(RADIATOR) Help with LDAP auth

Elias akelias at tm.net.my
Tue Sep 18 22:04:03 CDT 2001


Hi Hugh,

I'm experimenting with LDAP for authentication and seem to be stuck. I'm totally new to LDAP and hence am not sure if the problem's with LDAP or my Radiator config. The authentication seems to work if I supply the additional parameter ServerChecksPassword. If I omit this, Radiator will return a "No such user" message all the time. I've included a sample of my config and also the usual trace 4 output. BTW, I don't know if this is important or not, but the password is stored as either userpassword: {SHA}xxxxxxxx or userpassword: {crypt}xxxxxxxxx. The password format differs depending on when the user was created. Thanks!



------------------ ldap config ---------------------

<Handler Realm=ldap>
        RejectHasReason
        RewriteUsername s/^([^@]+).*/$1/

        <AuthBy LDAP2>
                Host            ldaptest
                BaseDN          %0=%1,ou=People,o=tm.net.my,o=isp

                # This is the attribute to match the radius user name
                UsernameAttr    uid
                PasswordAttr    userpassword
                #ServerChecksPassword

                AddToReply Framed-Protocol = PPP,\
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-MTU = 1500,\
                        Framed-Compression = Van-Jacobson-TCP-IP
        </AuthBy>
</Handler>

---------------- trace 4 output (without the ServerChecksPassword option) ----------------
Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 60377 ....
Code:       Access-Request
Identifier: 206
Authentic:  1234567890123456
Attributes:
        User-Name = "anuar@ldap"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"

Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=sql should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=ldap should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:28:57 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:28:57 2001: DEBUG:  Deleting session for anuar@ldap, 203.63.154.1, 1234
Wed Sep 19 10:28:57 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:28:57 2001: DEBUG: No entries for anuar found in LDAP database
Wed Sep 19 10:28:57 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:28:57 2001: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
Wed Sep 19 10:28:57 2001: INFO: Access rejected for anuar: No such user
Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60377 ....
Code:       Access-Reject
Identifier: 206
Authentic:  1234567890123456
Attributes:
        Reply-Message = "No such user"


-------------------- trace 4 output (with the ServerChecksPassword option) ---------------------

Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 60398 ....
Code:       Access-Request
Identifier: 141
Authentic:  1234567890123456
Attributes:
        User-Name = "anuar@ldap"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"

Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=sql should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=ldap should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:32:06 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:32:06 2001: DEBUG:  Deleting session for anuar@ldap, 203.63.154.1, 1234
Wed Sep 19 10:32:06 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Sep 19 10:32:06 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:32:06 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got result for uid=anuar,ou=People, o=tm.net.my, o=isp
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailhost: tm.net.my
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got maildeliveryoption: mailbox
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mail: anuar@tm.net.my
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got objectclass: top person organizationalPerson inetorgperson inetUsere
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got inetuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got cn: anuar anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got uid: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got datasource: iPlanet Messaging Server 5.0 Admin Console
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got givenname: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got sn: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got creatorsname: uid=admin,ou=Administrators,ou=TopologyManagement,o=Nt
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifiersname: uid=admin,ou=Administrators,ou=TopologyManagement,o=t
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got createtimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifytimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 ACCEPT: 
Wed Sep 19 10:32:06 2001: DEBUG: Access accepted for anuar
Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60398 ....
Code:       Access-Accept
Identifier: 141
Authentic:  1234567890123456
Attributes:
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP


- Elias -
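Added illustration (not the poster's configuration and not Radiator's own code): with ServerChecksPassword commented out, the RADIUS side has to read the userpassword attribute and understand its {scheme} prefix itself, so the stored format the poster mentions does matter; with ServerChecksPassword on, the directory verifies the password during the bind and the hash never has to be readable by the RADIUS server at all. The sample entries and the SSHA helper are constructed for this example, and the Python crypt module may be absent on newer interpreters, which the checker reports as an unverifiable scheme (a reject) rather than a match.

```python
import base64
import hashlib
import hmac
try:
    import crypt  # deprecated in 3.11, removed in 3.13: without it {crypt} is unverifiable here
except ImportError:
    crypt = None

def make_ssha(password: str, salt: bytes) -> str:
    """Build an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_userpassword(stored: str, candidate: str):
    """True/False for a scheme we can check; None when we cannot (caller must reject)."""
    if not stored.startswith("{") or "}" not in stored:
        return None  # cleartext or malformed: never fall through to a plain compare
    scheme, _, data = stored[1:].partition("}")
    scheme = scheme.upper()  # the post shows both {SHA} and {crypt}
    if scheme == "SHA":
        want = base64.b64decode(data)
        return hmac.compare_digest(hashlib.sha1(candidate.encode()).digest(), want)
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    if scheme == "CRYPT":
        if crypt is None:
            return None
        got = crypt.crypt(candidate, data)  # the stored value doubles as the salt
        return got is not None and hmac.compare_digest(got, data)
    return None  # {MD5}, {SSHA512}, ...: not handled by this checker

def radius_decision(entry: dict, candidate: str) -> str:
    """Model the ServerChecksPassword-off path: the RADIUS side checks the hash itself."""
    stored = entry.get("userpassword")
    if stored is None:
        return "REJECT: no readable password attribute"
    result = verify_userpassword(stored, candidate)
    if result is None:
        return "REJECT: unsupported password scheme"
    return "ACCEPT" if result else "REJECT: bad password"

# Constructed sample entries (not the poster's directory); the plaintext behind both is "secret".
SAMPLE_ENTRIES = {
    "anuar": {"uid": "anuar", "userpassword": "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="},
    "ssha_user": {"uid": "ssha_user", "userpassword": make_ssha("secret", b"s4lt")},
}
```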