(RADIATOR) 'Bad Password' error on authentication with LDAP (iPlanet)
judy
jdba03 at yahoo.com
Thu Nov 18 18:36:13 CST 2004
Hi all,
I installed Radiator 3.11 on a Linux (RH9) box and tried to configure it to authenticate users through an LDAP server (iPlanet on a Solaris server). We used NTRadPing as the testing tool.
Initially we could successfully authenticate users from the local user file; then we changed the radius.cfg to test the connection to the LDAP server. But we failed with some problem related to the password (that was plain-text and sent from Radius to the LDAP server), no matter whether we configured radius.cfg using 'PasswordAttr' or 'EncryptedPasswordAttr'. Actually, our LDAP passwords are in the form of {crypt}xxxxxxxxx -- so we're supposed to use 'PasswordAttr' as specified in the reference manual. I checked that the name fields like 'userPassword' match the ones in LDAP.
-------------------------------------
Errors in Radius's log file:
-------------------------------------
...
Thu Nov 18 16:58:31 2004: INFO: Connecting to ldap, port 123
Thu Nov 18 16:58:31 2004: INFO: Attempting to bind to LDAP server ldap:123)
Thu Nov 18 16:58:31 2004: INFO: Access rejected for judy: Bad Password
Thu Nov 18 18:23:24 2004: NOTICE: SIGTERM received: stopping
Thu Nov 18 18:23:31 2004: NOTICE: Server started: Radiator 3.11 on xxx
Thu Nov 18 18:23:59 2004: INFO: Connecting to ldap, port 123
Thu Nov 18 18:23:59 2004: INFO: Attempting to bind to LDAP server ldap:123)
Thu Nov 18 18:23:59 2004: INFO: Access rejected for judy: Bad Encrypted password
-----------------------------------------------------------
info in the access error log file on ldap:
-----------------------------------------------------------
showing the failed access records with host and user information
---------------------
Radius.cfg file:
---------------------
...
LogDir /var/log/radius
DbDir /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 3
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
<Realm DEFAULT>
<AuthBy LDAP2>
AuthDN uid=admin,o=ourcompany,c=US
AuthPassword adminpswd
BaseDN o=ourcompany, c=US
Host ldapsvr
NoDefault
PasswordAttr userPassword
UsernameAttr uid
Port 389
SearchFilter (&(uid=%{User-Name})(employeeType=CURRENT))
Debug 255
</AuthBy>
# Log accounting to a detail file
AcctLogFileName %L/detail
</Realm>
Thanks for any feedback in advance,
Judy
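As an added example (not from the original post and not Radiator's own code), the Perl routine below mimics the comparison a RADIUS server has to make between the password a user types into NTRadPing and an LDAP userPassword value: a `{crypt}` value must be verified with crypt() using the stored hash as the salt, so a plain string comparison against that attribute can never succeed. It also handles `{SHA}` and `{SSHA}`, which go beyond the poster's `{crypt}` case; the directory entries are constructed here, and `Secret42`/`Zq` are made-up sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1);
use MIME::Base64 qw(decode_base64);

# Compare a cleartext candidate (what the user typed) against one LDAP
# userPassword value.  Returns 1 on match, 0 otherwise.
sub check_userpassword {
    my ($stored, $candidate) = @_;

    if ($stored =~ /^\{crypt\}(.+)$/i) {
        # Unix crypt: the stored hash carries its own salt, so passing the
        # whole hash as the salt argument reproduces it for the right password.
        my $hash = $1;
        return crypt($candidate, $hash) eq $hash ? 1 : 0;
    }
    if ($stored =~ /^\{sha\}(.+)$/i) {
        # {SHA}: base64 of the raw SHA-1 digest, no salt.
        return sha1($candidate) eq decode_base64($1) ? 1 : 0;
    }
    if ($stored =~ /^\{ssha\}(.+)$/i) {
        # {SSHA}: base64 of SHA-1(password . salt) followed by the salt bytes.
        my $raw = decode_base64($1);
        my ($digest, $salt) = (substr($raw, 0, 20), substr($raw, 20));
        return sha1($candidate . $salt) eq $digest ? 1 : 0;
    }
    # No scheme prefix: the directory holds cleartext, plain comparison.
    return $stored eq $candidate ? 1 : 0;
}

# Constructed sample entries (not taken from the poster's directory).
my $plain   = 'Secret42';
my $crypted = '{crypt}' . crypt($plain, 'Zq');   # hash built here for the demo

for my $case (
    [ $crypted, $plain,     'crypt, right password' ],
    [ $crypted, 'Secret43', 'crypt, wrong password' ],
    [ $plain,   $plain,     'cleartext attribute'   ],
) {
    my ($stored, $cand, $label) = @$case;
    printf "%-24s -> %s\n", $label,
        check_userpassword($stored, $cand) ? 'ok' : 'Bad Password';
}

# A naive string compare of the typed password against a {crypt} value
# always fails: the attribute has to be recognised as a hash first.
printf "%-24s -> %s\n", 'naive eq on {crypt}',
    $crypted eq $plain ? 'ok' : 'Bad Password';
```

Running this against a copy of the actual attribute value from the directory (read with ldapsearch as the bind DN from radius.cfg) shows whether the stored hash itself verifies, which separates a wrong stored password from a misconfigured attribute setting.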