(RADIATOR) Help with LDAP auth

Ingvar Berg (ERA) Ingvar.Berg at era.ericsson.se
Wed Sep 19 01:25:48 CDT 2001


Hello Elias,
 
You probably need to supply some LDAP admin credentials for the bind, because Radiator asks for the userpassword.
 
IMHO, you're better off having the LDAP server check the password, because writing the admin name and pw in your radius cfg file is both a security problem and an update problem (when you change the admin pw). OTOH, user pw will be in clear over the LDAP connection...
 
/Ingvar

-----Original Message-----
From: Elias [mailto:akelias at tm.net.my]
Sent: den 19 september 2001 05:04
To: radiator at open.com.au
Subject: (RADIATOR) Help with LDAP auth


Hi Hugh,
 
I'm experimenting with LDAP for authentication and seem to be stuck. I'm totally new to LDAP and hence am not sure if the problem's with LDAP or my Radiator config. The authentication seems to work if I supply the additional parameter ServerChecksPassword. If I omit this, Radiator will return a "No such user" message all the time. I've included a sample of my config and also the usual trace 4 output. BTW, I don't know if this is important or not, but the password is stored as either userpassword: {SHA}xxxxxxxx or userpassword: {crypt}xxxxxxxxx. The password differs depending on when the user was created. Thanks!
 
 
 
------------------ ldap config ---------------------
 
<Handler Realm=ldap>
        RejectHasReason
        RewriteUsername s/^([^@]+).*/$1/
 
         <AuthBy LDAP2>
                Host            ldaptest
                BaseDN       %0=%1,ou=People,o=tm.net.my,o=isp
                
                # This is the attribute to match the radius user name
                UsernameAttr    uid
                PasswordAttr    userpassword
                #ServerChecksPassword
 
                AddToReply Framed-Protocol = PPP,\
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-MTU = 1500,\
                        Framed-Compression = Van-Jacobson-TCP-IP
        </AuthBy>
</Handler>

---------------- trace 4 output (without the ServerChecksPassword option) ----------------
Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 60377 ....
Code:       Access-Request
Identifier: 206
Authentic:  1234567890123456
Attributes:
        User-Name = "anuar at ldap"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
 
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=sql should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=ldap should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:28:57 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:28:57 2001: DEBUG:  Deleting session for anuar at ldap, 203.63.154.1, 1234
Wed Sep 19 10:28:57 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:28:57 2001: DEBUG: No entries for anuar found in LDAP database
Wed Sep 19 10:28:57 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:28:57 2001: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
Wed Sep 19 10:28:57 2001: INFO: Access rejected for anuar: No such user
Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60377 ....
Code:       Access-Reject
Identifier: 206
Authentic:  1234567890123456
Attributes:
        Reply-Message = "No such user"

 
-------------------- trace 4 output (with the ServerChecksPassword option) ---------------------
 
Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 60398 ....
Code:       Access-Request
Identifier: 141
Authentic:  1234567890123456
Attributes:
        User-Name = "anuar at ldap"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"
 
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=sql should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=ldap should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:32:06 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:32:06 2001: DEBUG:  Deleting session for anuar at ldap, 203.63.154.1, 1234
Wed Sep 19 10:32:06 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Sep 19 10:32:06 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:32:06 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got result for uid=anuar,ou=People, o=tm.net.my, o=isp
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailhost: tm.net.my
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got maildeliveryoption: mailbox
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mail: anuar at tm.net.my
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got objectclass: top person organizationalPerson inetorgperson inetUsere
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got inetuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got cn: anuar anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got uid: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got datasource: iPlanet Messaging Server 5.0 Admin Console
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got givenname: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got sn: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got creatorsname: uid=admin,ou=Administrators,ou=TopologyManagement,o=Nt
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifiersname: uid=admin,ou=Administrators,ou=TopologyManagement,o=t
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got createtimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifytimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 ACCEPT: 
Wed Sep 19 10:32:06 2001: DEBUG: Access accepted for anuar
Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60398 ....
Code:       Access-Accept
Identifier: 141
Authentic:  1234567890123456
Attributes:
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP

 
- Elias -
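The two authentication flows Ingvar contrasts, as an added example that is not part of the thread and not Radiator's own code: flow 1 binds with admin credentials kept in the RADIUS config, reads the userPassword attribute and verifies it locally (which is why Radiator has to understand the {SHA} and {crypt} values Elias found in his entries); flow 2 (ServerChecksPassword) binds as the user with the password from the Access-Request, so the directory does the check. A small in-memory stand-in replaces the LDAP server so the script runs offline. Every DN, password and attribute is constructed for the example; the ACL that hides userPassword from anything but the admin bind is an assumption used to illustrate one way an admin-less lookup ends in "No such user", not a claim about Elias's server. The verifier also handles {SSHA}, which the thread does not mention but which uses the same RFC 2307 scheme-prefix convention.

```python
"""Two ways a RADIUS server can verify a user against an LDAP directory.

Added example, not Radiator code.  An in-memory stand-in for the LDAP
server makes it runnable offline; every DN, password and attribute below
is constructed for the example.
"""
import base64
import hashlib
import hmac
import os
import warnings

try:
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt  # traditional {crypt} scheme; module removed in Python 3.13
except ImportError:
    crypt = None

BASE_DN = "ou=People,o=example"              # constructed
ADMIN_DN = "cn=radius,ou=Admins,o=example"   # constructed


def sha_userpassword(password: str) -> str:
    """Encode a password the way a {SHA} userPassword value stores it."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ssha_userpassword(password: str, salt=None) -> str:
    """Salted variant ({SSHA}): base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_user_password(stored: str, candidate: str) -> bool:
    """Check a candidate against one userPassword value (cleartext, {SHA},
    {SSHA} or {crypt}); comparisons are constant-time."""
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload),
                                   hashlib.sha1(candidate.encode()).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    if scheme == "CRYPT":
        if crypt is None:
            raise ValueError("{crypt} needs the crypt module (absent on Python 3.13+)")
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)
    raise ValueError("unsupported userPassword scheme {%s}" % scheme)


class MockDirectory:
    """Stand-in for an LDAP server: entries keyed by DN, plus an ACL (an
    assumption of this example) that lets only ADMIN_DN read userPassword."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind; empty DN and password is an anonymous bind."""
        if dn == "" and password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and verify_user_password(entry["userPassword"], password)

    def search(self, bound_dn: str, base_dn: str, attr: str, value: str):
        """Return (dn, attributes visible to bound_dn) of the first match, or (None, None)."""
        for dn, entry in self.entries.items():
            if dn.endswith("," + base_dn) and entry.get(attr) == value:
                visible = dict(entry)
                if bound_dn != ADMIN_DN:
                    visible.pop("userPassword", None)   # ACL: only the admin may read it
                return dn, visible
        return None, None


def auth_radiator_checks(directory, admin_dn, admin_pw, username, password):
    """Flow 1 (ServerChecksPassword off): bind with credentials kept in the
    RADIUS config, read userPassword, verify locally.  The admin secret lives
    in the config; the user's password never leaves the RADIUS server."""
    if not directory.bind(admin_dn, admin_pw):
        return "REJECT: bind failed"
    dn, entry = directory.search(admin_dn, BASE_DN, "uid", username)
    if entry is None or "userPassword" not in entry:
        return "REJECT: No such user"   # entry missing, or password attribute not readable
    return "ACCEPT" if verify_user_password(entry["userPassword"], password) else "REJECT: bad password"


def auth_server_checks(directory, username, password):
    """Flow 2 (ServerChecksPassword on): locate the DN, then bind as the user
    with the password from the Access-Request.  No admin secret in the config,
    but the user's cleartext password crosses the LDAP connection."""
    dn, _ = directory.search("", BASE_DN, "uid", username)
    if dn is None:
        return "REJECT: No such user"
    return "ACCEPT" if directory.bind(dn, password) else "REJECT: bad password"


DIRECTORY = MockDirectory({                     # constructed sample entries
    ADMIN_DN: {"userPassword": ssha_userpassword("admin-secret")},
    "uid=anuar," + BASE_DN: {"uid": "anuar", "userPassword": sha_userpassword("correct horse")},
    "uid=bob," + BASE_DN: {"uid": "bob", "userPassword": ssha_userpassword("battery staple")},
})

if __name__ == "__main__":
    print(auth_radiator_checks(DIRECTORY, ADMIN_DN, "admin-secret", "anuar", "correct horse"))
    print(auth_radiator_checks(DIRECTORY, "", "", "anuar", "correct horse"))
    print(auth_server_checks(DIRECTORY, "bob", "battery staple"))
```

Running it with an anonymous bind for flow 1 reproduces the shape of Elias's symptom in this mock (the entry is found but its password attribute is not readable, so the lookup degrades to "No such user"), while flow 2 succeeds without any admin credential in the config. Whichever flow is chosen, the secret that has to be protected differs: the config file and its admin password in flow 1, the LDAP connection carrying user passwords in flow 2, which is the trade-off Ingvar describes.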

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list