[RADIATOR] UNS: Re: Issue with LDAP and SASL authentication
Dubravko Penezic
dpenezic at srce.hr
Wed Apr 8 07:18:31 UTC 2026
Hi Hugh,
configuration is as follows:
Trace 4
LogTraceId
LogMicroseconds
DbDir /etc/radiator
LogDir /var/log/radiator
LogFile %L/radiator-test.log
AuthPort 1812
AcctPort 1813
DictionaryFile /opt/radiator/radiator/dictionary
<Client 10.10.10.10>
    Secret PeroPero
    StatusServer off
</Client>
<Realm DEFAULT>
    RewriteUsername s/^(.+)(\.hs@)(mali\.hr)$/$1/i
    <AuthBy LDAP2>
        Host ldapi:///
        # Port
        Timeout 5
        FailureBackoffTime 60
        UseSASL
        SASLMechanism EXTERNAL
        BaseDN %0=%1,dc=mali,dc=hr
        Scope base
        UsernameAttr uid
        ServerChecksPassword
        UnbindAfterServerChecksPassword
        AuthenProto PAP
        AuthAttrDef hrEduPersonExpireDate,Connect-Info,reply
    </AuthBy>
</Realm>
Debug log output is:
00000000 Wed Apr 8 09:07:55 2026 569528: DEBUG: Radius::JSON backend is
Cpanel::JSON::XS version 4.39
00000000 Wed Apr 8 09:07:55 2026 569652: DEBUG: SCTP socket API
extensions not available
00000000 Wed Apr 8 09:07:55 2026 569705: DEBUG: Finished reading
configuration file '/etc/radiator/radiator-test.conf'
00000000 Wed Apr 8 09:07:55 2026 729564: DEBUG: Radius::JSON backend is
Cpanel::JSON::XS version 4.39
00000000 Wed Apr 8 09:07:55 2026 729669: DEBUG: SCTP socket API
extensions not available
00000000 Wed Apr 8 09:07:55 2026 729718: DEBUG: Finished reading
configuration file '/etc/radiator/radiator-test.conf'
00000000 Wed Apr 8 09:07:55 2026 729860: DEBUG: Reading RADIUS
dictionary file '/opt/radiator/radiator/dictionary'
00000000 Wed Apr 8 09:07:55 2026 797863: INFO: Using Net::SSLeay 1.94
with SSL/TLS library version 0x30500050 (OpenSSL 3.5.5 27 Jan 2026)
00000000 Wed Apr 8 09:07:55 2026 797949: DEBUG: SSL/TLS library and
Net::SSLeay support set_default_passwd_cb and related functions
00000000 Wed Apr 8 09:07:55 2026 798061: DEBUG: This system is IPv6
capable. IPv6 capability provided by: core
00000000 Wed Apr 8 09:07:55 2026 798171: WARNING: Startup check could
not load Radius::UtilXS or Digest::MD4. See Radiator reference manual
for DisabledRuntimeChecks parameter
00000000 Wed Apr 8 09:07:55 2026 798283: DEBUG: Creating authentication
socket 0.0.0.0 port 1812
00000000 Wed Apr 8 09:07:55 2026 798423: DEBUG: Creating accounting
socket 0.0.0.0 port 1813
00000000 Wed Apr 8 09:07:55 2026 798529: NOTICE: Server started:
Radiator 4.30 on pero.mali.hr
51c516c0 Wed Apr 8 09:08:22 2026 962489: DEBUG: Packet dump:
51c516c0 *** Received from 10.10.10.10 port 48750 ....
51c516c0 Code: Access-Request
51c516c0 Identifier: 135
51c516c0 Authentic:
[<131><191><178>[<28><17><151><135><235>|)<205>W<249><189>
51c516c0 Attributes:
51c516c0 Message-Authenticator =
<150><131><133>zb<237><131>+y<230><178><8>x<171><158>H
51c516c0 User-Name = "pero at mali.hr"
51c516c0 User-Password =
ji<155><5>)<194><206><143><152><176><223>(6<148><226><134>
51c516c0 Wed Apr 8 09:08:22 2026 962720: DEBUG: Handling request with
Handler 'Realm=DEFAULT', Identifier ''
51c516c0 Wed Apr 8 09:08:22 2026 964567: DEBUG: Rewrote user name to
pero at mali.hr
51c516c0 Wed Apr 8 09:08:22 2026 964699: DEBUG: SessINTERNAL: Deleting
session for pero at mali.hr, 161.53.2.218,
51c516c0 Wed Apr 8 09:08:22 2026 964785: DEBUG: Handling with
Radius::AuthLDAP2:
00000000 Wed Apr 8 09:08:22 2026 964943: INFO: AuthLDAP2 Connecting to
ldapi:/// port 389
00000000 Wed Apr 8 09:08:22 2026 965184: ERR: AuthLDAP2 Could not open
LDAP connection to ldapi:/// port 389. Backing off for 60 seconds.
51c516c0 Wed Apr 8 09:08:22 2026 965264: DEBUG: AuthBy LDAP2 result:
IGNORE, User database access error
51c516c0 Wed Apr 8 09:08:22 2026 965349: DEBUG: Access ignored for
pero at mali.hr: User database access error
7233ee90 Wed Apr 8 09:08:27 2026 967645: DEBUG: Packet dump:
7233ee90 *** Received from 10.10.10.10 port 48750 ....
7233ee90 Code: Access-Request
7233ee90 Identifier: 135
7233ee90 Authentic:
[<131><191><178>[<28><17><151><135><235>|)<205>W<249><189>
7233ee90 Attributes:
7233ee90 Message-Authenticator =
<150><131><133>zb<237><131>+y<230><178><8>x<171><158>H
7233ee90 User-Name = "pero at mali.hr"
7233ee90 User-Password =
ji<155><5>)<194><206><143><152><176><223>(6<148><226><134>
7233ee90 Wed Apr 8 09:08:27 2026 967957: INFO: Duplicate request id 135
received from 161.53.2.218(48750): ignored
ae817440 Wed Apr 8 09:08:32 2026 972748: DEBUG: Packet dump:
ae817440 *** Received from 10.10.10.10 port 48750 ....
ae817440 Code: Access-Request
ae817440 Identifier: 135
ae817440 Authentic:
[<131><191><178>[<28><17><151><135><235>|)<205>W<249><189>
ae817440 Attributes:
ae817440 Message-Authenticator =
<150><131><133>zb<237><131>+y<230><178><8>x<171><158>H
ae817440 User-Name = "pero at mali.hr"
ae817440 User-Password =
ji<155><5>)<194><206><143><152><176><223>(6<148><226><134>
I did a small redaction on the conf and log, but only on IP address and
username parts.
From my point of view, RADIATOR code isn't able to connect to the local LDAP
service using SASL, no matter what the request contains. But I may be wrong.
Regards,
Dubravko
On 4/8/26 7:37 AM, Dubravko Penezic via radiator wrote:
> Hi Hugh,
>
> indirectly you gave very good advice :) ... try with a clean configuration.
>
> I have a relatively complex configuration across multiple files and some
> Perl code, so it is somewhat hard to do a proper redaction. However, it is
> very easy for me to create a simple clean example for testing.
>
> I will do that today and send findings and configuration.
>
> Regards,
> Dubravko
>
> On 4/8/26 2:01 AM, Hugh Irvine wrote:
>>
>> Hello Dubravko -
>>
>> Could you please send us a redacted copy of the configuration file?
>>
>> I've not seen a connection string like the one you show below?
>>
>> thanks
>>
>> Hugh
>>
>>
>> On 7/4/2026 23:48, Dubravko Penezic via radiator wrote:
>>> Hi,
>>>
>>> a few days ago we changed from Debian 12 to Debian 13, and a working
>>> configuration of RADIATOR 4.30-1 stopped working on the part that
>>> connects to the LDAP (OpenLDAP) service on the same server.
>>>
>>> The error is as follows:
>>>
>>> 00b6e9f0 Tue Apr 7 15:38:58 2026 533634: DEBUG: Handling with
>>> Radius::AuthLDAP2:
>>> 00000000 Tue Apr 7 15:38:58 2026 533789: INFO: AuthLDAP2 Connecting
>>> to ldapi:/// port 389
>>> 00000000 Tue Apr 7 15:38:58 2026 534044: ERR: AuthLDAP2 Could not
>>> open LDAP connection to ldapi:/// port 389. Backing off for 60 seconds.
>>>
>>> I did check the slapd configuration and checked ldapi:/// EXTERNAL
>>> authentication from the command line, and when impersonating the
>>> radiator user everything works correctly; "only" RADIATOR is not able
>>> to connect.
>>>
>>> Any ideas? Or debugging options?
>>>
>>> Regards,
>>>
>>> Dubravko Penezic
>>>
>>> Srce
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at lists.open.com.au
>>> https://lists.open.com.au/mailman/listinfo/radiator
>>
>
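
One way to narrow down the failure described in this thread, as an added example that is not part of the original messages and is not Radiator code: a stand-alone Perl check that performs the same ldapi:// connection and SASL EXTERNAL bind through the perl-ldap stack (Net::LDAP, Authen::SASL), which this example assumes is the LDAP client library in use. The socket path /run/slapd/ldapi is an assumption (Debian's packaged slapd default) and can be overridden on the command line.

```perl
#!/usr/bin/perl
# Added diagnostic example, not Radiator code. Run it as the same Unix
# user the RADIUS server runs as: SASL EXTERNAL over ldapi maps the peer
# credentials of the Unix socket to an LDAP identity.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;
use Authen::SASL;
use URI::Escape qw(uri_escape);

# Assumption: slapd's socket path on this host; pass another as argv[0].
my $socket = shift // '/run/slapd/ldapi';

# Step 1: is the socket present and usable by this user?
die "$socket does not exist\n"       unless -e $socket;
die "$socket is not a Unix socket\n" unless -S $socket;
die "$socket is not writable by uid " . $> . "\n" unless -w $socket;

# Step 2: open the connection. The socket path is percent-encoded into
# the host part of the URL, so the result does not depend on any
# default path chosen by the client library.
my $url  = 'ldapi://' . uri_escape($socket);
my $ldap = Net::LDAP->new($url, timeout => 5)
    or die "connect to $url failed: $@\n";

# Step 3: SASL EXTERNAL bind with an empty authorization identity.
my $sasl = Authen::SASL->new(
    mechanism => 'EXTERNAL',
    callback  => { user => '' },
);
my $bind = $ldap->bind(sasl => $sasl);
die 'SASL EXTERNAL bind failed: ' . $bind->error . "\n" if $bind->code;

# Step 4: ask the server which identity the socket credentials mapped to.
my $who = $ldap->who_am_i;
die 'whoami failed: ' . $who->error . "\n" if $who->code;
print "connected via $url, bound as: ", ($who->response // ''), "\n";

$ldap->unbind;
```

Each step fails with a distinct message, which separates a missing or unreadable socket, a failed connect, and a rejected EXTERNAL bind from a problem inside the RADIUS server's own configuration handling.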