(RADIATOR) AuthBy LDAP2 looping

Hugh Irvine hugh at open.com.au
Thu Jan 24 16:06:57 CST 2002


Hello Gustav -

On Fri, 25 Jan 2002 02:36, Gustav Foseid wrote:
> I am about to move authentication to LDAP, but have run into two problems
> with Radiator and LDAP2:
>
> 1) There is incorrect information in the documentation. It says to use %l
>    to get the username, but %n or %U works a lot better.
>

The documentation describes the default, which is "%1" (percent one).

You can use other special characters as required.

> 2) There seems to be an infinite loop somewhere.
>
> This is the configuration for my test realm:
>
> <Realm ldap>
>         <AuthBy LDAP2>
>                 Host localhost
>                 BaseDN uid=%U,dc=accounts,dc=sense
>                 Scope base
>                 PasswordAttr    userPassword
>                 SearchFilter (uid=%U)
>         </AuthBy>
>         AcctLogFileName /var/log/radius/acct.log
>         AuthLog authlog
> </Realm>
>
> When I authenticate with a correct password everything looks good:
>
> radpwtst -s localhost -secret XX -noacct -auth_port 1812 -user s240501 at ldap -password XX
>
> generates this in the logfile and an OK answer:
>
> Thu Jan 24 16:33:46 2002: DEBUG: Handling request with Handler 'Realm=ldap'
> Thu Jan 24 16:33:46 2002: DEBUG:  Deleting session for s240501 at ldap, 203.63.154.1, 1234
> Thu Jan 24 16:33:46 2002: DEBUG: Handling with Radius::AuthLDAP2:
> Thu Jan 24 16:33:46 2002: INFO: Connecting to localhost, port 389
> Thu Jan 24 16:33:46 2002: INFO: Attempting to bind with ,  (server localhost:389)
> Thu Jan 24 16:33:46 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
> Thu Jan 24 16:33:46 2002: DEBUG: LDAP got userPassword: XX
> Thu Jan 24 16:33:46 2002: DEBUG: Radius::AuthLDAP2 looks for match with s240501 at ldap
> Thu Jan 24 16:33:46 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Thu Jan 24 16:33:46 2002: DEBUG: Access accepted for s240501 at ldap
>
> But when I try with an incorrect password (-password XX1 instead) the log
> is filled with lines like this until I stop the radiator daemon:
>
> Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
> Thu Jan 24 16:35:38 2002: INFO: Attempting to bind with ,  (server localhost:389)
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got userPassword: XX
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT749
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
> Thu Jan 24 16:35:38 2002: INFO: Attempting to bind with ,  (server localhost:389)
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got userPassword: XX
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT750
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
> Thu Jan 24 16:35:38 2002: INFO: Attempting to bind with ,  (server localhost:389)
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got userPassword: XX
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT751
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
>
> (and so on)
>
> Any ideas?

Some LDAP servers incorrectly return a result when no user is found.

You can use the NoDefault configuration parameter to stop the DEFAULT* 
lookups.

	<AuthBy LDAP2>
		NoDefault
		.....
	</AuthBy>

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
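An added illustration of the fallback behaviour Hugh describes (this is a model written for this page, not Radiator's code and not from the thread): the LDAP server is a constructed in-memory stand-in that, like the misbehaving server in the log, returns the original user's entry no matter which name is looked up, and the fallback order DEFAULT, DEFAULT1, DEFAULT2, ... is assumed from the DEFAULTnnn names in the log. With NoDefault the chain stops after the first bad password; without it, and with a server that never reports "no such entry", it never ends.

```python
"""Model of the AuthBy LDAP2 DEFAULT fallback from the thread (added example).

The directory below is a constructed stand-in for the LDAP server; nothing
here is Radiator's own code.
"""
from dataclasses import dataclass, field

# Constructed directory: the one entry from the thread, with the plaintext
# userPassword the "LDAP got userPassword: XX" log line shows.
DIRECTORY = {"uid=s240501,dc=accounts,dc=sense": {"userPassword": "XX"}}


@dataclass
class LookupTrace:
    result: str = "REJECT"          # "ACCEPT", "REJECT" or "LOOP" (bound hit)
    names_tried: list = field(default_factory=list)


def ldap_lookup(user, name, buggy):
    """Search for 'name'. With Scope base and BaseDN uid=%U,... the search is
    anchored on the original user's DN; a misbehaving server (buggy=True) then
    hands back that entry even when a DEFAULT* name is being looked up."""
    entry = DIRECTORY.get(f"uid={user},dc=accounts,dc=sense")
    if entry is None:
        return None
    if buggy:
        return entry                # never answers "no such user"
    return entry if name == user else None


def authenticate(user, password, buggy, no_default=False, max_defaults=1000):
    """Try the user, then DEFAULT, DEFAULT1, ... (order assumed) until a lookup
    returns nothing or a password matches. max_defaults only bounds this
    simulation; the real server keeps going, as the log shows."""
    trace = LookupTrace()
    candidates = [user, "DEFAULT"] + [f"DEFAULT{i}" for i in range(1, max_defaults + 1)]
    for name in candidates:
        trace.names_tried.append(name)
        entry = ldap_lookup(user, name, buggy)
        if entry is None:
            trace.result = "REJECT"  # chain ends: server reported no entry
            return trace
        if entry["userPassword"] == password:
            trace.result = "ACCEPT"
            return trace
        if no_default:
            trace.result = "REJECT"  # NoDefault: DEFAULT* entries never consulted
            return trace
    trace.result = "LOOP"            # every lookup "succeeded": the reported loop
    return trace
```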

