(RADIATOR) closer:LDAP_INVALID_CREDENTIALS
Jeremy Hinton
jgh at visi.net
Tue Apr 15 10:07:08 CDT 2003
Bill,
We're using CGate Pro here via AuthBy LDAP2 without problems. Our
LDAP schema is slightly different though: uid=username,cn=domain. A couple
of suggestions:
- For AuthDN, try just using the username of the authentication account,
rather than the full DN.
- Run radius with LogStdOut and Foreground set in the config file, and put
"Debug 255" in the <AuthBy LDAP2> clause. This will show you the raw LDAP
queries and responses, very useful in debugging. Just remember to remove it
before production ;).
- Don't try to use ServerChecksPassword (required if you A-crypt the
passwd). CGate stalls an auth request for like 2 seconds on a failed login
(to prevent mass passwd hacking), but as the LDAP module is single
threaded, this can cause mass traffic jams on a busy server with a couple
failed repeated login attempts. We found this out the hard way. Just use
the normal behavior of retrieving the password and comparing it (requires
clear-text or u-crypt passwords).
- Use SearchFilter and Scope to speed up the request.
Here's our AuthBy LDAP clause, though you'll need to adjust it for your
schema and auth username.
<AuthBy LDAP2>
Identifier CGate_via_LDAP
DefaultSimultaneousUse 1
NoDefault
EAPType notpermitted # needed to work with nortel 5399/8000
Host <x.x.x.x>
AuthDN <auth-username>
AuthPassword <auth-password>
Scope base
BaseDN %0=%U,cn=%R
PasswordAttr userPassword
SearchFilter (%0=%U)
FailureBackoffTime 10
Timeout 2
</AuthBy>
Note this may not be the best way to do this, I haven't revisited this in a
year or so, and I do see a few things I might try to change now ;). We also
have a DefaultRealm set in our client clauses, so the %R realm will match
our CommuniGate main domain name. Also, make sure your <auth-username>
account has access rights in the directory to read all the needed
attributes, like userPassword. Hope this helps.
- jeremy
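An added example, not code from Radiator, from Jeremy or from anyone in this thread, that models the two points above in Python: how the %0/%U/%R specials in BaseDN and SearchFilter are expanded, with the RADIUS User-Name escaped for a DN (RFC 4514) and for a filter (RFC 4515) because that value is chosen by whoever sends the Access-Request, and how the password check splits between comparing a fetched userPassword locally (cleartext, {SHA}, {SSHA}) and having to bind as the user when the scheme is opaque to the RADIUS side, which is the ServerChecksPassword path that runs into CGate's failed-login delay. Assumptions: UsernameAttr is uid, to match the uid=username,cn=domain schema described; {CRYPT} is left out so the block runs without crypt(3), even though Radiator does compare it; all usernames, realms and passwords are constructed test data; the thread does not say whether Radiator escapes %U itself, so the escaping is shown as what a safe expansion looks like, not as Radiator's behaviour.

```python
"""Model of one Access-Request through an <AuthBy LDAP2>-style clause.
Added example, not Radiator code.  Escaping per RFC 4514 (DN) and
RFC 4515 (filter); UsernameAttr = uid is an assumption."""
import base64
import hashlib
import hmac
import os
import re

# Templates copied from the clause above; uid assumed as UsernameAttr
USERNAME_ATTR = "uid"
BASE_DN_TEMPLATE = "%0=%U,cn=%R"
SEARCH_FILTER_TEMPLATE = "(%0=%U)"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '",+;<>\\' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for a search filter (RFC 4515 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def expand(template: str, specials: dict) -> str:
    """Single-pass %0/%U/%R expansion: an escaped value that happens to
    contain '%R' is never expanded a second time."""
    return re.sub(r"%([0UR])", lambda m: specials[m.group(1)], template)


def build_query(username: str, realm: str) -> tuple:
    """Return (BaseDN, SearchFilter) for a Scope base lookup, as the clause does."""
    base_dn = expand(BASE_DN_TEMPLATE, {
        "0": USERNAME_ATTR,
        "U": escape_dn_value(username),
        "R": escape_dn_value(realm),
    })
    search_filter = expand(SEARCH_FILTER_TEMPLATE, {
        "0": USERNAME_ATTR,
        "U": escape_filter_value(username),
        "R": escape_filter_value(realm),
    })
    return base_dn, search_filter


def sha_userpassword(plain: str, salted: bool = False) -> str:
    """Produce a {SHA} or {SSHA} userPassword value (constructed test data)."""
    if not salted:
        return "{SHA}" + base64.b64encode(hashlib.sha1(plain.encode()).digest()).decode()
    salt = os.urandom(4)
    digest = hashlib.sha1(plain.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def password_matches(stored: str, presented: str):
    """True/False when the fetched userPassword can be checked here,
    None when only the directory can verify it (bind as the user)."""
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(presented.encode()).digest()
        return hmac.compare_digest(base64.b64decode(stored[5:]), digest)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(presented.encode() + salt).digest(), digest)
    if re.match(r"\{[A-Za-z0-9-]+\}", stored):
        return None  # opaque scheme (A-crypt, {CRYPT}, ...): server must check
    return hmac.compare_digest(stored.encode(), presented.encode())  # cleartext


def plan_auth(username: str, realm: str, stored: str, presented: str) -> dict:
    """One request end to end: where to look and how the password is checked."""
    base_dn, search_filter = build_query(username, realm)
    verdict = password_matches(stored, presented)
    return {
        "base_dn": base_dn,
        "filter": search_filter,
        "mode": "local-compare" if verdict is not None else "server-bind",
        "accepted": verdict,
    }


if __name__ == "__main__":
    # Constructed input: a hostile User-Name, then two honest ones
    print(plan_auth("bdavies)(uid=*", "macnexus.org", "secret", "secret"))
    print(plan_auth("bdavies", "macnexus.org", sha_userpassword("secret", salted=True), "secret"))
    print(plan_auth("bdavies", "macnexus.org", "{A-CRYPT}opaque", "secret"))
```

The first call shows why the escaping matters: without it the filter would become (uid=bdavies)(uid=*), with it the parentheses and star are encoded and the lookup stays a lookup for the literal name. The third call returns mode server-bind, which is exactly the case Jeremy warns about: every failed bind eats CGate's delay while the single-threaded LDAP module waits.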
At 06:08 PM 4/14/2003, Bill Davies wrote:
>Well, I am getting closer. Sorry for being so dense about this.
>
>I see two areas with errors:
>
>1. Radiator debug log says NAS IP address is at 203.63.154.1 -- so what
>config file did I miss that is giving it that IP number? (We have no
>machine on our network with that IP address, nor does the machine I use at
>work have that IP address.) Our NAS IP should be 192.168.1.2
>
>Attributes:
> User-Name = "bdavies"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> "<131><232>5<204><220>k5<128><188>8<9><160><216>}x<153>"
>
>I don't see that IP number in my config file that I am trying to build
>(macnexus.cfg)
>
>2. I'm seeing LDAP_INVALID_CREDENTIALS
>
>According to Stalker Software, their matrix is like this:
>
>  CommuniGate Pro Name    Directory
>  Password                userPassword
>  RealName                cn
>
>
>Stalker suggested if Directory Integration -> Domain Subtree is blank, try
>using "top" instead of leaving that value blank, but I'm not sure where I
>would put 'top'.
>
>Values surrounded by * * are things I changed in the sample LDAP config file.
>
>I must have something screwy in my config file? Excerpt below:
>
><Realm DEFAULT>
> <AuthBy LDAP2>
> # Tell Radiator how to talk to the LDAP server
> Host 192.168.1.19
>
> # You will only need these if your LDAP server
> # requires authentication. These are the examples
> # in a default OpenLDAP installation
> # see /etc/openldap/slapd.conf
> AuthDN cn=*ldapadminname*, dc=macnexus.org, dc=com
> AuthPassword *pw*
>
> # This is the top of the search tree where users
> # will be found. It should match the configuration
> # of your server, see /etc/openldap/slapd.conf
> BaseDN dc=macnexus.org, dc=com
>
> # This is the LDAP attribute to match the radius user name
> UsernameAttr cn
>
> # If you don't specify ServerChecksPassword, you
> # need to tell Radiator which attribute contains
> # the password. It can be plaintext or encrypted
> PasswordAttr *userPassword*
>
> # You can use CheckAttr, ReplyAttr and AuthAttrDef
> # to specify check and reply attributes in the LDAP
> # database. See the reference manual for more
> # information
> #AuthAttrDef ipaddress,Framed-IP-Address,reply
>
> # These are the classic things to add to each users
> # reply to allow a PPP dialup session. It may be
> # different for your NAS. This will add some
> # reply items to everyone's reply
> AddToReply Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-Routing = None,\
> Framed-MTU = 1500,\
> Framed-Compression = Van-Jacobson-TCP-IP
>
>===
>Archive at http://www.open.com.au/archives/radiator/
>Announcements on radiator-announce at open.com.au
>To unsubscribe, email 'majordomo at open.com.au' with
>'unsubscribe radiator' in the body of the message.