(RADIATOR) AuthBy LDAP2 looping

Gustav Foseid gustavf-radiator at initio.no
Thu Jan 24 09:36:44 CST 2002


I am about to move authentication to LDAP, but have run into two problems
with Radiator and LDAP2:

1) There is incorrect information in the documentation. It says to use %l
   to get the username, but %n and %U work a lot better.

2) There seems to be an infinite loop somewhere.

This is the configuration for my test realm:

<Realm ldap>
        <AuthBy LDAP2>
                Host localhost
                BaseDN uid=%U,dc=accounts,dc=sense
                Scope base
                PasswordAttr    userPassword
                SearchFilter (uid=%U)
        </AuthBy>
        AcctLogFileName /var/log/radius/acct.log
        AuthLog authlog
</Realm>

When I authenticate with a correct password everything looks good:

radpwtst  -s localhost -secret XX -noacct -auth_port 1812 -user s240501@ldap -password XX

generates this in the logfile and an OK answer:

Thu Jan 24 16:33:46 2002: DEBUG: Handling request with Handler 'Realm=ldap'
Thu Jan 24 16:33:46 2002: DEBUG:  Deleting session for s240501@ldap, 203.63.154.1, 1234
Thu Jan 24 16:33:46 2002: DEBUG: Handling with Radius::AuthLDAP2: 
Thu Jan 24 16:33:46 2002: INFO: Connecting to localhost, port 389
Thu Jan 24 16:33:46 2002: INFO: Attempting to bind with ,  (server localhost:389)
Thu Jan 24 16:33:46 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
Thu Jan 24 16:33:46 2002: DEBUG: LDAP got userPassword: XX
Thu Jan 24 16:33:46 2002: DEBUG: Radius::AuthLDAP2 looks for match with s240501@ldap
Thu Jan 24 16:33:46 2002: DEBUG: Radius::AuthLDAP2 ACCEPT: 
Thu Jan 24 16:33:46 2002: DEBUG: Access accepted for s240501@ldap

But when I try with an incorrect password (-password XX1 instead) the log
is filled with lines like this until I stop the radiator daemon:

Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
Thu Jan 24 16:35:38 2002: INFO: Attempting to bind with ,  (server localhost:389)
Thu Jan 24 16:35:38 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
Thu Jan 24 16:35:38 2002: DEBUG: LDAP got userPassword: XX
Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT749
Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
Thu Jan 24 16:35:38 2002: INFO: Attempting to bind with ,  (server localhost:389)
Thu Jan 24 16:35:38 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
Thu Jan 24 16:35:38 2002: DEBUG: LDAP got userPassword: XX
Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT750
Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
Thu Jan 24 16:35:38 2002: INFO: Attempting to bind with ,  (server localhost:389)
Thu Jan 24 16:35:38 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
Thu Jan 24 16:35:38 2002: DEBUG: LDAP got userPassword: XX
Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT751
Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389

(and so on)

Any ideas?

-- 
Gustav Foseid, Initio IT-løsninger AS
http://www.initio.no/
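
A log check for the pattern shown in the post above, added here as an example and not part of the original message or of Radiator: it flags runs of consecutive DEFAULT<n> lookups that keep returning the same LDAP entry. The sample log is constructed from the lines quoted in the post; `find_default_loops` and `min_run` are hypothetical names.

```python
import re

LINE = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}: (?P<lvl>\w+): (?P<msg>.*)$")
RESULT = re.compile(r"LDAP got result for (?P<dn>.+)$")
LOOKUP = re.compile(r"looks for match with DEFAULT(?P<n>\d+)$")

def find_default_loops(log_text, min_run=3):
    """Return (dn, first_n, last_n, lookups) for every run of at least
    min_run consecutive DEFAULT<n> lookups that resolve to the same DN."""
    findings, last_dn, run_dn, run = [], None, None, []

    def close_run():
        if len(run) >= min_run:
            findings.append((run_dn, run[0], run[-1], len(run)))
        run.clear()

    for raw in log_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue                      # wrapped or foreign line
        msg = m["msg"]
        if (r := RESULT.search(msg)):
            last_dn = r["dn"]             # entry the next lookup is matched against
        elif (d := LOOKUP.search(msg)):
            n = int(d["n"])
            if run and (n != run[-1] + 1 or last_dn != run_dn):
                close_run()               # numbering or entry changed: new run
            if not run:
                run_dn = last_dn
            run.append(n)
        elif "looks for match with" in msg or "ACCEPT" in msg:
            close_run()                   # lookup of a real user name, or success
    close_run()
    return findings

# Constructed sample: one successful login, then the looping pattern from the post.
_DN = "uid=s240501,dc=accounts,dc=sense"
_OK, _BAD = "Thu Jan 24 16:33:46 2002", "Thu Jan 24 16:35:38 2002"
SAMPLE_LOG = "\n".join(
    [f"{_OK}: DEBUG: LDAP got result for {_DN}",
     f"{_OK}: DEBUG: Radius::AuthLDAP2 looks for match with s240501@ldap",
     f"{_OK}: DEBUG: Radius::AuthLDAP2 ACCEPT: "]
    + [line for n in range(749, 754) for line in (
        f"{_BAD}: INFO: Connecting to localhost, port 389",
        f"{_BAD}: DEBUG: LDAP got result for {_DN}",
        f"{_BAD}: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT{n}",
        f"{_BAD}: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password")])

if __name__ == "__main__":
    for dn, first, last, count in find_default_loops(SAMPLE_LOG):
        print(f"loop: {count} lookups DEFAULT{first}..DEFAULT{last} all returned {dn}")
```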