(RADIATOR) LDAP questions

Ben Carter bencarter at businessserve.co.uk
Sat Dec 22 17:48:49 CST 2001


Hi all,

I was wondering if anyone could help me out with the following:

1) I have "HoldServerConnection" in my <AuthBy LDAP2> clauses but radiator
still seems to re-connect each time to LDAP. The LDAP server I am using is
iplanets (formerly Netscape) and handles multiple searches in a single
connection with no problem.

2) We have a bunch of dialup ports with another provider to give us
unmetered connections for customers of that telco. Most of these users need
to be authenticated using only their Calling-Station-ID (i.e. they DO NOT
have a username and password). We also have a few people who have a username
and password as a way of bypassing the Calling-Station-ID check. My problem
is Radiator expects passwordattr to be defined and insists on checking the
username and password with those in ldap and if they don't match it rejects
them. Obviously in an environment where we are using the calling-station-id
to authenticate the user this is always going to fail as they don't supply a
username and password!! We have got around this problem in a very dirty way
by using a PostSearchHook to fool radiator into thinking this is an EAP
request (my config file is below). Is there a better way to do this or can
the mandatory checking of username and password be removed from radiator?
(you also get an LDAP error every time the user has no password and it can't
find the passwordattr in LDAP) 

Also, from the config file below, it shows that we check to see if the
username and password (the override Calling-Station-ID users) are valid
BEFORE we check Calling-Station-ID. As our customers are split approx 98%
calling-station-id authenticated versus 2% user/pass authenticated, this is
very inefficient, resulting in 2 LDAP queries for 98% of users; if we could
have it the other way around it would be only 1 search for the 98% and 2
searches for the 2%.

Sorry for the LONG email, but any help is appreciated.

Best Regards, Merry Christmas and a Happy New Year,

Ben.

BTW the default directories on Solaris are /usr/local.... (i.e.
/usr/local/bin/perl) - everything in radiator defaults to /usr/bin - maybe
something for the Makefile.pl to check?

----------radius.cfg---------------
#Foreground
#LogStdout
LogDir          /var/radius/log
DbDir           /var/radius/db
Trace           4
<Client <removed>>
        Secret <removed>
        Identifier BT-FRIACO-Radius
</Client>

<Client <removed>>
        Secret <removed>
        Identifier BT-FRIACO-Radius
</Client>

<Client <removed>>
        Secret <removed>
        Identifier CVX1
</Client>

<Client localhost>
        Secret <removed>
        DupInterval 0
        Identifier BT-FRIACO-Radius
</Client>

<Client DEFAULT>
        Secret <removed>
        Identifier BT-FRIACO-Radius
        DupInterval 0
</Client>

<SessionDatabase DBM>
</SessionDatabase>

<Handler Client-Identifier = BT-FRIACO-Radius>

<AuthBy GROUP>
        AuthByPolicy ContinueUntilAccept

        <AuthBy LDAP2>
#                Debug           255
                NoDefault
                HoldServerConnection
                Host            10.7.9.13
                AuthDN          cn=directory manager
                AuthPassword    <removed>
                BaseDN          ou=customers, ou=people, dc=bsve.net, o=internet
                AuthAttrDef     FRIACO-todr, Time, check
                UsernameAttr    friacousername
                PasswordAttr    friacopassword
                SearchFilter    (&(%0=%1)(objectClass=FRIACOuser)(!(suspended=yes)))
                AddToReply Service-Type = Framed-User, \
                        Framed-Protocol = PPP, \
                        Framed-IP-Address = 255.255.255.254, \
                        Framed-IP-Netmask = 255.255.255.255, \
                        Framed-Routing = None, \
                        Framed-Compression = Van-Jacobsen-TCP-IP, \
                        Framed-MTU = 1500, \
                        Session-Timeout = "until Time"
        </AuthBy>

        <AuthBy LDAP2>
#               Debug           255
                NoDefault
                HoldServerConnection
                Host            10.7.9.13
                AuthDN          cn=directory manager
                AuthPassword    <removed>
                BaseDN          ou=customers, ou=people, dc=bsve.net, o=internet
                #UsernameAttr    uid
                PasswordAttr    friacopassword
                AuthAttrDef     FRIACO-todr, Time, check
                SearchFilter    (&(objectclass=friacouser)(csid=0%{Calling-Station-Id})(!(suspended=yes)))
                PostSearchHook  sub { $_[2]->addAttrByNum($Radius::Radius::EAP_MESSAGE,1); }
                AddToReply Service-Type = Framed-User, \
                        Framed-Protocol = PPP, \
                        Framed-IP-Address = 255.255.255.254, \
                        Framed-IP-Netmask = 255.255.255.255, \
                        Framed-Routing = None, \
                        Framed-Compression = Van-Jacobsen-TCP-IP, \
                        Framed-MTU = 1500, \
                        Session-Timeout = "until Time"
        </AuthBy>
</AuthBy>
PostAuthHook sub { (${$_[1]}->get_attr('Session-Timeout') > 7200) && ${$_[1]}->change_attr('Session-Timeout',7200); }
AcctLogFileName ./acct-detail
</Handler>
-END------radius.cfg-----------END-
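The second <AuthBy LDAP2> clause above interpolates the Calling-Station-Id straight into the LDAP SearchFilter. As an added example (not from the post and not Radiator code), here is how a defender would build that same filter with RFC 4515 escaping and a plausibility check on the number, so a stray wildcard or parenthesis in a caller ID cannot change the filter's structure; the function names and the digits-only rule are assumptions for this illustration.

```python
import re
from typing import Optional

# RFC 4515: these characters must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_plausible_csid(calling_station_id: str) -> bool:
    """Sanity check before querying the directory: a dial-up calling number
    here is assumed to be 6 to 20 digits with no separators (assumption)."""
    return re.fullmatch(r"\d{6,20}", calling_station_id) is not None


def csid_filter(calling_station_id: Optional[str]) -> Optional[str]:
    """Build the CSID lookup filter from the post's config, escaped.

    Returns None when the request carries no Calling-Station-Id or the value
    fails the plausibility check, so the caller can skip the LDAP query
    instead of searching with an attacker-shaped value."""
    if not calling_station_id or not is_plausible_csid(calling_station_id):
        return None
    csid = escape_filter_value(calling_station_id)
    return f"(&(objectclass=friacouser)(csid=0{csid})(!(suspended=yes)))"


if __name__ == "__main__":
    # Constructed sample values: a normal caller ID and a wildcard.
    print(csid_filter("1234567890"))
    print(csid_filter("*"))  # rejected by the plausibility check
    print(escape_filter_value("0*"))  # "0\2a": wildcard neutralised
```

Without the escaping, a value of "*" would turn the clause into (csid=0*) and match every subscriber whose stored csid starts with 0.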