(RADIATOR) LDAP ISSUES

Mike McCauley mikem at open.com.au
Thu Sep 30 17:19:49 CDT 2004


Hello Phil,


On Friday 01 October 2004 04:09, Phil Ershler wrote:
> Hi,
> 	I am trying to get Radiator to authenticate against LDAP and Open
> Directory on an OS X server. Here's what my config file looks like at
> this point.

The default LDAP protocol that Radiator uses is version 2. OpenLDAP 2.x and 
others will probably require you to add

	Version 3

to your AuthBy LDAP

Hope that helps.

Cheers.

>
>
> # opendirectory.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # OpenDirectory LDAP.
> #
> # Open Directory stores passwords in a proprietary encrypted format
> # and therefore requires the new ServerChecksPassword parameter
> #
> # This example works with the example DemoCorp directory provided
> # with OpenDirectory. You will need to edit the "Cosine User Id"
> # and "User Password" for users in the DemoCorp directory whom
> # you want to authenticate. The config will look for the user name
> # matching "Cosine User Id", so use your DXplorer or similar to
> # set "Cosine User Id" to be your dialup user name, and
> # "User Password" to be the dialup password.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # You should consider this file to be a starting point only
> # $Id: opendirectory.cfg,v 1.1 2000/02/15 07:12:00 mikem Exp $
>
> Foreground
> LogStdout
> LogDir          .
> DbDir           .
> AuthPort 1812
> AcctPort
> # You will probably want to change this to suit your site.
> <Client DEFAULT>
>          Secret  mysecret
>          DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>          <AuthBy LDAP2>
>                  # Open Directory has proprietary encrypted passwords
>                  # so we must get the server to check them.
>                  ServerChecksPassword
>
>                  # address obscured to protect the accused
>                  Host            aaa.bbb.ccc.ddd
>                  BaseDN          cn=users,dc=cvrti,dc=utah,dc=edu
>                  UsernameAttr    uid
>
>                  # Open Directory is happy with multiple requests
>                  # on one connection
>                  HoldServerConnection
>
>                  # You can use CheckAttr, ReplyAttr and AuthAttrDef
>                  # to specify check and reply attributes in the LDAP
>                  # database. See the reference manual for more
>                  # information
>
>                  # These are the classic things to add to each user's
>                  # reply to allow a PPP dialup session. It may be
>                  # different for your NAS. This will add some
>                  # reply items to everyone's reply
>                  AddToReply Framed-Protocol = PPP,\
>                          Framed-IP-Netmask = 255.255.255.255,\
>                          Framed-Routing = None,\
>                          Framed-MTU = 1500,\
>                          Framed-Compression = Van-Jacobson-TCP-IP
>
>                  # You can enable debugging of the Net::LDAP
>                  # module with this:
>                  Debug 255
>          </AuthBy>
>          # Log accounting to the detail file in LogDir
>          AcctLogFileName ./detail
> </Realm>
>
> And here is the debug information that I am getting back. It looks to
> me like the LDAP system doesn't like the HASHed information it is
> getting. I'm not enough of a "perl head" to know how to fix this issue.
>
> Thanks for any and all information,
>
> Phil
>
> Net::LDAP=HASH(0x9a3258) sending:
>
> 30 0C 02 01 01 60 07 02 01 02 04 00 80 00 __ __ 0....`........
>
> 0000   12: SEQUENCE {
> 0002    1:   INTEGER = 1
> 0005    7:   [APPLICATION 0] {
> 0007    1:     INTEGER = 2
> 000A    0:     STRING = ''
> 000C    0:     [CONTEXT 0]
> 000E     :   }
> 000E     : }
> Net::LDAP=HASH(0x9a3258) received:
>
> 30 32 02 01 01 61 2D 0A 01 02 04 00 04 26 72 65 02...a-......&re
> 71 75 65 73 74 65 64 20 70 72 6F 74 6F 63 6F 6C quested protocol
> 20 76 65 72 73 69 6F 6E 20 6E 6F 74 20 61 6C 6C  version not all
> 6F 77 65 64 __ __ __ __ __ __ __ __ __ __ __ __ owed
>
> 0000   50: SEQUENCE {
> 0002    1:   INTEGER = 1
> 0005   45:   [APPLICATION 1] {
> 0007    1:     ENUM = 2
> 000A    0:     STRING = ''
> 000C   38:     STRING = 'requested protocol version not allowed'
> 0034     :   }
> 0034     : }
> Thu Sep 30 09:57:43 2004: ERR: Could not bind connection with , ,
> error: LDAP_PROTOCOL_ERROR (server aaa.bbb.ccc.ddd:389)
>
>
> - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
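Reading the two Net::LDAP hex dumps in the quoted message by hand is tedious, so the following added Python example (not Radiator's or Net::LDAP's code) decodes the BER structure of that BindRequest and BindResponse and reports what they carry. The hex strings are constructed from the dumps in the post with the ASCII gutter and `__` padding removed; the function and class names (`read_tlv`, `decode_bind_message`, `needs_version_3`, `BindMessage`) are this example's own.

```python
"""Decode the BER-encoded LDAP bind exchange from a Net::LDAP debug trace.

Added example, not Radiator's or Net::LDAP's code. The hex dumps are
constructed from the two messages quoted in the post.
"""
from dataclasses import dataclass
from typing import Optional

BIND_REQUEST_HEX = "30 0C 02 01 01 60 07 02 01 02 04 00 80 00"
BIND_RESPONSE_HEX = (
    "30 32 02 01 01 61 2D 0A 01 02 04 00 04 26 72 65 "
    "71 75 65 73 74 65 64 20 70 72 6F 74 6F 63 6F 6C "
    "20 76 65 72 73 69 6F 6E 20 6E 6F 74 20 61 6C 6C "
    "6F 77 65 64"
)

# LDAP resultCode values (RFC 4511) that a bind commonly returns.
RESULT_CODES = {
    0: "success",
    2: "protocolError",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    49: "invalidCredentials",
}


@dataclass
class BindMessage:
    message_id: int
    kind: str                      # "BindRequest" or "BindResponse"
    version: Optional[int] = None  # BindRequest only
    name: str = ""                 # bind DN (request) or matchedDN (response)
    result_code: Optional[int] = None
    diagnostic: str = ""


def hex_to_bytes(dump: str) -> bytes:
    """bytes.fromhex ignores the spaces between octets."""
    return bytes.fromhex(dump)


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos).

    Handles single-byte tags and definite lengths in short form (< 0x80)
    or long form (0x81..0x84), which covers every LDAP message.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def ber_int(value: bytes) -> int:
    """INTEGER and ENUMERATED share the same two's-complement encoding."""
    return int.from_bytes(value, "big", signed=True) if value else 0


def decode_bind_message(raw: bytes) -> BindMessage:
    """Parse LDAPMessage ::= SEQUENCE { messageID, protocolOp }."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE (0x30)")
    _, msgid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == 0x60:  # [APPLICATION 0] BindRequest: version, name, auth
        _, version, p = read_tlv(op, 0)
        _, name, p = read_tlv(op, p)
        return BindMessage(ber_int(msgid), "BindRequest",
                           version=ber_int(version), name=name.decode())
    if op_tag == 0x61:  # [APPLICATION 1] BindResponse: code, matchedDN, msg
        _, code, p = read_tlv(op, 0)
        _, matched, p = read_tlv(op, p)
        _, diag, p = read_tlv(op, p)
        return BindMessage(ber_int(msgid), "BindResponse",
                           name=matched.decode(), result_code=ber_int(code),
                           diagnostic=diag.decode("utf-8", "replace"))
    raise ValueError(f"not a bind message: protocol op tag 0x{op_tag:02X}")


def result_name(code: Optional[int]) -> str:
    return RESULT_CODES.get(code, f"resultCode {code}")


def needs_version_3(request: BindMessage, response: BindMessage) -> bool:
    """True when a v2 bind was answered with protocolError, the symptom
    that adding 'Version 3' to <AuthBy LDAP2> addresses."""
    return (request.kind == "BindRequest" and (request.version or 0) < 3
            and response.kind == "BindResponse" and response.result_code == 2)


if __name__ == "__main__":
    req = decode_bind_message(hex_to_bytes(BIND_REQUEST_HEX))
    resp = decode_bind_message(hex_to_bytes(BIND_RESPONSE_HEX))
    print(f"bind request : version {req.version}, name {req.name!r}")
    print(f"bind response: {result_name(resp.result_code)} - {resp.diagnostic!r}")
    if needs_version_3(req, resp):
        print("fix: add 'Version 3' inside <AuthBy LDAP2>")
```

Run stand-alone, it shows the request carrying version 2 with an empty bind DN (which is why the ERR line reads "Could not bind connection with , ,": no AuthDN or AuthPassword is set, so the bind is anonymous), and the response carrying resultCode 2, protocolError, with the server's own text "requested protocol version not allowed". Because the server refuses the protocol version rather than the credentials, no amount of password handling on the Radiator side changes the outcome; only the `Version 3` setting does.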
