
		# Arg 1 is the user name being authenticated
		# Arg 2 is the received request packet
		# Arg 3 is the user object holding check and reply
		# items for this user
		# Arg 4 is the search results handle, whose type
		# depends on whether it's LDAP, LDAP2, or LDAPSDK
		#PostSearchHook sub {print "PostSearchHook @_\n";\
		#	my $attr = $_[4]->get('someldapattr');\
		#	print "get attribute $attr\n";}

		# You can control the LDAP protocol version to be used
		# to talk to the LDAP server. OpenLDAP 2 requires
		# Version 3 unless you have 'allow bind_v2' in your
		# slapd.conf. Defaults to version 2
		Version 3

		# You can specify the maximum number of LDAP records
		# that match the search that will be used for
		# check and reply items. Only the first will be
		# used for ServerChecksPassword. Defaults to 1
		#MaxRecords 2
	</AuthBy>
</Realm>

I used radpwtst to authenticate a user, tina, from the LDAP server:

C:\Perl\bin>perl radpwtst -user tina -password turner -framed_ip_address 127.0.0.1 -nas_identifier 127.0.0.1 -nas_ip_address 127.0.0.1

I would like to check a user in the LDAP server using a SASL bind with the admin certificate, basically an EXTERNAL bind mechanism. My log file is throwing this error:

Tue Apr 30 11:48:15 2013: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Apr 30 11:48:15 2013: DEBUG: Deleting session for tina, 127.0.0.1, 1234
Tue Apr 30 11:48:15 2013: DEBUG: Handling with Radius::AuthLDAP2:
Tue Apr 30 11:48:15 2013: INFO: Connecting to localhost:389
Tue Apr 30 11:48:15 2013: DEBUG: Starting TLS
Tue Apr 30 11:48:16 2013: ERR: StartTLS failed: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 30 11:48:16 2013: ERR: Could not open LDAP connection to localhost:389. Backing off for 600 seconds.
Tue Apr 30 11:48:16 2013: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
Tue Apr 30 11:48:20 2013: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 50487 ....
Code:       Accounting-Request
Identifier: 91
Authentic:  <238><255><164>.<208><21>G<212>dhd<215><225>c<165><7>
Attributes:
	User-Name = "tina"
	Service-Type = Framed-User
	NAS-IP-Address = 127.0.0.1
	NAS-Identifier = "127.0.0.1"
	NAS-Port = 1234
	NAS-Port-Type = Async
	Acct-Session-Id = "00001234"
	Acct-Status-Type = Start
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	Framed-IP-Address = 127.0.0.1
	Acct-Delay-Time = 0

Tue Apr 30 11:48:20 2013: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Apr 30 11:48:20 2013: DEBUG: Adding session for tina, 127.0.0.1, 1234
Tue Apr 30 11:48:20 2013: DEBUG: Handling with Radius::AuthLDAP2:
Tue Apr 30 11:48:20 2013: DEBUG: AuthBy LDAP2 result: ACCEPT,
Tue Apr 30 11:48:20 2013: DEBUG: Accounting accepted
Tue Apr 30 11:48:20 2013: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 50487 ....

If I disable TLS, then restarting Radiator throws a "SASL mechanism not supported" error (-4).

Let me know if I can configure the switch as mentioned above through Radiator; if possible, provide a specific example. Waiting for your inputs.

Pramod Kulkarni
ABB Global Industries and Services Limited
Whitefield Road Block 1
560048, Bangalore, Karnataka, INDIA
Phone: +91 80 67579950
Mobile: +919663733663
email: pramod.kulka...@in.abb.com
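The log above shows the failure mode worth watching for on a RADIUS server that fronts LDAP: one StartTLS certificate-verify failure puts AuthBy LDAP2 into a 600-second FailureBackoffTime window, and every authentication in that window is IGNOREd without any reconnect attempt. The following script is an added example (not Radiator's code and not from the original post) that parses Radiator log lines in the format quoted above, pulls out the OpenSSL error code and reason, computes when the backoff expires, and counts how many results were IGNOREd inside the window. The sample log is constructed from the lines in the post plus one later IGNORE line assumed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the StartTLS/backoff lines quoted in the post, plus one
# later IGNORE result (assumed) that falls inside the 600-second backoff window.
SAMPLE_LOG = """\
Tue Apr 30 11:48:15 2013: INFO: Connecting to localhost:389
Tue Apr 30 11:48:15 2013: DEBUG: Starting TLS
Tue Apr 30 11:48:16 2013: ERR: StartTLS failed: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 30 11:48:16 2013: ERR: Could not open LDAP connection to localhost:389. Backing off for 600 seconds.
Tue Apr 30 11:48:16 2013: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
Tue Apr 30 11:52:03 2013: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
"""

# Radiator log prefix: "<ctime timestamp>: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>\w+): (?P<msg>.*)$")
# OpenSSL error string: error:<8 hex digits>:<lib>:<function>:<reason>
TLS_RE = re.compile(r"StartTLS failed: .*?error:(?P<code>[0-9a-fA-F]{8}):.*:(?P<reason>[^:]+)$")
BACKOFF_RE = re.compile(r"Could not open LDAP connection to (?P<server>\S+)\. Backing off for (?P<secs>\d+) seconds")

def analyse(log_text):
    """Return TLS failures, backoff windows, and how many AuthBy LDAP2 results
    were IGNOREd while Radiator was refusing to reconnect to the LDAP server."""
    report = {"tls_failures": [], "backoffs": [], "ignored": 0, "ignored_in_backoff": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # packet dumps and attribute lines carry no timestamp prefix
        ts, msg = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["msg"]
        t = TLS_RE.search(msg)
        if t:
            report["tls_failures"].append({"at": ts, "code": t["code"], "reason": t["reason"]})
        b = BACKOFF_RE.search(msg)
        if b:
            report["backoffs"].append({"server": b["server"], "start": ts,
                                       "retry_at": ts + timedelta(seconds=int(b["secs"]))})
        if "AuthBy LDAP2 result: IGNORE" in msg:
            report["ignored"] += 1
            if any(w["start"] <= ts < w["retry_at"] for w in report["backoffs"]):
                report["ignored_in_backoff"] += 1  # no reconnect is attempted here
    return report

if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    for f in r["tls_failures"]:
        print(f"{f['at']} StartTLS failure {f['code']}: {f['reason']}")
    for w in r["backoffs"]:
        print(f"{w['server']} marked down until {w['retry_at']}; IGNOREd meanwhile: {r['ignored_in_backoff']}")
```

Alerting on the "Backing off" line rather than on individual IGNORE results catches the outage at its start instead of after ten minutes of rejected logins.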
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator