(RADIATOR) AuthBy LDAP2 looping
Hugh Irvine
hugh at open.com.au
Thu Jan 24 16:06:57 CST 2002
Hello Gustav -
On Fri, 25 Jan 2002 02:36, Gustav Foseid wrote:
> I am about to move authentication to LDAP, but have run into two problems
> with Radiator and LDAP2:
>
> 1) There is incorrect information in the documentation. It says to use %l
> to get the username, but %n or %U works a lot better.
>
The documentation describes the default which is "%1" (percent one).
You can use other special characters as required.
> 2) There seems to be an infinite loop somewhere.
>
> This is the configuration for my test realm:
>
> <Realm ldap>
>     <AuthBy LDAP2>
>         Host localhost
>         BaseDN uid=%U,dc=accounts,dc=sense
>         Scope base
>         PasswordAttr userPassword
>         SearchFilter (uid=%U)
>     </AuthBy>
>     AcctLogFileName /var/log/radius/acct.log
>     AuthLog authlog
> </Realm>
>
> When I authenticate with a correct password everything looks good:
>
> radpwtst -s localhost -secret XX -noacct -auth_port 1812 -user s240501 at ldap -password XX
>
> generates this in the logfile and an OK answer:
>
> Thu Jan 24 16:33:46 2002: DEBUG: Handling request with Handler 'Realm=ldap'
> Thu Jan 24 16:33:46 2002: DEBUG: Deleting session for s240501 at ldap, 203.63.154.1, 1234
> Thu Jan 24 16:33:46 2002: DEBUG: Handling with Radius::AuthLDAP2:
> Thu Jan 24 16:33:46 2002: INFO: Connecting to localhost, port 389
> Thu Jan 24 16:33:46 2002: INFO: Attempting to bind with , (server localhost:389)
> Thu Jan 24 16:33:46 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
> Thu Jan 24 16:33:46 2002: DEBUG: LDAP got userPassword: XX
> Thu Jan 24 16:33:46 2002: DEBUG: Radius::AuthLDAP2 looks for match with s240501 at ldap
> Thu Jan 24 16:33:46 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Thu Jan 24 16:33:46 2002: DEBUG: Access accepted for s240501 at ldap
>
> But when I try with an incorrect password (-password XX1 instead) the log
> is filled with lines like this until I stop the radiator daemon:
>
> Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
> Thu Jan 24 16:35:38 2002: INFO: Attempting to bind with , (server localhost:389)
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got userPassword: XX
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT749
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
> Thu Jan 24 16:35:38 2002: INFO: Attempting to bind with , (server localhost:389)
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got userPassword: XX
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT750
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
> Thu Jan 24 16:35:38 2002: INFO: Attempting to bind with , (server localhost:389)
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got result for uid=s240501,dc=accounts,dc=sense
> Thu Jan 24 16:35:38 2002: DEBUG: LDAP got userPassword: XX
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT751
> Thu Jan 24 16:35:38 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Thu Jan 24 16:35:38 2002: INFO: Connecting to localhost, port 389
>
> (and so on)
>
> Any ideas?
Some LDAP servers incorrectly return a result when no user is found.
You can use the NoDefault configuration parameter to stop the DEFAULT*
lookups.
<AuthBy LDAP2>
    NoDefault
    .....
</AuthBy>
regards
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
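Added simulation, not Radiator's code, of the DEFAULT walk Hugh describes: after the user's own entry fails, AuthBy LDAP2 tries DEFAULT, DEFAULT1, DEFAULT2, ... until the directory returns no entry. With a base-scope search under BaseDN uid=%U, a server that answers with the base entry regardless of the filter never says "no entry", so the walk only ends when NoDefault is set. The Directory class, the MAX_DEFAULTS guard and the check_uid option (checking that the returned uid is the one asked for) are constructed for this demo; check_uid is a defensive idea, not a Radiator parameter.

```python
from dataclasses import dataclass, field

MAX_DEFAULTS = 1000  # constructed guard so the faulty case cannot hang the demo


@dataclass
class Directory:
    """Constructed stand-in for the LDAP server. strict=True honours the
    filter; strict=False returns the base entry whatever the filter says,
    the misbehaviour the thread describes."""
    entries: dict                 # uid -> userPassword (cleartext for the demo)
    strict: bool = True
    searches: list = field(default_factory=list)

    def search(self, base_uid, filter_uid):
        # Mirrors BaseDN uid=%U (base_uid) with SearchFilter (uid=%U) (filter_uid).
        self.searches.append(filter_uid)
        if base_uid not in self.entries:
            return None
        if self.strict and filter_uid != base_uid:
            return None           # correct behaviour: filter does not match the base entry
        return {"uid": base_uid, "userPassword": self.entries[base_uid]}


def candidate_names(username, no_default):
    # Order Radiator walks: the user, then DEFAULT, DEFAULT1, DEFAULT2, ...
    yield username
    if no_default:                # NoDefault: never look for DEFAULT* entries
        return
    yield "DEFAULT"
    for i in range(1, MAX_DEFAULTS):
        yield f"DEFAULT{i}"


def authenticate(directory, username, password, no_default=False, check_uid=False):
    """Return (verdict, number of LDAP searches issued)."""
    for name in candidate_names(username, no_default):
        entry = directory.search(base_uid=username, filter_uid=name)
        if entry is None:
            break                 # no such user / DEFAULT entry: stop walking
        if check_uid and entry["uid"] != name:
            break                 # server answered for a different uid: treat as not found
        if entry["userPassword"] == password:
            return "ACCEPT", len(directory.searches)
    return "REJECT", len(directory.searches)
```

With the faulty server and a wrong password the walk runs to the guard (1001 searches); NoDefault stops it after one search, and a well-behaved server stops it after two.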