(RADIATOR) Auth-Type and LDAP
Hugh Irvine
hugh at open.com.au
Mon Jan 27 18:39:36 CST 2003
Hello Enrique -
You can use whatever LDAP attribute name you wish, and if you use the
"Auth-Type = nnnnnnn" format for the value of the attribute you can use
a GENERIC check item to refer the authentication to another AuthBy
clause.
Something like this:
# define AuthBy clauses
<AuthBy SYSTEM>
Identifier CheckSystem
....
</AuthBy>
<AuthBy RADIUS>
Identifier ForwardToProxy
.....
</AuthBy>
<AuthBy ACE>
Identifier CheckAce
.....
</AuthBy>
<AuthBy LDAP2>
Identifier CheckLDAP
.....
AuthAttrDef authTypeObject, GENERIC, check
.....
</AuthBy>
.....
# define Realms or Handlers
<Handler ....>
AuthBy CheckLDAP
......
</Handler>
.....
Then each of the user records in the LDAP database would contain
something like this in the authTypeObject field:
Auth-Type = CheckSystem
or
Auth-Type = ForwardToProxy
or
Auth-Type = CheckAce
Hope that helps.
regards
Hugh
On Tuesday, Jan 28, 2003, at 00:24 Australia/Melbourne, Enrique Diez wrote:
> Hi All,
> I would like to know if there is an LDAP attribute (customized or
> standardized) in order to define the kind of authentication required
> for a user entry.
> For example, a user LDAP entry can be validated by the Radiator Radius
> Server via /etc/unix/password or a remote radius or ACE/SERVER
> according to the value of an "Auth-type" LDAP attribute.
> Another question is: where can I get the perl script for installing
> the Authen-ACE module? I would like to test interoperability with
> ACE/SERVER.
>
> Can I get some help from this marvellous mailing list:))
>
> Regards,
> Enrique
>
> -----Original Message-----
> From: Enrique Diez Fernandez [mailto:enrique.diez at dvc.es]
> Sent: Friday, 24 January 2003 20:03
> To: radiator at open.com.au
> Subject:
>
> Hi All,
> I am trying to configure my radiator radius server in order to check
> an ldap entry and verify an attribute of that server.
> I want to check if the attribute "authmethod" value is "ace" or "none".
> In case of "ace", I want the server to reject the authentication request.
> The configuration of the server is below:
> " <AuthBy LDAP2>
> Host 192.168.70.134
> Port 389
> AuthDN cn=Directory Manager
> # AuthPassword yourADadminpasswordhere
> AuthPassword qwerty123
> BaseDN ou=area3,o=davinci,st=Madrid,c=es
> UsernameAttr uid
> PasswordAttr userPassword
> AuthAttrDef authmethod,NO-ACE-Server,check
> </AuthBy>
> ".
>
> I have added to the user config file the line :
> DEFAULT NO-ACE-Server = "none".
>
> I have added to the "Check items" in the dictionary file the following
> line:
> " ATTRIBUTE NO-ACE-Server 90480019 string"
>
> When I tried to access with the user = Albertoj, whose authmethod
> value = ace, I would like to get an accept-request response from the
> radius but I got the following debug:
> " Code: Access-Request
> Identifier: 2
> Authentic: 1043434427
> Attributes:
> User-Name = "albertoj"
> User-Password =
> "oPW<204><169><11>1f<23>=<164><26><29><224><182><179>"
>
> Fri Jan 24 19:53:47 2003: DEBUG: Handling request with Handler 'Realm='
> Fri Jan 24 19:53:47 2003: DEBUG: Deleting session for albertoj,
> 192.168.70.11
>
> Fri Jan 24 19:53:47 2003: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Jan 24 19:53:47 2003: INFO: Connecting to 192.168.70.134, port 389
> Fri Jan 24 19:53:47 2003: INFO: Attempting to bind with cn=Directory
> Manager,
> erty123 (server 192.168.70.134:389)
> Fri Jan 24 19:53:47 2003: DEBUG: LDAP got result for cn=Alberto
> Juarez,ou=area
> o=davinci,st=Madrid,c=es
> Fri Jan 24 19:53:47 2003: DEBUG: LDAP got userPassword:
> {SSHA}VpP5xc7VlLwrp0mF
> 5kaCC6eGPuPU8wq34ffw==
> Fri Jan 24 19:53:47 2003: DEBUG: LDAP got authmethod: ace
> Fri Jan 24 19:53:47 2003: DEBUG: Radius::AuthLDAP2 looks for match with
> albert
>
> Fri Jan 24 19:53:47 2003: DEBUG: Radius::AuthLDAP2 REJECT: Check item
> NO-ACE-S
> ver expression 'ace' does not match '' in request
> Fri Jan 24 19:53:47 2003: INFO: Connecting to 192.168.70.134, port 389
> Fri Jan 24 19:53:47 2003: INFO: Attempting to bind with cn=Directory
> Manager,
> erty123 (server 192.168.70.134:389)
> Fri Jan 24 19:53:47 2003: DEBUG: No entries for DEFAULT found in LDAP
> database
> Fri Jan 24 19:53:47 2003: INFO: Access rejected for albertoj: Check
> item
> NO-AC
> Server expression 'ace' does not match '' in request
> Fri Jan 24 19:53:47 2003: DEBUG: Packet dump:
> *** Sending to 192.168.70.116 port 1221 ....
> Code: Access-Reject
> Identifier: 2
> Authentic: 1043434427
> Attributes:
> Reply-Message = "Request Denied""
>
>
> Is there anything I am missing?
>
> Any documentation about the LDAP documentation checks?
>
> Regards,
> Enrique
>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
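A constructed Python model of the two AuthAttrDef styles discussed in this thread, added here as an illustration (this is not Radiator code, and the matching semantics and the AUTHBY_CLAUSES registry are simplifying assumptions): a named check item compares the LDAP value against a request attribute of that name, which is why Enrique's "NO-ACE-Server" definition rejects, while a GENERIC check item parses the LDAP value as "Name = value" pairs and an Auth-Type pair hands the request to another AuthBy clause.

```python
import re

# Constructed AuthBy registry keyed by Identifier, mirroring Hugh's example clauses.
AUTHBY_CLAUSES = {
    "CheckSystem": "AuthBy SYSTEM",
    "ForwardToProxy": "AuthBy RADIUS",
    "CheckAce": "AuthBy ACE",
}

def parse_check_items(value):
    """Parse a check-item string such as 'Auth-Type = CheckAce' (or several,
    comma separated) into a list of (name, value) pairs. Double quotes
    around a value are stripped."""
    items = []
    for part in value.split(","):
        m = re.fullmatch(r'\s*([\w-]+)\s*=\s*"?(.*?)"?\s*', part)
        if not m:
            raise ValueError("bad check item: %r" % part)
        items.append((m.group(1), m.group(2)))
    return items

def evaluate(auth_attr_def, ldap_value, request):
    """Apply one 'ldapattr,radiusattr,check' AuthAttrDef (assumed semantics)
    to the value read from LDAP and the attributes of the incoming request."""
    _, radius_attr, kind = (s.strip() for s in auth_attr_def.split(","))
    if kind != "check":
        raise ValueError("only check definitions are modelled")
    if radius_attr != "GENERIC":
        # Named check item: the LDAP value must equal the request attribute
        # of that name. Enrique's request carries no NO-ACE-Server attribute,
        # so 'ace' is compared against '' and the request is rejected.
        got = request.get(radius_attr, "")
        if got != ldap_value:
            return ("REJECT", "Check item %s expression '%s' does not match '%s' in request"
                    % (radius_attr, ldap_value, got))
        return ("ACCEPT", "check item %s matched" % radius_attr)
    # GENERIC: the LDAP value is itself a list of check items.
    for name, val in parse_check_items(ldap_value):
        if name == "Auth-Type":
            clause = AUTHBY_CLAUSES.get(val)
            if clause is None:
                return ("REJECT", "no AuthBy clause with Identifier %s" % val)
            return ("DISPATCH", clause)  # hand the request to that clause
        got = request.get(name, "")
        if got != val:
            return ("REJECT", "Check item %s expression '%s' does not match '%s' in request"
                    % (name, val, got))
    return ("ACCEPT", "all GENERIC check items matched")
```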