(RADIATOR) LDAP ISSUES

Phil Ershler ershler at cvrti.utah.edu
Thu Sep 30 13:09:56 CDT 2004


Hi,
	I am trying to get Radiator to authenticate against LDAP and Open 
Directory on an OS X server. Here's what my config file looks like at 
this point.


# opendirectory.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# OpenDirectory LDAP.
#
# Open Directory stores passwords in a proprietary encrypted format
# and therefore requires the new ServerChecksPassword parameter
#
# This example works with the example DemoCorp directory provided
# with OpenDirectory. You will need to edit the "Cosine User Id"
# and "User Password" for users in the DemoCorp directory whom
# you want to authenticate. The config will look for the user name
# matching "Cosine User Id", so use your DXplorer or similar to
# set "Cosine User Id" to be your dialup user name, and
# "User Password" to be the dialup password.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: opendirectory.cfg,v 1.1 2000/02/15 07:12:00 mikem Exp $

Foreground
LogStdout
LogDir          .
DbDir           .
AuthPort 1812
# AcctPort needs a port number; 1813 is the standard RADIUS accounting port
AcctPort 1813
# You will probably want to change this to suit your site.
<Client DEFAULT>
         Secret  mysecret
         DupInterval 0
</Client>

<Realm DEFAULT>
         <AuthBy LDAP2>
                 # Open Directory has proprietary encrypted passwords
                 # so we must get the server to check them.
                 ServerChecksPassword

                 # address obscured to protect the accused
                 Host            aaa.bbb.ccc.ddd
                 BaseDN          cn=users,dc=cvrti,dc=utah,dc=edu
                 UsernameAttr    uid

                 # Open Directory is happy with multiple requests
                 # on one connection
                 HoldServerConnection

                 # You can use CheckAttr, ReplyAttr and AuthAttrDef
                 # to specify check and reply attributes in the LDAP
                 # database. See the reference manual for more
                 # information

                 # These are the classic things to add to each user's
                 # reply to allow a PPP dialup session. It may be
                 # different for your NAS. This will add some
                 # reply items to everyone's reply
                 AddToReply Framed-Protocol = PPP,\
                         Framed-IP-Netmask = 255.255.255.255,\
                         Framed-Routing = None,\
                         Framed-MTU = 1500,\
                         Framed-Compression = Van-Jacobson-TCP-IP

                 # You can enable debugging of the Net::LDAP
                 # module with this:
                 Debug 255
         </AuthBy>
         # Log accounting to the detail file in LogDir
         AcctLogFileName ./detail
</Realm>

And here is the debug information that I am getting back. It looks to 
me like the LDAP system doesn't like the HASHed information it is 
getting. I'm not enough of a "perl head" to know how to fix this issue.

Thanks for any and all information,

Phil

Net::LDAP=HASH(0x9a3258) sending:

30 0C 02 01 01 60 07 02 01 02 04 00 80 00 __ __ 0....`........

0000   12: SEQUENCE {
0002    1:   INTEGER = 1
0005    7:   [APPLICATION 0] {
0007    1:     INTEGER = 2
000A    0:     STRING = ''
000C    0:     [CONTEXT 0]
000E     :   }
000E     : }
Net::LDAP=HASH(0x9a3258) received:

30 32 02 01 01 61 2D 0A 01 02 04 00 04 26 72 65 02...a-......&re
71 75 65 73 74 65 64 20 70 72 6F 74 6F 63 6F 6C quested protocol
20 76 65 72 73 69 6F 6E 20 6E 6F 74 20 61 6C 6C  version not all
6F 77 65 64 __ __ __ __ __ __ __ __ __ __ __ __ owed

0000   50: SEQUENCE {
0002    1:   INTEGER = 1
0005   45:   [APPLICATION 1] {
0007    1:     ENUM = 2
000A    0:     STRING = ''
000C   38:     STRING = 'requested protocol version not allowed'
0034     :   }
0034     : }
Thu Sep 30 09:57:43 2004: ERR: Could not bind connection with , , 
error: LDAP_PROTOCOL_ERROR (server aaa.bbb.ccc.ddd:389)
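The two hex dumps above are a complete LDAP bind exchange, and the answer to the question is already inside them: the client sends a BindRequest with `INTEGER = 2` (LDAP protocol version 2) and the server answers with resultCode `2` (protocolError) and the diagnostic text "requested protocol version not allowed". Nothing about the password hash is involved yet; the server refuses before credentials are examined. The following script is an added example, not part of the original post or of Radiator, that decodes those exact bytes (copied from the dumps and embedded inline) with a minimal BER reader, so the version and result code can be checked mechanically rather than by eye. The `diagnose` helper and its advice to switch the client to LDAPv3 are the example's own; the Radiator `Version` parameter it mentions is a real AuthBy LDAP2 option, but consult the reference manual for the exact spelling in your release.

```python
"""Decode the LDAP BindRequest/BindResponse pair from the Net::LDAP debug dump."""

# Bytes copied from the two hex dumps in the post (constructed inline so the
# script runs offline; the '__' padding columns of the dump are omitted).
BIND_REQUEST = bytes.fromhex("300C020101600702010204008000")
BIND_RESPONSE = bytes.fromhex(
    "3032020101612D0A0102040004267265717565737465642070726F746F636F6C"
    "2076657273696F6E206E6F7420616C6C6F776564"
)

# RFC 4511 resultCode values a bind can return (subset).
RESULT_CODES = {0: "success", 2: "protocolError", 49: "invalidCredentials"}


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one BER TLV, short- or long-form length."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_bind(pdu: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindRequest ([APPLICATION 0]) or BindResponse ([APPLICATION 1])."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, msgid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    out = {"messageID": int.from_bytes(msgid, "big")}
    if op_tag == 0x60:
        _, version, p = read_tlv(op, 0)      # INTEGER: protocol version
        _, name, p = read_tlv(op, p)         # OCTET STRING: bind DN ('' = anonymous)
        auth_tag, cred, _ = read_tlv(op, p)  # [CONTEXT 0] = simple authentication
        out.update(op="BindRequest", version=int.from_bytes(version, "big"),
                   name=name.decode(), simple_auth=(auth_tag == 0x80),
                   credentials_len=len(cred))
    elif op_tag == 0x61:
        _, code, p = read_tlv(op, 0)         # ENUMERATED: resultCode
        _, matched, p = read_tlv(op, p)      # OCTET STRING: matchedDN
        _, diag, _ = read_tlv(op, p)         # OCTET STRING: diagnosticMessage
        c = int.from_bytes(code, "big")
        out.update(op="BindResponse", resultCode=c,
                   resultName=RESULT_CODES.get(c, "other"),
                   matchedDN=matched.decode(), diagnosticMessage=diag.decode())
    else:
        out["op"] = "unhandled tag 0x%02X" % op_tag
    return out


def diagnose(request: dict, response: dict) -> str:
    """Turn the decoded pair into a one-line verdict (hypothetical helper for this example)."""
    if response["resultCode"] == 2 and request["version"] < 3:
        return ("server rejected an LDAPv%d bind before checking any credentials; "
                "configure the client for LDAPv3 (Radiator AuthBy LDAP2: 'Version 3')"
                % request["version"])
    if response["resultCode"] == 49:
        return "bind reached the password check and the credentials were refused"
    return "bind result: %s" % response["resultName"]


if __name__ == "__main__":
    req = decode_bind(BIND_REQUEST)
    resp = decode_bind(BIND_RESPONSE)
    print(req)
    print(resp)
    print(diagnose(req, resp))
```

The bind DN in the request is empty, which matches the `Could not bind connection with , ,` wording of the Radiator log line: no AuthDN/AuthPassword are configured, so this is an anonymous LDAPv2 bind, and the protocolError comes back before any user lookup or password check happens.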

