Re: (RADIATOR) Trouble with SessionDatabase SQL

2001-03-22 Thread Frederic Gargula

Hugh Irvine wrote:

> Hi Fred -
> 
> How's life? I'm sorry we didn't see each other during my last 
> visit to Paris - but maybe next time?
> 

I certainly hope so! It's been a long time...

> 
> On Thursday 22 March 2001 04:50, Frederic Gargula wrote:
> 
>> Hi all,
>> 
>> 
>> I write again to this list to report a strange behavior :
>> 
>> I want to limit simultaneous logins : Each user can be logged on once at
>> a time.
>> 
>> [In the bottom, you can find interesting parts of my config file.]
>> 
> I agree with you - it looks quite strange. Could you tell me what version of 
> Radiator you are running? And could you also try to remove the AuthByPolicy 
> from the Handler? As you only have a single AuthBy you shouldn't need the 
> AuthByPolicy anyway.
 

Oh, Sorry.

I'm using Radiator 2.17.1 ;)
I've removed the AuthByPolicy that is useless as you said.
(I had put it there because I hoped Radiator would not send an Access-Accept 
after the Access-Reject generated by the MaxSessions Exceeded state)

Without the AuthByPolicy clause, the result is the same: two answers 
(an Access-Reject due to MaxSessions, and then an Access-Accept due to 
the correct LDAP lookup).

I will be very glad if I could find the way to have only one answer...

Regards,
-- 
Frederic Gargula
Systems Design Engineer
Easynet France


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Trouble with SessionDatabase SQL

2001-03-21 Thread Frederic Gargula
 x
 AccountingTable ACCOUNTING
 AcctColumnDef USERNAME,User-Name
 AcctColumnDef TIME_STAMP,Timestamp,integer
 AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
 AcctColumnDef ACCTDELAYTIME, Acct-Delay-Time,integer
 AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets,integer
 AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets,integer
 AcctColumnDef ACCTSESSIONID, Acct-Session-Id
 AcctColumnDef ACCTSESSIONTIME, Acct-Session-Time,integer
 AcctColumnDef ACCTTERMINATECAUSE, Acct-Terminate-Cause,integer
 AcctColumnDef NASIDENTIFIER, NAS-Identifier
 AcctColumnDef NASPORT,NAS-Port,integer
 AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
 AcctColumnDef CALLERID,Caller-Id



RewriteUsername s/^([^@]+)$/$1\@easynet.fr/
RejectHasReason
SessionDatabase SDB1
AuthByPolicy ContinueUntilReject
MaxSessions 1
AuthBy Auth_ldap_dialup




RewriteUsername s/^([^@]+)$/$1\@easynet.fr/
AuthByPolicy ContinueAlways
AuthBy Accounting1



 DBSource dbi:mysql:x:x
 DBUsername x
 DBAuth x
 Identifier SDB1




-- 
Frederic Gargula
Systems Design Engineer
Easynet France





(RADIATOR) LDAP with MIMEBASE64 and MD5 trouble

2001-02-07 Thread Frederic Gargula

Hi all,


I'm testing authentication with Radiator 2.17.1 on OpenLDAP 1.2.11 (each
on a separate server, both on a private testing network), and I have
trouble with MD5 encryption.

On the LDAP server, passwords are stored in the form :

{MD5}ZviHb9U7k5r2YaTNG6QuTA==   [this format is known as MD5 with MIME]


Following the documentation, and particularly the sections 13.1.1 and
13.1.2, Radiator supports this encrypted format for both 'User-Password'
and 'Encrypted-Password' check items.

I've tried both, and I have :

-using 'User-Password' :

> 
> Tue Feb  6 10:19:12 2001: DEBUG: Handling with Radius::AuthLDAP2
> Tue Feb  6 10:19:12 2001: DEBUG: Connecting to 192.168.100.10, port 389
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got result for
> [EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet.net
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got userpassword: {MD5}ZviHb9U7k5r2YaTNG6QuTA==
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got idletime: 0
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got ippool: 1
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got iproutemetric: 2
> Tue Feb  6 10:19:12 2001: DEBUG: Radius::AuthLDAP2 looks for match with 
>[EMAIL PROTECTED]
> Tue Feb  6 10:19:12 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password

-using 'Encrypted-Password' :

>  Tue Feb  6 10:50:25 2001: DEBUG: Handling with Radius::AuthLDAP2
> Tue Feb  6 10:50:25 2001: DEBUG: Connecting to 192.168.100.10, port 389
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got result for
> [EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet.net
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got userpassword:{MD5}ZviHb9U7k5r2YaTNG6QuTA==
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got idletime: 0
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got ippool: 1
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got iproutemetric: 2
> Tue Feb  6 10:50:25 2001: DEBUG: Radius::AuthLDAP2 looks for match with
> [EMAIL PROTECTED]
> Tue Feb  6 10:50:25 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password

I'm sure of my password, and I don't understand why Radiator still
rejects my requests.

I've seen many past posts in this mailing list, and I remember Robin
Gruyters's one, on Jun 13 2000 :

> hi,
> 
> Because we use in our LDAP for password md5 with MIME64
> (userpassword={MD5}qP0OV/oViFka8YbFMWEWeg==)
> We had to make some changes in the Radius.pm file. Here is a patch:
> 
> --- Radius.pm   Tue Jun 13 10:25:10 2000
> +++ Radiusmd5.pmTue Jun 13 10:26:12 2000
> @@ -708,6 +708,18 @@
> # via Apache::AuthenRadius or similar
> $result = &check_digest_password($user, $submitted_pw,
> $pw);
> }
> +elsif ($pw =~ /^{MD5}/)
> +{
> +require MIME::Base64;
> +require Digest::MD5;
> +my $context = new MD5;
> +$context->reset();
> +$context->add("$submitted_pw");
> +
> +my $tmppw =  "{MD5}" .
> MIME::Base64::encode_base64($context->digest());
> +chomp($tmppw);
> +$result = ($tmppw eq $pw);
> +}
> else
> {
> # Just ordinary old plaintext, look for an exact match
> 
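Review bot: In the added `elsif` branch the code does `require Digest::MD5;` but then builds the object with `new MD5`, which names the older `MD5` package rather than the module just loaded; unless `MD5` is loaded elsewhere in Radius.pm, this branch fails at run time. Suggest `my $context = Digest::MD5->new;`, after which the `reset()` on a fresh object is unnecessary. Two smaller points in the same branch: `encode_base64()` appends a newline, which is why the `chomp` is needed, and passing an empty second argument, `encode_base64($context->digest(), "")`, removes that dependency; and the opening brace in `/^{MD5}/` is safer written escaped as `/^\{MD5\}/`.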

I don't understand why he has to patch Radius.pm, because following the
Class Hierarchy on section 17.5, the AuthLDAP2 inherits from
AuthGeneric.

The {MD5} encryption appears nowhere else:

morrison:/usr/local/src/Radiator-2.17.1/Radius$ grep "{MD5}" *
AuthGeneric.pm:elsif ($pw =~ /^{MD5}/)
AuthGeneric.pm:     $cmp_pass = '{MD5}' .
MIME::Base64::encode_base64($md5->digest());
AuthGeneric.pm:  $cmp_pass = "{MD5}" . $md5->hexdigest();


I've put my config file in attachment.


Is the inheritance working ?
Does anyone have any idea for my trouble ? 



-- 
Frederic Gargula
Systems Designer
Easynet France
 radius.cfg_ldap
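
The check discussed in this message, as an added example (it is not Radiator's code and not part of the original post): a stored `{MD5}` value is decoded to its 16 raw digest bytes and compared with the MD5 of the submitted password. It accepts both the base64 and the hex forms that the `grep` output above shows in AuthGeneric.pm; the function names and the sample values for the password "password" are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Value quoted in the post; its plaintext is not on the page.
PAGE_VALUE = "{MD5}ZviHb9U7k5r2YaTNG6QuTA=="
# Constructed samples: both encode MD5("password").
SAMPLE_B64 = "{MD5}X03MO1qnZdYdgyfeuILPmQ=="
SAMPLE_HEX = "{MD5}5f4dcc3b5aa765d61d8327deb882cf99"


def parse_md5_value(stored):
    """Return the 16 raw digest bytes of a '{MD5}...' value, or None."""
    if not stored.startswith("{MD5}"):
        return None
    body = stored[5:].strip()  # encode_base64() output ends in a newline
    if len(body) == 32:
        try:
            return bytes.fromhex(body)
        except ValueError:
            return None  # 32 base64 characters would be 24 bytes, not a digest
    try:
        digest = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    return digest if len(digest) == 16 else None


def check_md5_password(submitted, stored):
    """Compare MD5(submitted) with the stored digest in constant time."""
    digest = parse_md5_value(stored)
    if digest is None:
        return False
    candidate = hashlib.md5(submitted.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(check_md5_password("password", SAMPLE_B64))
    print(len(parse_md5_value(PAGE_VALUE)))
```

The value from the post parses to a well-formed 16-byte digest, which is a quick way to rule out a damaged directory entry before looking at the comparison itself.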


(RADIATOR) Authentication trouble

2000-02-15 Thread Frederic Gargula

Hi,


I have trouble on my radiator proxy servers. Sometimes, an
accept-request that should invoke an Access-Reject receives an
Access-Accept instead.

I have noticed that when a fake Access-Accept is received, it's the same
reply as one from a short time before. The two request/replies use the same
Identifier and Authenticator.
The two Access-Accept are exactly the same :


Let's see an example :

> Tue Feb 15 10:25:28 2000: DEBUG: Packet dump:
> *** Sending to 195.114.64.Y port 1645 
> Code:   Access-Request
> Identifier: 55
> Authentic:  <29><18>y<165>|<140>Azb<7>=++<250>U<136>
> Attributes:
> Proxy-Action = "AUTHENTICATE"
> NAS-Identifier = "xxx"
> NAS-IP-Address = 192.168.xxx.xxx
> User-Name = "[EMAIL PROTECTED]"
> CHAP-Password = ""
> Called-Station-Id = ""
> Acct-Session-Id = "3e8d38a91b76e32c6047"
> NAS-Port-Type = Async
> NAS-Port = 20109
> User-Id = "hdantin"
> CHAP-Challenge = ""
> User-Realm = "easynet.fr"
> Service-Type = Framed-User
> Tunnel-Type = L2F
> Tunnel-Medium-Type = IP
> Proxy-State = 0
> Vendor-Specific = "Siris"
> Tue Feb 15 10:25:28 2000: DEBUG: Packet dump:
> *** Received from 195.114.64.Y port 1645 
> Code:   Access-Accept
> Identifier: 55
> Authentic:  s<4>l1><194><177><146>{<136>*<143>'7<237><240>
> Attributes:
> Service-Type = Framed-User
> Ascend-Idle-Limit = 0
> Maximum-Time = 1
> Framed-IP-Netmask = 255.255.255.255
> Ascend-Metric = 2
> Framed-Routing = None
> Framed-Protocol = PPP
> Reply-Message = "EASYSTART"

Ok, a dialup user was accepted.

7 seconds later in the logfile, I found :

> *** Sending to 195.114.64.Y port 1645 
> Code:   Access-Request
> Identifier: 55
> Authentic:  ]}<185>~<210><230><26><12><163>s42<160><22><163>.
> Attributes:
> User-Name = "totocom-user"
> Service-Type = Without-Password
> NAS-IP-Address = 195.114.64.Z
> NAS-Port = 0
> Vendor-Specific = "Mail"
> 
> Tue Feb 15 10:25:35 2000: DEBUG: Packet dump:
> *** Received from 195.114.64.Y port 1645 
> Code:   Access-Accept
> Identifier: 55
> Authentic:  s<4>l1><194><177><146>{<136>*<143>'7<237><240>
> Attributes:
> Service-Type = Framed-User
> Ascend-Idle-Limit = 0
> Maximum-Time = 1
> Framed-IP-Netmask = 255.255.255.255
> Ascend-Metric = 2
> Framed-Routing = None
> Framed-Protocol = PPP
> Reply-Message = "EASYSTART"
>
> Tue Feb 15 10:25:35 2000: DEBUG: Received reply in AuthRADIUS for req 55 from 195.114.64.Y:1645
> Tue Feb 15 10:25:35 2000: WARNING: Bad authenticator received in reply to ID 55


And 195.114.64.Y never sent such an Access-Accept in reply. The user
"totocom-user" doesn't exist in the database on 195.114.64.Y (this
server uses a patched Livingston Radius, and the users database is a
flat file hierarchy and an old password file).

I'm sure that 195.114.64.Y didn't send an Access-Accept for
"totocom-user".
I'm now trying to use DupInterval, to refuse a second Access-Accept with
the same Identifier, but I don't know if this is really the solution.

Does anyone have any idea about my problem ?

Thanks a lot for help.

Regards,

-- 
Frederic GARGULA
Network & Systems Engineer
EASYNET France

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) without password authentication trouble

1999-12-03 Thread Frederic GARGULA

hi,

I want to be able to test that a user exists in an MSSQL 7 database, but
I don't want to check his password. 
In fact that authentication is made by a qmail mail server that wants to
know if a user exists or not (simply to know if the mailbox exists, to
deliver an incoming mail)


I have written a Handler :


RewriteUsername s/^([^@]+).*/$1/

DBSource dbi:ODBC:domain1
DBUsername username
DBAuth password
AuthSelect select * from T_LOGIN where LOGIN='%n' and LOGINTYPE=0
AuthColumnDef 0, User-Name, check
#   AuthColumnDef 1, Service-Type, reply





When I want to check if my handler works, I use a home-made program to
simulate an incoming mail :


Code:   Access-Request
Identifier: 200
Authentic:  !9<183><30>F<145><241>w<7>_BN4<200><160>Q
Attributes:
User-Name = "[EMAIL PROTECTED]"
Service-Type = Without-Password
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0

and Radiator says :

Fri Dec  3 19:03:42 1999: DEBUG: Handling request with Handler 'Realm=domain1.com,Service-Type=Without-Password'
Fri Dec  3 19:03:42 1999: DEBUG: Rewrote user name to toto11
Fri Dec  3 19:03:42 1999: DEBUG: Deleting session for [EMAIL PROTECTED], xxx.xxx.xxx.xxx, 0
Fri Dec  3 19:03:42 1999: DEBUG: Handling with Radius::AuthSQL
Fri Dec  3 19:03:43 1999: DEBUG: Handling with Radius::AuthSQL
Fri Dec  3 19:03:43 1999: DEBUG: Query is: select * from T_LOGIN where LOGIN='toto11' and LOGINTYPE=0

Fri Dec  3 19:03:43 1999: ERR: Bad attribute=value pair: toto11
Fri Dec  3 19:03:43 1999: ERR: Bad attribute=value pair: toto9
Fri Dec  3 19:03:43 1999: DEBUG: Radius::AuthSQL looks for match with toto11
Fri Dec  3 19:03:43 1999: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
Fri Dec  3 19:03:43 1999: DEBUG: Radius::AuthSQL REJECT: Bad Password
Fri Dec  3 19:03:43 1999: DEBUG: Query is: select * from T_LOGIN where LOGIN='DEFAULT' and LOGINTYPE=0

Fri Dec  3 19:03:43 1999: INFO: Access rejected for toto11: Bad Password
Fri Dec  3 19:03:43 1999: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx.xxx port 1993 
Code:   Access-Reject
Identifier: 200
Authentic:  !9<183><30>F<145><241>w<7>_BN4<200><160>Q
Attributes:
Reply-Message = "Request Denied"


I don't want to check the password, but I want to know if there is such a
user in the database...

Do you have any ideas ?


Thank you for help...


Best Regards,
-- 
Frederic GARGULA
Network & Systems Engineer
EASYNET France




Re: (RADIATOR) ODBC drivers for linux

1999-06-04 Thread Frederic GARGULA

Mike McCauley wrote:
> 
> Hi Kevin
> 
> On Jun 3,  4:41pm, Kevin Wormington wrote:
> > Subject: Re: (RADIATOR) ODBC drivers for linux
> > The only success that I have had is with DBI and DBD::FreeTDS which works
> > very well connection to MS SQL 6.5 and 7.0 and requires no other client
> > libraries.
> 
I have installed Openlink's multi-tier ODBC drivers and DBD::ODBC, which
works fine with MS SQL 7.

-- 
Frederic GARGULA
Network & Systems Engineer
EASYNET France
Tel.: +33 1 44 54 70 55
