[RADIATOR] UNS: Re: Issue with LDAP and SASL authentication

Hugh Irvine hugh at radiatorsoftware.com
Thu Apr 9 01:45:28 UTC 2026


Hello Dubravko -

It must be your Host declaration that is causing the problem - I haven't 
seen this before "ldapi:///"

Have you tried with just the IP address?

Otherwise you could try escaping the special characters:

     Host ldapi\:\/\/\/

You could also use Radiator GlobalVars instead.

Please let us know your results.

regards

Hugh


On 8/4/2026 17:18, Dubravko Penezic wrote:
> Hi Hugh,
>
> configuration is as follows:
>
>
> Trace 4
>
> LogTraceId
> LogMicroseconds
>
> DbDir   /etc/radiator
> LogDir  /var/log/radiator
> LogFile %L/radiator-test.log
>
> AuthPort 1812
> AcctPort 1813
>
> DictionaryFile /opt/radiator/radiator/dictionary
>
> <Client 10.10.10.10>
>   Secret PeroPero
>   StatusServer off
> </Client>
>
> <Realm DEFAULT>
>
>   RewriteUsername s/^(.+)(\.hs@)(mali\.hr)$/$1/i
>
>   <AuthBy LDAP2>
>
>     Host ldapi:///
>
> #    Port
>
>     Timeout 5
>     FailureBackoffTime 60
>
>     UseSASL
>
>     SASLMechanism EXTERNAL
>
>     BaseDN %0=%1,dc=mali,dc=hr
>
>     Scope base
>
>     UsernameAttr uid
>
>     ServerChecksPassword
>     UnbindAfterServerChecksPassword
>
>     AuthenProto PAP
>
>     AuthAttrDef hrEduPersonExpireDate,Connect-Info,reply
>
>   </AuthBy>
>
> </Realm>
>
>
> Debug log output is :
>
> 00000000 Wed Apr  8 09:07:55 2026 569528: DEBUG: Radius::JSON backend 
> is Cpanel::JSON::XS version 4.39
> 00000000 Wed Apr  8 09:07:55 2026 569652: DEBUG: SCTP socket API 
> extensions not available
> 00000000 Wed Apr  8 09:07:55 2026 569705: DEBUG: Finished reading 
> configuration file '/etc/radiator/radiator-test.conf'
> 00000000 Wed Apr  8 09:07:55 2026 729564: DEBUG: Radius::JSON backend 
> is Cpanel::JSON::XS version 4.39
> 00000000 Wed Apr  8 09:07:55 2026 729669: DEBUG: SCTP socket API 
> extensions not available
> 00000000 Wed Apr  8 09:07:55 2026 729718: DEBUG: Finished reading 
> configuration file '/etc/radiator/radiator-test.conf'
> 00000000 Wed Apr  8 09:07:55 2026 729860: DEBUG: Reading RADIUS 
> dictionary file '/opt/radiator/radiator/dictionary'
> 00000000 Wed Apr  8 09:07:55 2026 797863: INFO: Using Net::SSLeay 1.94 
> with SSL/TLS library version 0x30500050 (OpenSSL 3.5.5 27 Jan 2026)
> 00000000 Wed Apr  8 09:07:55 2026 797949: DEBUG: SSL/TLS library and 
> Net::SSLeay support set_default_passwd_cb and related functions
> 00000000 Wed Apr  8 09:07:55 2026 798061: DEBUG: This system is IPv6 
> capable. IPv6 capability provided by: core
> 00000000 Wed Apr  8 09:07:55 2026 798171: WARNING: Startup check could 
> not load Radius::UtilXS or Digest::MD4. See Radiator reference manual 
> for DisabledRuntimeChecks parameter
> 00000000 Wed Apr  8 09:07:55 2026 798283: DEBUG: Creating 
> authentication socket 0.0.0.0 port 1812
> 00000000 Wed Apr  8 09:07:55 2026 798423: DEBUG: Creating accounting 
> socket 0.0.0.0 port 1813
> 00000000 Wed Apr  8 09:07:55 2026 798529: NOTICE: Server started: 
> Radiator 4.30 on pero.mali.hr
> 51c516c0 Wed Apr  8 09:08:22 2026 962489: DEBUG: Packet dump:
> 51c516c0 *** Received from 10.10.10.10 port 48750 ....
> 51c516c0 Code:       Access-Request
> 51c516c0 Identifier: 135
> 51c516c0 Authentic: 
> [<131><191><178>[<28><17><151><135><235>|)<205>W<249><189>
> 51c516c0 Attributes:
> 51c516c0     Message-Authenticator = 
> <150><131><133>zb<237><131>+y<230><178><8>x<171><158>H
> 51c516c0     User-Name = "pero at mali.hr"
> 51c516c0     User-Password = 
> ji<155><5>)<194><206><143><152><176><223>(6<148><226><134>
>
> 51c516c0 Wed Apr  8 09:08:22 2026 962720: DEBUG: Handling request with 
> Handler 'Realm=DEFAULT', Identifier ''
> 51c516c0 Wed Apr  8 09:08:22 2026 964567: DEBUG: Rewrote user name to 
> pero at mali.hr
> 51c516c0 Wed Apr  8 09:08:22 2026 964699: DEBUG: SessINTERNAL: 
> Deleting session for pero at mali.hr, 161.53.2.218,
> 51c516c0 Wed Apr  8 09:08:22 2026 964785: DEBUG: Handling with 
> Radius::AuthLDAP2:
> 00000000 Wed Apr  8 09:08:22 2026 964943: INFO: AuthLDAP2 Connecting 
> to ldapi:/// port 389
> 00000000 Wed Apr  8 09:08:22 2026 965184: ERR: AuthLDAP2 Could not 
> open LDAP connection to ldapi:/// port 389. Backing off for 60 seconds.
> 51c516c0 Wed Apr  8 09:08:22 2026 965264: DEBUG: AuthBy LDAP2 result: 
> IGNORE, User database access error
> 51c516c0 Wed Apr  8 09:08:22 2026 965349: DEBUG: Access ignored for 
> pero at mali.hr: User database access error
> 7233ee90 Wed Apr  8 09:08:27 2026 967645: DEBUG: Packet dump:
> 7233ee90 *** Received from 10.10.10.10 port 48750 ....
> 7233ee90 Code:       Access-Request
> 7233ee90 Identifier: 135
> 7233ee90 Authentic: 
> [<131><191><178>[<28><17><151><135><235>|)<205>W<249><189>
> 7233ee90 Attributes:
> 7233ee90     Message-Authenticator = 
> <150><131><133>zb<237><131>+y<230><178><8>x<171><158>H
> 7233ee90     User-Name = "pero at mali.hr"
> 7233ee90     User-Password = 
> ji<155><5>)<194><206><143><152><176><223>(6<148><226><134>
>
> 7233ee90 Wed Apr  8 09:08:27 2026 967957: INFO: Duplicate request id 
> 135 received from 161.53.2.218(48750): ignored
> ae817440 Wed Apr  8 09:08:32 2026 972748: DEBUG: Packet dump:
> ae817440 *** Received from 10.10.10.10 port 48750 ....
> ae817440 Code:       Access-Request
> ae817440 Identifier: 135
> ae817440 Authentic: 
> [<131><191><178>[<28><17><151><135><235>|)<205>W<249><189>
> ae817440 Attributes:
> ae817440     Message-Authenticator = 
> <150><131><133>zb<237><131>+y<230><178><8>x<171><158>H
> ae817440     User-Name = "pero at mali.hr"
> ae817440     User-Password = 
> ji<155><5>)<194><206><143><152><176><223>(6<148><226><134>
>
> I did a small redaction of the conf and log, but only of IP address and
> username parts.
>
> From my point of view, RADIATOR code isn't able to connect to the local
> LDAP service using SASL, doesn't matter what the request contains. But I
> may be wrong.
>
> Regards,
> Dubravko
>
>
> On 4/8/26 7:37 AM, Dubravko Penezic via radiator wrote:
>> Hi Hugh,
>>
>> indirectly you give very good advice :) ... try with a clean
>> configuration.
>>
>> I have a relatively complex configuration across multiple files and
>> some Perl code, so it is somewhat hard to do a proper redaction. However
>> it is very easy for me to create a simple clean example for test.
>>
>> I will do that today and send findings and configuration.
>>
>> Regards,
>> Dubravko
>>
>> On 4/8/26 2:01 AM, Hugh Irvine wrote:
>>>
>>> Hello Dubravko -
>>>
>>> Could you please send us a redacted copy of the configuration file?
>>>
>>> I've not seen a connection string like the one you show below?
>>>
>>> thanks
>>>
>>> Hugh
>>>
>>>
>>> On 7/4/2026 23:48, Dubravko Penezic via radiator wrote:
>>>> Hi,
>>>>
>>>> A few days ago we changed from Debian 12 to Debian 13, and a working
>>>> configuration of RADIATOR 4.30-1 stopped working in the part that
>>>> connects to the LDAP (OpenLDAP) service on the same server.
>>>>
>>>> The error is as follows:
>>>>
>>>> 00b6e9f0 Tue Apr  7 15:38:58 2026 533634: DEBUG: Handling with 
>>>> Radius::AuthLDAP2:
>>>> 00000000 Tue Apr  7 15:38:58 2026 533789: INFO: AuthLDAP2 
>>>> Connecting to ldapi:/// port 389
>>>> 00000000 Tue Apr  7 15:38:58 2026 534044: ERR: AuthLDAP2 Could not 
>>>> open LDAP connection to ldapi:/// port 389. Backing off for 60 
>>>> seconds.
>>>>
>>>> I did check the slapd configuration and checked ldapi:/// EXTERNAL
>>>> authentication from the command line, and impersonating the radiator
>>>> user everything works correctly; "only" RADIATOR is not able to
>>>> connect.
>>>>
>>>> Any idea? Or debugging options?
>>>>
>>>> Regards,
>>>>
>>>> Dubravko Penezic
>>>>
>>>> Srce
>>>>
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at lists.open.com.au
>>>> https://lists.open.com.au/mailman/listinfo/radiator
>>>
>>
>
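
One way to isolate the failure outside Radiator, as an added example that is not part of the original thread and is not Radiator's own code: a stand-alone Perl script that connects over ldapi and binds with SASL EXTERNAL using Net::LDAP and Authen::SASL. That AuthBy LDAP2 relies on these same Perl modules is an assumption here, as are the default socket path /var/run/slapd/ldapi and the search base; pass your own as arguments.

```perl
#!/usr/bin/perl
# Added diagnostic (not Radiator code): Net::LDAP over ldapi:// with
# SASL EXTERNAL, run outside Radiator as the account Radiator runs under.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;   # adds $ldap->who_am_i
use Authen::SASL;

# Assumptions: socket path and search base come from the command line;
# the defaults are the usual Debian slapd socket and the base DN suffix
# shown in the posted configuration.
my $sock = shift // '/var/run/slapd/ldapi';
my $base = shift // 'dc=mali,dc=hr';

# 1. Filesystem view: does this uid see a socket it can read and write?
printf "uid=%d euid=%d socket=%s\n", $<, $>, $sock;
-S $sock               or die "FAIL stat: not a Unix socket or not visible\n";
(-r $sock && -w $sock) or die "FAIL perms: no read/write access for this uid\n";

# 2. Connect. The socket path goes percent-encoded into the host part of
#    the URI, so the result does not depend on any library default path.
(my $enc = $sock) =~ s{([^A-Za-z0-9._-])}{sprintf '%%%02X', ord $1}ge;
my $uri  = "ldapi://$enc";
my $ldap = Net::LDAP->new($uri, timeout => 5)
    or die "FAIL connect $uri: $@\n";
print "OK connect $uri\n";

# 3. SASL EXTERNAL bind: slapd derives the identity from the peer uid/gid.
my $sasl = Authen::SASL->new(mechanism => 'EXTERNAL',
                             callback  => { user => '' });
my $bind = $ldap->bind(sasl => $sasl);
$bind->code
    and die sprintf "FAIL bind: %s (%s)\n", $bind->error, $bind->error_name;

# 4. Which identity did slapd map this process to?
my $who = $ldap->who_am_i;
printf "OK bind, authzid=%s\n",
       $who->code ? $who->error : ($who->response // '');

# 5. One base-scope read shows whether that identity may read the tree.
my $res = $ldap->search(base => $base, scope => 'base',
                        filter => '(objectClass=*)', attrs => ['1.1']);
printf "search %s: %s, %d entries\n", $base, $res->error_name, $res->count;
$ldap->unbind;
```

Run it under the same account as Radiator; the first FAIL line tells you whether the problem sits at the socket, the connect, or the SASL bind, which narrows down whether the Host value or the Perl LDAP stack is at fault.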

