[RADIATOR] "Bad password" error in logs

Christian Kratzer ck-lists at cksoft.de
Tue Aug 1 09:59:03 UTC 2017


Hi Arya,


On Tue, 1 Aug 2017, Arya, Manish Kumar wrote:

> # Infinera
> <AuthBy LDAP2>
>         NoDefault
>         Identifier      infi_user_auth
>         Host            xxxx
>         Port            xxxx
>         Timeout         60
>         AuthDN          xxxx
>         AuthPassword    xxxxx
>         BaseDN          xxxxxx
>         Scope           subtree
>         SearchFilter    (&(access-device-type=infinera)(raduser=%1))
>         UsernameAttr    raduser
>         PasswordAttr    radpass
>         ServerChecksPassword
>         AuthAttrDef     radpass,User-Password,check
>         AuthAttrDef     my-Infinera-User-Priv-SA,Infinera-User-Priv-SA,reply
>         AuthAttrDef     my-Infinera-User-Priv-NE,Infinera-User-Priv-NE,reply
>         AuthAttrDef     my-Infinera-User-Priv-NA,Infinera-User-Priv-NA,reply
>         AuthAttrDef     my-Infinera-User-Priv-PR,Infinera-User-Priv-PR,reply
>         AuthAttrDef     my-Infinera-User-Priv-TT,Infinera-User-Priv-TT,reply
>         AddToReplyIfNotExist    Service-Type=Login-User
> </AuthBy>


> Tue Aug  1 11:56:38 2017: DEBUG: Handling request with Handler '', Identifier ''
> Tue Aug  1 11:56:38 2017: DEBUG:  Deleting session for infiuser2, 10.91.142.96,
> Tue Aug  1 11:56:38 2017: DEBUG: Handling with Radius::AuthLDAP2: infi_user_auth
> Tue Aug  1 11:56:38 2017: INFO: Connecting to 10.91.118.24:389
> Tue Aug  1 11:56:38 2017: INFO: Attempting to bind to LDAP server 10.91.118.24:389
> Tue Aug  1 11:56:38 2017: DEBUG: LDAP got result for uid=infiuser2,ou=people,o=,ou=customers,dc=xxx,dc=net
> Tue Aug  1 11:56:38 2017: DEBUG: LDAP got radpass: abcd1234
> Tue Aug  1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-SA: SA-PRIVILEGED
> Tue Aug  1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-NE: NE-PRIVILEGED
> Tue Aug  1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-NA: NA-PRIVILEGED
> Tue Aug  1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-PR: PR-PRIVILEGED
> Tue Aug  1 11:56:38 2017: DEBUG: LDAP got my-Infinera-User-Priv-TT: TT-PRIVILEGED
> Tue Aug  1 11:56:38 2017: DEBUG: Radius::AuthLDAP2 looks for match with infiuser2 [infiuser2]
> Tue Aug  1 11:56:38 2017: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: infiuser2 [infiuser2]
> Tue Aug  1 11:56:38 2017: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
> Tue Aug  1 11:56:38 2017: INFO: Access rejected for infiuser2: Bad Password
> Tue Aug  1 11:56:38 2017: DEBUG: Packet dump:


You are using ServerChecksPassword in the above config, which means Radiator does not compare the password itself but tries to bind to the LDAP server with the user credentials.

In your case it is highly probable that the LDAP server does not allow "uid=infiuser2,ou=people,o=,ou=customers,dc=xxx,dc=net" to bind to your LDAP, which is what the above logs are trying to tell you.

Just remove the ServerChecksPassword from the AuthBy LDAP2 and it should work.

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
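
Added example, not part of the original message and not Radiator code: a Python triage helper that applies the explanation above to a config and debug log, reporting for each "Bad Password" reject whether the AuthBy LDAP2 clause verified the password by binding as the user (ServerChecksPassword) or by local comparison. The sample config and log are constructed, abridged from the lines quoted in this thread; the function names and mode labels are hypothetical.

```python
import re

# Constructed sample input, abridged from the config and log quoted in the thread.
CONFIG = """\
<AuthBy LDAP2>
        Identifier      infi_user_auth
        PasswordAttr    radpass
        ServerChecksPassword
</AuthBy>
"""
LOG = """\
Tue Aug  1 11:56:38 2017: DEBUG: Handling with Radius::AuthLDAP2: infi_user_auth
Tue Aug  1 11:56:38 2017: DEBUG: LDAP got result for uid=infiuser2,ou=people,o=,ou=customers,dc=xxx,dc=net
Tue Aug  1 11:56:38 2017: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: infiuser2 [infiuser2]
"""

def authby_flags(config):
    """Map each AuthBy LDAP2 Identifier to whether ServerChecksPassword is set."""
    flags = {}
    for body in re.findall(r"<AuthBy LDAP2>(.*?)</AuthBy>", config, re.S):
        words = [line.split() for line in body.splitlines() if line.strip()]
        ident = next((w[1] for w in words if w[0] == "Identifier" and len(w) > 1), "")
        flags[ident] = any(w[0] == "ServerChecksPassword" for w in words)
    return flags

def triage(config, log):
    """Return (user, identifier, mode, dn) for every Bad Password reject.

    mode is "server-bind" when the reject came from binding to LDAP as dn,
    "local-compare" when Radiator compared the password itself, and
    "no-entry" when no search result preceded the reject.
    """
    flags = authby_flags(config)
    ident = dn = None
    findings = []
    for line in log.splitlines():
        if m := re.search(r"Handling with Radius::AuthLDAP2: (\S+)", line):
            ident, dn = m.group(1), None  # new request: forget the previous DN
        elif m := re.search(r"LDAP got result for (.+)$", line):
            dn = m.group(1).strip()
        elif m := re.search(r"AuthLDAP2 REJECT: Bad Password: (\S+)", line):
            if dn is None:
                mode = "no-entry"
            else:
                mode = "server-bind" if flags.get(ident) else "local-compare"
            findings.append((m.group(1), ident, mode, dn))
    return findings

if __name__ == "__main__":
    for finding in triage(CONFIG, LOG):
        print(finding)
```

A "server-bind" finding means the next check is on the LDAP server: whether the reported DN is permitted to bind at all, and with which password.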

