(RADIATOR) Radiator 3.11 and Novell eDirectory

Hugh Irvine hugh at open.com.au
Mon Feb 28 22:02:41 CST 2005


Hello Campbell -

Many LDAP servers do not support persistent connections - this is why  
the Radiator default behaviour is to reconnect for every request.

For the Perl problem you should run radiusd like this so you can see  
what happens:

	perl radiusd -foreground -log_stdout -trace 4 -config_file ....

regards

Hugh


On 28 Feb 2005, at 21:44, Campbell Simpson wrote:

> Hi
>
> I was wondering if anyone out there has had some experience getting  
> Radiator to talk LDAP to Novell eDirectory? I currently have two  
> problems and I hope someone out there has come across them before.
>
> First up is the situation where an authentication request is made  
> against an invalid user name or realm. For some reason no response is  
> received from the LDAP server (according to radiator). The Novell guy  
> I'm working with tells me that eDirectory logs an entry saying "no  
> such entry" and when he uses his CLI ldap tool to query the directory  
> it comes back with "object not found". Radiator however reports that  
> it's trying to connect to the ldap server and the authentication  
> request times out. I'm wondering if this could be a perl-ldap module  
> problem? As a result of this radiusd dies every time I try to  
> authenticate a non-existent user.
>
> Example of trace
>
> *** Received from 127.0.0.1 port 33062 ....
> Code:       Access-Request
> Identifier: 193
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "remoteworkrr1 at vpntest.co.nz"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = "<151><228>)<200><195>01<246><188>8<9><160><216>}x<153>"
>
> Tue Mar  1 09:32:29 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Mar  1 09:32:29 2005: DEBUG: Rewrote user name to remoteworkrr1
> Tue Mar  1 09:32:29 2005: DEBUG:  Deleting session for remoteworkrr1 at vpntest.co.nz, 203.63.154.1, 1234
> Tue Mar  1 09:32:29 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Mar  1 09:32:29 2005: INFO: Connecting to 146.171.39.80, port 389
> Tue Mar  1 09:32:29 2005: INFO: Attempting to bind to LDAP server 146.171.39.80:389)
>
>
> My config file is:
>
> # radius2.cfg
> #
> # Configuration file for radius server
> #
> # Author: Mike McCauley (mikem at open.com.au)
> # Copyright (C) 1997 Open System Consultants
> # $Id: radius2.cfg,v 1.6 1999/07/14 05:28:50 mikem Exp $
> #
> AuthPort 1645
> AcctPort 1646
>
> # Set this to the directory where your logfile and details file are to go
> LogDir /opt/radiator/log
> DictionaryFile /opt/radiator/dictionary
> Trace 4
>
> # Set this to the database directory. It should contain these files:
> # users           The user database
> # dictionary      The dictionary for your NAS
> #DbDir /usr/local/etc/raddb
>
> # ipnetproxy1
> <Client 192.168.0.33>
>         Secret   metta
> </Client>
>
> # ipnetproxy2
> <Client 192.168.0.34>
>         Secret   metta
> </Client>
>
> # ipnetproxy3
> <Client 192.168.0.35>
>         Secret   metta
> </Client>
>
> # For testing: this allows us to honour requests from radpwtst
> # on the same host.
> <Client localhost>
>         Secret mysecret
>         DupInterval 0
> </Client>
>
> <AuthLog FILE>
>         Identifier myauthlogger
>         Filename %L/authlog
>         LogSuccess 1
>         LogFailure 1
> </AuthLog>
>
> <Realm DEFAULT>
>         RewriteUsername s/^([^@]+).*/$1/
>         AcctLogFileName %L/accounting.%W
>         WtmpFileName %L/wtmp.%W
>         PasswordLogFileName %L/auth.%W
>
>         <AuthBy LDAP2>
>                 Host    146.171.39.80
>                 Port    389
> #                HoldServerConnection
>                 ServerChecksPassword
>                 BaseDN  cn=%1,ou=%W,ou=external,ou=customers,ou=Views,o=META
>                 Scope   base
>                 AuthDN  cn=THRRadius,o=META
>                 AuthPassword    xxxxx
>                 PasswordAttr    userpassword
>                 AuthAttrDef     groupMembership,GENERIC,reply
>                 AuthAttrDef     aaareply,GENERIC,reply
> #                CheckAttr       aaacheck
>                 Version 3
>                 Debug 255
>                 NoDefault
>
>                 # This is the LDAP attribute to match the radius user name
>                 UsernameAttr   uid
>                 AddToReply  Framed-Protocol = PPP,Service-Type = Framed,NAS-Port-Type=%{NAS-Port-Type},NAS-IP-Address=%{NAS-IP-Address}
>
>         </AuthBy>
> </Realm>
>
> My second problem is I can't seem to hold open the LDAP server  
> connection. I had to comment out "HoldServerConnection". Any idea how  
> to set up eDirectory so that it will keep the LDAP connection alive?
>
> Thanks
>
> Campbell Simpson
> Solutions Development
> Alcatel New Zealand Ltd
> +64 07 8345781 +64 027 4467723
> Campbell.Simpson at alcatel.co.nz
>
>

NB: I am travelling this week, so there may be delays in our  
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
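A lookup-then-bind check written the way the posted AuthBy LDAP2 block describes the flow (bind with the service account, base-scope search on a DN built from the rewritten user name, then bind as that user because ServerChecksPassword is set), as an added example that is not part of this thread or of Radiator's own code. It uses perl-ldap's Net::LDAP with an explicit timeout and treats the noSuchObject result from the first problem as a definite reject rather than waiting for a response that never arrives. The service-account password, the parent DN (the posted config derives part of it from %W), the DN escaping and the empty-password guard are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): lookup-then-bind against an LDAP
# directory, structured so that an unknown user, a bad password or an
# unresponsive server all produce a definite result within a bounded time.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_NO_SUCH_OBJECT LDAP_INVALID_CREDENTIALS);

my $host    = '146.171.39.80';         # Host from the posted config
my $port    = 389;                     # Port from the posted config
my $auth_dn = 'cn=THRRadius,o=META';   # AuthDN from the posted config
my $auth_pw = 'PLACEHOLDER-PASSWORD';  # assumption: the real AuthPassword is redacted
my $timeout = 5;                       # seconds, applied to connect and to each search

# Build the per-user base DN as the posted BaseDN line does for cn=%1.
# The parent DN is an assumption; the ou=%W component is whatever the
# operator substitutes there. DN special characters (RFC 4514) are
# escaped so a crafted user name cannot alter the DN structure.
sub user_dn {
    my ($user, $parent_dn) = @_;
    $user =~ s/([,+"\\<>;=#])/\\$1/g;
    return "cn=$user,$parent_dn";
}

# Returns (1, 'ok') on success, (0, reason) on any failure.
sub authenticate {
    my ($user, $password, $parent_dn) = @_;

    # An empty password must never reach the user bind: many servers treat a
    # bind with an empty password as an anonymous bind and report success.
    return (0, 'empty password') unless defined $password && length $password;

    my $ldap = Net::LDAP->new($host, port => $port, timeout => $timeout, version => 3)
        or return (0, "connect failed: $@");

    my $mesg = $ldap->bind($auth_dn, password => $auth_pw);
    if ($mesg->code != LDAP_SUCCESS) {
        $ldap->unbind;
        return (0, 'service bind failed: ' . $mesg->error);
    }

    my $dn = user_dn($user, $parent_dn);

    # Scope base on a DN that does not exist yields noSuchObject (result 32),
    # not an empty result set; treat either as an explicit reject. The
    # timelimit bounds how long the server may take to answer.
    $mesg = $ldap->search(base => $dn, scope => 'base', filter => '(objectClass=*)',
                          attrs => ['1.1'], timelimit => $timeout);
    if ($mesg->code == LDAP_NO_SUCH_OBJECT || ($mesg->code == LDAP_SUCCESS && $mesg->count == 0)) {
        $ldap->unbind;
        return (0, "unknown user: $user");
    }
    if ($mesg->code != LDAP_SUCCESS) {
        $ldap->unbind;
        return (0, 'search failed: ' . $mesg->error);
    }

    # ServerChecksPassword: let the directory verify the password by binding
    # as the user, instead of reading and comparing userpassword ourselves.
    $mesg = $ldap->bind($dn, password => $password);
    $ldap->unbind;
    return (1, 'ok') if $mesg->code == LDAP_SUCCESS;
    return (0, 'bad password') if $mesg->code == LDAP_INVALID_CREDENTIALS;
    return (0, 'user bind failed: ' . $mesg->error);
}

# Usage: lookup_bind.pl <user> <password> [parent DN]
my ($user, $password, $parent_dn) = @ARGV;
die "usage: $0 <user> <password> [parent DN]\n" unless defined $user;
$parent_dn //= 'ou=PLACEHOLDER-REALM,ou=external,ou=customers,ou=Views,o=META';

my ($ok, $why) = authenticate($user, $password, $parent_dn);
print $ok ? "Access-Accept\n" : "Access-Reject ($why)\n";
exit($ok ? 0 : 1);
```

Run with a user name that does not exist in the directory and the script returns a reject with the server's own noSuchObject result instead of hanging; the same code path is the one worth watching in a trace 4 log, since a lookup that neither succeeds nor fails within the timeout is a connectivity or module problem rather than an authentication decision. Each call opens and closes its own connection, which matches the Radiator default Hugh describes when HoldServerConnection is not set.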

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.