(RADIATOR) Auth by SQL, then Auth by LDAP
al mccain
mccainca at centurytel.net
Wed Apr 23 10:04:50 CDT 2003
Hello,
I'm having a problem which is this:
When a user logs in, it checks the SQL database, then checks LDAP.
What I want it to do is check the SQL database; if it finds a password, then don't check LDAP.
Right now, it finds a password in SQL, then can't find one in LDAP and denies the user.
Anyone know why this would happen and how to fix it?
User cty23243 is found in LDAP and will auth, but user dev1 is not in LDAP,
but is in the database. However, he will not authenticate.
Here is my config and log file.
Thanks,
Al
Foreground
LogStdout
LogDir .
DbDir .
<Client DEFAULT>
Secret letMEin
DupInterval 0
</Client>
<SessionDatabase SQL>
DBSource dbi:mysql:radius
DBUsername XXXX
DBAuth XXXX
Identifier SQLS
AddQuery insert into RADONLINE (USERNAME,\
NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,\
FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) \
values ('%n', '%N',\
%{NAS-Port}, '%{Acct-Session-Id}', '%o',\
'%{Framed-IP-Address}', '%{NAS-Port-Type}', \
'%{Service-Type}', '%c')
</SessionDatabase>
Trace 4
<ClientListSQL>
DBSource dbi:mysql:radius
DBUsername XXXX
DBAuth XXXX
</ClientListSQL>
<AuthBy SQL>
DefaultSimultaneousUse 1
Identifier CheckSQL
DefaultSimultaneousUse 1
DBSource dbi:mysql:radius
DBUsername XXXX
DBAuth XXXX
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
</AuthBy>
<AuthBy UNIX>
DefaultSimultaneousUse 1
Identifier System
Filename /etc/shadow
</AuthBy>
<AuthBy PORTLIMITCHECK>
DefaultSimultaneousUse 1
Identifier checkport
SessionLimit 1
</AuthBy PORTLIMITCHECK>
<AuthBy LDAP2>
Identifier LDAP
Host 127.0.0.1
Port 389
AuthDN uid=searchuser,dc=XXXX,dc=net
AuthPassword XXXX
BaseDN %0=%1,ou=people,dc=XXXX,dc=net
Scope base
UsernameAttr uid
PasswordAttr userPassword
HoldServerConnection
SearchFilter (&(gecos=active)(uid=%1))
AuthAttrDef gidNumber, gid-attr, request
</AuthBy>
<Realm DEFAULT>
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername s/\s+//g
RewriteUsername tr/A-Z/a-z/
AuthByPolicy ContinueAlways
AuthBy CheckSQL
AuthBy LDAP
#AuthBy checkport
PostAuthHook file:"postHook"
AcctLogFileName detail
</Realm>
-------------------------------------------------------------------------------
Wed Apr 23 09:46:59 2003: DEBUG: Adding Clients from SQL database
Wed Apr 23 09:46:59 2003: DEBUG: Query is: select
NASIDENTIFIER,
SECRET,
IGNOREACCTSIGNATURE,
DUPINTERVAL,
DEFAULTREALM,
NASTYPE,
SNMPCOMMUNITY,
LIVINGSTONOFFS,
LIVINGSTONHOLE,
FRAMEDGROUPBASEADDRESS,
FRAMEDGROUPMAXPORTSPERCLASSC,
REWRITEUSERNAME,
NOIGNOREDUPLICATES,
PREHANDLERHOOK from RADCLIENTLIST
Wed Apr 23 09:47:00 2003: DEBUG: Reading group file /etc/group
Wed Apr 23 09:47:02 2003: DEBUG: Creating authentication port 0.0.0.0:1645
Wed Apr 23 09:47:02 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Wed Apr 23 09:47:02 2003: INFO: Server started: Radiator 3.4 on raddb-test
Wed Apr 23 09:47:19 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 33026 ....
Code: Access-Request
Identifier: 4
Authentic: 1234567890123456
Attributes:
User-Name = "cty23243"
Service-Type = Framed-User
Client-Id = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<158><216><162>Y<171><142>Xx<31><235><251><167><228>B<161>d"
Wed Apr 23 09:47:19 2003: ERR: Error while rewriting username cty23243: syntax error at (eval 30) line 2, at EOF
Wed Apr 23 09:47:19 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:19 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Apr 23 09:47:19 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:19 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:19 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:19 2003: DEBUG: SQLS Deleting session for cty23243, 203.63.154.1, 1234
Wed Apr 23 09:47:19 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=1234
Wed Apr 23 09:47:19 2003: DEBUG: Handling with Radius::AuthSQL
Wed Apr 23 09:47:19 2003: DEBUG: Handling with Radius::AuthSQL: CheckSQL
Wed Apr 23 09:47:19 2003: ERR: Attribute number 79 is not defined in your dictionary
Wed Apr 23 09:47:19 2003: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='cty23243'
Wed Apr 23 09:47:19 2003: DEBUG: Radius::AuthSQL looks for match with cty23243
Wed Apr 23 09:47:19 2003: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='DEFAULT'
Wed Apr 23 09:47:19 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT
Wed Apr 23 09:47:19 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
Wed Apr 23 09:47:19 2003: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='DEFAULT1'
Wed Apr 23 09:47:20 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT1
Wed Apr 23 09:47:20 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
Wed Apr 23 09:47:20 2003: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='DEFAULT2'
Wed Apr 23 09:47:20 2003: DEBUG: Handling with Radius::AuthLDAP2: LDAP
Wed Apr 23 09:47:20 2003: INFO: Connecting to 127.0.0.1, port 389
Wed Apr 23 09:47:20 2003: INFO: Attempting to bind with uid=searchuser,dc=XXXX,dc=net, XXXX (server 127.0.0.1:389)
Wed Apr 23 09:47:20 2003: DEBUG: LDAP got result for uid=cty23243,ou=People,dc=centurytel,dc=net
Wed Apr 23 09:47:20 2003: DEBUG: LDAP got userPassword: {crypt}8UyUp0jaGti9o
Wed Apr 23 09:47:20 2003: DEBUG: LDAP got gidNumber: 3000
Wed Apr 23 09:47:20 2003: DEBUG: Radius::AuthLDAP2 looks for match with cty23243
Wed Apr 23 09:47:20 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Apr 23 09:47:20 2003: DEBUG: Access accepted for cty23243
Wed Apr 23 09:47:20 2003: WARNING: No such attribute Framed-IP-Netmask
Wed Apr 23 09:47:20 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 33026 ....
Code: Access-Accept
Identifier: 4
Authentic: 1234567890123456
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Port-Limit = 1
Idle-Timeout = 1200
Session-Timeout = 28800
Class = "dnd00"
Wed Apr 23 09:47:20 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 33026 ....
Code: Accounting-Request
Identifier: 5
Authentic: <5><130><160><254><185>h<178><29><22><247>Q&<212><129><17>n
Attributes:
User-Name = "cty23243"
Service-Type = Framed-User
Client-Id = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Framed-IP-Address = 255.255.255.254
Acct-Delay-Time = 0
Class = "dnd00"
Wed Apr 23 09:47:20 2003: ERR: Error while rewriting username cty23243: syntax error at (eval 34) line 2, at EOF
Wed Apr 23 09:47:20 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:20 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Apr 23 09:47:20 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:20 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:20 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:20 2003: DEBUG: SQLS Adding session for cty23243, 203.63.154.1, 1234
Wed Apr 23 09:47:20 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=1234
Wed Apr 23 09:47:20 2003: DEBUG: do query is: insert into RADONLINE (USERNAME,NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) values ('cty23243', '203.63.154.1',1234, '00001234', 'Wed Apr 23 09:47:20 2003','255.255.255.254', 'Async', 'Framed-User', '127.0.0.1')
Wed Apr 23 09:47:20 2003: DEBUG: Handling with Radius::AuthSQL
Wed Apr 23 09:47:20 2003: DEBUG: Handling accounting with Radius::AuthSQL
Wed Apr 23 09:47:20 2003: DEBUG: do query is: insert into ACCOUNTING (NASPORT,ACCTDELAYTIME,USERNAME,FRAMEDIPADDRESS,ACCTSTATUSTYPE,ACCTSESSIONID,TIME_STAMP) values (1234,0,'cty23243','255.255.255.254','Start','00001234',1051109240)
Wed Apr 23 09:47:20 2003: DEBUG: Handling with Radius::AuthLDAP2: LDAP
Wed Apr 23 09:47:20 2003: DEBUG: Accounting accepted
Wed Apr 23 09:47:20 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 33026 ....
Code: Accounting-Response
Identifier: 5
Authentic: <5><130><160><254><185>h<178><29><22><247>Q&<212><129><17>n
Attributes:
Wed Apr 23 09:47:20 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 33026 ....
Code: Accounting-Request
Identifier: 6
Authentic: <133><234>e'<29><194>o*<238><174><168>g<215><246><29>3
Attributes:
User-Name = "cty23243"
Service-Type = Framed-User
Client-Id = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Framed-IP-Address = 255.255.255.254
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Class = "dnd00"
Wed Apr 23 09:47:20 2003: ERR: Error while rewriting username cty23243: syntax error at (eval 38) line 2, at EOF
Wed Apr 23 09:47:20 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:20 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Apr 23 09:47:20 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:20 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:20 2003: DEBUG: Rewrote user name to cty23243
Wed Apr 23 09:47:20 2003: DEBUG: SQLS Deleting session for cty23243, 203.63.154.1, 1234
Wed Apr 23 09:47:20 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=1234
Wed Apr 23 09:47:20 2003: DEBUG: Handling with Radius::AuthSQL
Wed Apr 23 09:47:20 2003: DEBUG: Handling accounting with Radius::AuthSQL
Wed Apr 23 09:47:20 2003: DEBUG: do query is: insert into ACCOUNTING (NASPORT,ACCTSESSIONTIME,ACCTDELAYTIME,ACCTINPUTOCTETS,USERNAME,FRAMEDIPADDRESS,ACCTOUTPUTOCTETS,ACCTSTATUSTYPE,ACCTSESSIONID,TIME_STAMP) values (1234,1000,0,20000,'cty23243','255.255.255.254',30000,'Stop','00001234',1051109240)
Wed Apr 23 09:47:20 2003: DEBUG: Handling with Radius::AuthLDAP2: LDAP
Wed Apr 23 09:47:20 2003: DEBUG: Accounting accepted
Wed Apr 23 09:47:20 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 33026 ....
Code: Accounting-Response
Identifier: 6
Authentic: <133><234>e'<29><194>o*<238><174><168>g<215><246><29>3
Attributes:
Wed Apr 23 09:47:33 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 33027 ....
Code: Access-Request
Identifier: 18
Authentic: 1234567890123456
Attributes:
User-Name = "dev1"
Service-Type = Framed-User
Client-Id = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<219><138><165>p<129><151><0><2><31><235><251><167><228>B<161>d"
Wed Apr 23 09:47:33 2003: ERR: Error while rewriting username dev1: syntax error at (eval 42) line 2, at EOF
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: SQLS Deleting session for dev1, 203.63.154.1, 1234
Wed Apr 23 09:47:33 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=1234
Wed Apr 23 09:47:33 2003: DEBUG: Handling with Radius::AuthSQL
Wed Apr 23 09:47:33 2003: DEBUG: Handling with Radius::AuthSQL: CheckSQL
Wed Apr 23 09:47:33 2003: ERR: Attribute number 79 is not defined in your dictionary
Wed Apr 23 09:47:33 2003: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='dev1'
Wed Apr 23 09:47:33 2003: DEBUG: Radius::AuthSQL looks for match with dev1
Wed Apr 23 09:47:33 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='dev1'
Wed Apr 23 09:47:33 2003: DEBUG: Radius::AuthSQL ACCEPT:
Wed Apr 23 09:47:33 2003: DEBUG: Handling with Radius::AuthLDAP2: LDAP
Wed Apr 23 09:47:33 2003: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
Wed Apr 23 09:47:33 2003: DEBUG: Radius::AuthLDAP2 looks for match with dev1
Wed Apr 23 09:47:33 2003: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
Wed Apr 23 09:47:33 2003: INFO: Access rejected for dev1: No such user
Wed Apr 23 09:47:33 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 33027 ....
Code: Access-Reject
Identifier: 18
Authentic: 1234567890123456
Attributes:
Port-Message = "Request Denied"
Wed Apr 23 09:47:33 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 33027 ....
Code: Accounting-Request
Identifier: 19
Authentic: <191>x<216>m<229>i<163>h<148><229>$<138>@<172><245>G
Attributes:
User-Name = "dev1"
Service-Type = Framed-User
Client-Id = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Wed Apr 23 09:47:33 2003: ERR: Error while rewriting username dev1: syntax error at (eval 46) line 2, at EOF
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: SQLS Adding session for dev1, 203.63.154.1, 1234
Wed Apr 23 09:47:33 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=1234
Wed Apr 23 09:47:33 2003: DEBUG: do query is: insert into RADONLINE (USERNAME,NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, ip) values ('dev1', '203.63.154.1',1234, '00001234', 'Wed Apr 23 09:47:33 2003','', 'Async', 'Framed-User', '127.0.0.1')
Wed Apr 23 09:47:33 2003: DEBUG: Handling with Radius::AuthSQL
Wed Apr 23 09:47:33 2003: DEBUG: Handling accounting with Radius::AuthSQL
Wed Apr 23 09:47:33 2003: DEBUG: do query is: insert into ACCOUNTING (NASPORT,ACCTDELAYTIME,USERNAME,ACCTSTATUSTYPE,ACCTSESSIONID,TIME_STAMP) values (1234,0,'dev1','Start','00001234',1051109253)
Wed Apr 23 09:47:33 2003: DEBUG: Handling with Radius::AuthLDAP2: LDAP
Wed Apr 23 09:47:33 2003: DEBUG: Accounting accepted
Wed Apr 23 09:47:33 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 33027 ....
Code: Accounting-Response
Identifier: 19
Authentic: <191>x<216>m<229>i<163>h<148><229>$<138>@<172><245>G
Attributes:
Wed Apr 23 09:47:33 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 33027 ....
Code: Accounting-Request
Identifier: 20
Authentic: <173>l<218>A<135>I<212>V<142><14><254><5><140>3Y<142>
Attributes:
User-Name = "dev1"
Service-Type = Framed-User
Client-Id = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Wed Apr 23 09:47:33 2003: ERR: Error while rewriting username dev1: syntax error at (eval 50) line 2, at EOF
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: Rewrote user name to dev1
Wed Apr 23 09:47:33 2003: DEBUG: SQLS Deleting session for dev1, 203.63.154.1, 1234
Wed Apr 23 09:47:33 2003: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=1234
Wed Apr 23 09:47:33 2003: DEBUG: Handling with Radius::AuthSQL
Wed Apr 23 09:47:33 2003: DEBUG: Handling accounting with Radius::AuthSQL
Wed Apr 23 09:47:33 2003: DEBUG: do query is: insert into ACCOUNTING (NASPORT,ACCTSESSIONTIME,ACCTDELAYTIME,ACCTINPUTOCTETS,USERNAME,ACCTOUTPUTOCTETS,ACCTSTATUSTYPE,ACCTSESSIONID,TIME_STAMP) values (1234,1000,0,20000,'dev1',30000,'Stop','00001234',1051109253)
Wed Apr 23 09:47:33 2003: DEBUG: Handling with Radius::AuthLDAP2: LDAP
Wed Apr 23 09:47:33 2003: DEBUG: Accounting accepted
Wed Apr 23 09:47:33 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 33027 ....
Code: Accounting-Response
Identifier: 20
Authentic: <173>l<218>A<135>I<212>V<142><14><254><5><140>3Y<142>
Attributes:
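A small simulation of how the Realm's AuthByPolicy combines the verdicts of the CheckSQL and LDAP AuthBy clauses, added here as an example that is not part of the original post or of Radiator's own code. The backend contents mirror the log above (the SUBSCRIBERS table knows dev1, the LDAP tree knows cty23243), the passwords are constructed, and the policy semantics (ContinueAlways replies with the last AuthBy's result, ContinueUntilAccept stops at the first ACCEPT) are assumed from the Radiator reference manual.

```python
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Constructed backend contents mirroring the posted log: the SUBSCRIBERS table
# holds dev1, the LDAP tree under ou=people holds cty23243. Passwords are
# made up; the real entries use hashed values.
SQL_USERS = {"dev1": "dev1-pass"}
LDAP_USERS = {"cty23243": "cty-pass"}


def auth_sql(user, password):
    # AuthBy SQL: a row with a matching password gives ACCEPT; no row (after
    # the DEFAULT fall-through seen in the log) or a bad password gives REJECT.
    return ACCEPT if SQL_USERS.get(user) == password else REJECT


def auth_ldap(user, password):
    # AuthBy LDAP2 with Scope base: a missing entry surfaces as
    # LDAP_NO_SUCH_OBJECT / "No such user", which is a REJECT, not an IGNORE.
    return ACCEPT if LDAP_USERS.get(user) == password else REJECT


def run_chain(policy, chain, user, password):
    """Combine the AuthBy results the way the named AuthByPolicy does (assumed semantics)."""
    result = IGNORE
    for authby in chain:
        result = authby(user, password)
        if policy == "ContinueUntilAccept" and result == ACCEPT:
            break          # first ACCEPT decides; later AuthBys are skipped
        if policy == "ContinueWhileReject" and result != REJECT:
            break          # same effect here: stop on anything but REJECT
        if policy == "ContinueWhileIgnore" and result != IGNORE:
            break          # Radiator's default policy: first non-IGNORE decides
        # ContinueAlways: never stop, so the last AuthBy's verdict is the reply.
    return result


CHAIN = [auth_sql, auth_ldap]          # AuthBy CheckSQL, then AuthBy LDAP

if __name__ == "__main__":
    # With the posted policy dev1 is accepted by SQL and then rejected by LDAP,
    # and the LDAP verdict wins; with ContinueUntilAccept the SQL ACCEPT stands.
    for policy in ("ContinueAlways", "ContinueUntilAccept"):
        for user, pw in (("cty23243", "cty-pass"), ("dev1", "dev1-pass")):
            print(policy, user, run_chain(policy, CHAIN, user, pw))
```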