(RADIATOR) AUTHBY LDAP2

Hugh Irvine hugh at open.com.au
Fri Apr 2 01:46:07 CST 2004


Hello Stephen -

OK - in that case you should roll your own SearchFilter to do what you  
require.

See section 6.35.15 in the manual.

regards

Hugh


On 2 Apr 2004, at 17:25, Stephen Ollis wrote:

> Hugh,
>
> Ah that would be one component that I left out of the e-mail.
> RADIATOR is running on a separate Linux system.
>
> Regards,
>
> Steve Ollis
>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Friday, 2 April 2004 5:18 PM
>> To: Stephen Ollis
>> Cc: radiator at open.com.au
>> Subject: Re: (RADIATOR) AUTHBY LDAP2
>>
>>
>> Hello Stephen -
>>
>> If you are running on Windows I would suggest either AuthBy
>> ADSI or AuthBy LSA.
>>
>> See sections 6.40 and 6.49 in the Radiator 3.9 reference
>> manual ("doc/ref.html").
>>
>> regards
>>
>> Hugh
>>
>>
>> On 2 Apr 2004, at 16:27, Stephen Ollis wrote:
>>
>>> Hi List..
>>>
>>> I'm in the process of evaluating Radiator as a replacement for the
>>> cursed MS RADIUS server.
>>>
>>> I want to re-use Active Directory as the authentication store for
>>> Radiator. This works fine.
>>> I have Security Groups configured to limit access to certain resources.
>>>
>>> With the BaseDN set to OU=Staff,OU=Technology Services,DC=hillsong,DC=net
>>> it lets me authenticate correctly. Changing the BaseDN to point to the
>>> relevant security group, ie CN=All Hills Dialup Access,OU=Security
>>> Groups,OU=Servers,DC=hillsong,DC=net
>>> fails.
>>>  
>>>
>>>
>>> Foreground
>>> LogStdout
>>> LogDir          .
>>> DbDir           .
>>> # Use a lower trace level in production systems:
>>> Trace           9
>>>
>>> # You will probably want to add other Clients to suit your site,
>>> # one for each NAS you want to work with
>>> <Client DEFAULT>
>>>         Secret          mysecret
>>>         DupInterval     0
>>> </Client>
>>>
>>> <Realm DEFAULT>
>>>         <AuthBy LDAP2>
>>>                 Host            hcdc.hillsong.net
>>>                 Version         3
>>>
>>>                 # Microsoft AD also listens on port 3268, and
>>>                 # requests received on that port are reported to be
>>>                 # more compliant with standard LDAP, so you may want
>>>                 # to use:
>>>                 # Port 3268
>>>
>>>                 AuthDN          CN=AdminAccount,OU=Staff,OU=Technology Services,DC=hillsong,DC=net
>>>                 AuthPassword    password-removed
>>>                 # Several BaseDN values were tried; the last one listed is the active one
>>>                 BaseDN          OU=Staff,OU=Technology Services,DC=hillsong,DC=net   # WORKS!!
>>>                 BaseDN          OU=Staff,OU=Technology Services,DC=hillsong,DC=net   # WORKS!!
>>>                 BaseDN          DC=hillsong,DC=net                                   # DOESN'T!
>>>                 BaseDN          CN=All Hills Wireless Access,OU=Security Groups,OU=Servers,DC=hillsong,DC=net
>>>                 ServerChecksPassword
>>>                 UsernameAttr    sAMAccountName
>>>                 AuthAttrDef     logonHours,MS-Login-Hours,check
>>>         </AuthBy>
>>>         AcctLogFileName ./detail
>>> </Realm>
>>>  
>>>  
>>>  
>>> Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
>>> *** Received from 127.0.0.1 port 40318 ....
>>>  
>>> Packet length = 99
>>> 01 24 00 63 31 32 33 34 35 36 37 38 39 30 31 32
>>> 33 34 35 36 01 0f 73 74 65 70 68 65 6e 2e 6f 6c 6c 69 73 06
>> 06 00 00
>>> 00 02 04 06 cb 3f 9a 01 05
>>> 06 00 00 04 d2 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39 38
>> 37 36 35
>>> 34 33 32 31 3d 06 00 00 00 00 02 12 c8 ed 36 c3 ca 38 65 8f
>> bc 38 09
>>> a0 d8 7d 78 99
>>> Code:       Access-Request
>>> Identifier: 36
>>> Authentic:  1234567890123456
>>> Attributes:
>>>         User-Name = "stephen.ollis"
>>>         Service-Type = Framed-User
>>>         NAS-IP-Address = 203.63.154.1
>>>         NAS-Port = 1234
>>>         Called-Station-Id = "123456789"
>>>         Calling-Station-Id = "987654321"
>>>         NAS-Port-Type = Async
>>>         User-Password =
>>> "<200><237>6<195><202>8e<143><188>8<9><160><216>}x<153>"
>>>  
>>> Fri Apr  2 16:25:51 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>> Fri Apr  2 16:25:51 2004: DEBUG:  Deleting session for stephen.ollis, 203.63.154.1, 1234
>>> Fri Apr  2 16:25:51 2004: DEBUG: Handling with Radius::AuthLDAP2:
>>> Fri Apr  2 16:25:51 2004: INFO: Connecting to hcdc.hillsong.net, port 389
>>> Fri Apr  2 16:25:51 2004: INFO: Attempting to bind to LDAP server hcdc.hillsong.net:389)
>>> Fri Apr  2 16:25:51 2004: DEBUG: No entries for stephen.ollis found in LDAP database
>>> Fri Apr  2 16:25:51 2004: DEBUG: Radius::AuthLDAP2 looks for match with stephen.ollis
>>> Fri Apr  2 16:25:51 2004: INFO: Connecting to hcdc.hillsong.net, port 389
>>> Fri Apr  2 16:25:51 2004: INFO: Attempting to bind to LDAP server hcdc.hillsong.net:389)
>>> Fri Apr  2 16:25:51 2004: DEBUG: No entries for DEFAULT found in LDAP database
>>> Fri Apr  2 16:25:51 2004: INFO: Access rejected for stephen.ollis: No such user
>>> Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 40318 ....
>>>  
>>> Packet length = 36
>>> 03 24 00 24 e2 a5 cc 30 76 b4 d7 12 7f 78 43 26 ee b6 51 65
>> 12 10 52
>>> 65 71 75 65 73 74 20 44 65 6e 69 65 64
>>> Code:       Access-Reject
>>> Identifier: 36
>>> Authentic:  1234567890123456
>>> Attributes:
>>>         Reply-Message = "Request Denied"
>>>  
>>> Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
>>> *** Received from 127.0.0.1 port 40318 ....
>>>  
>>> Packet length = 103
>>> 04 25 00 67 95 ed ae 14 5a ea 17 7f 97 2f 82 da 4a c9 57 07
>> 01 0f 73
>>> 74 65 70 68 65 6e 2e 6f 6c 6c 69 73 06 06 00 00 00 02 04 06
>> cb 3f 9a
>>> 01 05
>>> 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30 30 30 30 31 32 33
>> 34 28 06
>>> 00 00 00 01 1e 0b 31 32 33
>>> 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33 32
>>> 31 29 06 00 00 00 00
>>> Code:       Accounting-Request
>>> Identifier: 37
>>> Authentic:
>>> <149><237><174><20>Z<234><23><127><151>/<130><218>J<201>W<7>
>>> Attributes:
>>>         User-Name = "stephen.ollis"
>>>         Service-Type = Framed-User
>>>         NAS-IP-Address = 203.63.154.1
>>>         NAS-Port = 1234
>>>         NAS-Port-Type = Async
>>>         Acct-Session-Id = "00001234"
>>>         Acct-Status-Type = Start
>>>         Called-Station-Id = "123456789"
>>>         Calling-Station-Id = "987654321"
>>>         Acct-Delay-Time = 0
>>>  
>>> Fri Apr  2 16:25:51 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>> Fri Apr  2 16:25:51 2004: DEBUG:  Adding session for stephen.ollis, 203.63.154.1, 1234
>>> Fri Apr  2 16:25:51 2004: DEBUG: Handling with Radius::AuthLDAP2:
>>> Fri Apr  2 16:25:51 2004: DEBUG: Accounting accepted
>>> Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 40318 ....
>>>  
>>> Packet length = 20
>>> 05 25 00 14 17 3d 77 c6 4f 1a 4c 49 7e 53 14 e5
>>> 04 49 1d 75
>>> Code:       Accounting-Response
>>> Identifier: 37
>>> Authentic:
>>> <149><237><174><20>Z<234><23><127><151>/<130><218>J<201>W<7>
>>> Attributes:
>>>  
>>> Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
>>> *** Received from 127.0.0.1 port 40318 ....
>>>  
>>> Packet length = 121
>>> 04 26 00 79 86 83 91 37 85 3d 22 cc 6a ce bb 7e
>>> 41 35 b8 00 01 0f 73 74 65 70 68 65 6e 2e 6f 6c 6c 69 73 06
>> 06 00 00
>>> 00 02 04 06 cb 3f 9a 01 05
>>> 06 00 00 04 d2 3d 06 00 00 00 00 2c 0a 30 30 30 30 31 32 33
>> 34 28 06
>>> 00 00 00 02 1e 0b 31 32 33
>>> 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34 33 32
>>> 31 29 06 00 00 00 00 2e 06 00 00 03 e8 2a 06 00 00 4e 20 2b
>> 06 00 00
>>> 75 30
>>> Code:       Accounting-Request
>>> Identifier: 38
>>> Authentic:  <134><131><145>7<133>="<204>j<206><187>~A5<184><0>
>>> Attributes:
>>>         User-Name = "stephen.ollis"
>>>         Service-Type = Framed-User
>>>         NAS-IP-Address = 203.63.154.1
>>>         NAS-Port = 1234
>>>         NAS-Port-Type = Async
>>>         Acct-Session-Id = "00001234"
>>>         Acct-Status-Type = Stop
>>>         Called-Station-Id = "123456789"
>>>         Calling-Station-Id = "987654321"
>>>         Acct-Delay-Time = 0
>>>         Acct-Session-Time = 1000
>>>         Acct-Input-Octets = 20000
>>>         Acct-Output-Octets = 30000
>>>  
>>> Fri Apr  2 16:25:51 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>> Fri Apr  2 16:25:51 2004: DEBUG:  Deleting session for stephen.ollis, 203.63.154.1, 1234
>>> Fri Apr  2 16:25:51 2004: DEBUG: Handling with Radius::AuthLDAP2:
>>> Fri Apr  2 16:25:51 2004: DEBUG: Accounting accepted
>>> Fri Apr  2 16:25:51 2004: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 40318 ....
>>>  
>>> Packet length = 20
>>> 05 26 00 14 34 df f7 5b d6 4f ee 2e 0f df fa 63
>>> e2 96 bd 88
>>> Code:       Accounting-Response
>>> Identifier: 38
>>> Authentic:  <134><131><145>7<133>="<204>j<206><187>~A5<184><0>
>>> Attributes:
>>>  
>>>  
>>> Thanks
>>>  
>>> Stephen Ollis
>>> Manager, Technology Services
>>>  
>>>  
>>>  
>>>  
>>>
>>> The material contained in this email may be confidential, and may also
>>> be the subject of copyright and/or privileged information. If you are
>>> not the intended recipient, any use, disclosure or copying of this
>>> document is prohibited. If you have received this document in error,
>>> please advise the sender and delete the document.
>>>
>>> This email communication does not create or vary any contractual
>>> relationship between Hillsong Church and you. Internet communications
>>> are not secure and accordingly Hillsong Church does not accept any
>>> legal liability for the contents of this message.
>>>
>>> Please note that neither Hillsong Church nor the sender accepts any
>>> responsibility for viruses and it is your responsibility to scan the
>>> email and any attachments.
>>>
>>> Hillsong Church
>>> www.hillsong.com
>>>
>>
>> NB: have you included a copy of your configuration file (no
>> secrets), together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS
>> server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical,
>> extensible, flexible with hardware, software, platform and
>> database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
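As an added illustration of the SearchFilter approach Hugh points to (this fragment is not from the thread or from the Radiator manual), here is the group restriction from Stephen's configuration expressed as a filter rather than a BaseDN. It assumes Radiator's SearchFilter substitutions %0 (UsernameAttr) and %1 (the user name from the request) and the Active Directory memberOf attribute; host, AuthDN, OU and group DN are the ones quoted in the thread.

```text
# A BaseDN is a search base, so it must be a container (OU or domain)
# that holds the user objects. A group object has no entries beneath it,
# which is why pointing BaseDN at the group produces
# "No entries for stephen.ollis found in LDAP database" in the trace:
#
#   BaseDN   CN=All Hills Dialup Access,OU=Security Groups,OU=Servers,DC=hillsong,DC=net
#
# Keep BaseDN on the user subtree and move the group test into the filter.
<Realm DEFAULT>
        <AuthBy LDAP2>
                Host            hcdc.hillsong.net
                Version         3
                AuthDN          CN=AdminAccount,OU=Staff,OU=Technology Services,DC=hillsong,DC=net
                AuthPassword    password-removed
                BaseDN          OU=Staff,OU=Technology Services,DC=hillsong,DC=net
                UsernameAttr    sAMAccountName
                # %0 = UsernameAttr, %1 = User-Name from the request (assumed
                # Radiator substitutions). memberOf matches direct membership
                # only, and the group DN must match exactly, including case
                # of the attribute names and any spaces in the RDN values.
                SearchFilter    (&(%0=%1)(memberOf=CN=All Hills Dialup Access,OU=Security Groups,OU=Servers,DC=hillsong,DC=net))
                ServerChecksPassword
                AuthAttrDef     logonHours,MS-Login-Hours,check
        </AuthBy>
        AcctLogFileName ./detail
</Realm>
```

A user who is not in the group then gets the same "No such user" reject seen in the trace, which is the fail-closed outcome wanted here; confirm it with a trace 4 run for one member and one non-member before lowering the trace level.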

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

