(RADIATOR) radiator 3.11 + Windows 2003 AD

Bob Smith b_smith44 at hotmail.com
Fri Jan 28 11:33:09 CST 2005


i'm trying to convince radiator to use AD as an authentication source. when 
i use radpwtst to test radiator i end up with LDAP_INVALID_CREDENTIALS 
errors. i have tested every possible combination i have defined for AuthDN 
with ldapsearch and they all work.

for AuthDN i have tried:

  CN=Radiator (Pseudo-User),OU=Proxy Users,DC=some,DC=place
  CN=Radiator (Pseudo-User),CN=Proxy Users,DC=some,DC=place
  radiator@some.place
  CN=%U,OU=Staff Users,DC=some,DC=place
  %U@some.place

the first three were using a proxy account created just for radiator, the 
last two were to bind as the user attempting to authenticate. when using the 
last two entries i set AuthPassword to %P. i'm hoping to not have to give 
radiator domain admin rights, i'm not sure what the best way to achieve this 
is.

i have also tried hitting AD via both ports 389 and 3268.


i made minimal changes to the sample ad-ldap.cfg and now have:

Foreground
LogStdout
LogDir          .
DbDir           .
Trace           4

<Client DEFAULT>
        Secret  mysecret
        DupInterval 0
</Client>

<Realm DEFAULT>
        <AuthBy LDAP2>
                Host            oslo.some.place
                Port 3268

                AuthDN "CN=Radiator (Pseudo-User),OU=Proxy Users,DC=some,DC=place"
#               AuthDN "radiator@some.place"
                AuthPassword    "q1w2e3r4T%"
                BaseDN          "ou=Staff Users,DC=some,DC=place"
                ServerChecksPassword
                UsernameAttr sAMAccountName

                AuthAttrDef logonHours,MS-Login-Hours,check
        </AuthBy>
</Realm>


the errors i'm getting look like:

Fri Jan 28 09:26:08 2005: DEBUG: Finished reading configuration file 'goodies/test.cfg'
This Radiator license will expire on 2005-04-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your license period, contact admin at open.com.au

Fri Jan 28 09:26:08 2005: DEBUG: Reading dictionary file './dictionary'
Fri Jan 28 09:26:08 2005: DEBUG: Creating authentication port 0.0.0.0:1645
Fri Jan 28 09:26:08 2005: DEBUG: Creating accounting port 0.0.0.0:1646
Fri Jan 28 09:26:08 2005: NOTICE: Server started: Radiator 3.11 on dibbler (LOCKED)

Fri Jan 28 09:26:15 2005: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 34429 ....
Code:       Access-Request
Identifier: 104
Authentic:  1234567890123456
Attributes:
        User-Name = "fred"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"

Fri Jan 28 09:26:15 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Jan 28 09:26:15 2005: DEBUG:  Deleting session for fred, 203.63.154.1, 1234
Fri Jan 28 09:26:15 2005: DEBUG: Handling with Radius::AuthLDAP2:
Fri Jan 28 09:26:15 2005: INFO: Connecting to oslo.some.place, port 3268
Fri Jan 28 09:26:15 2005: INFO: Attempting to bind to LDAP server oslo.some.place:3268
Fri Jan 28 09:26:15 2005: ERR: Could not bind connection with "radiator@some.place", "q1w2e3r4T%", error: LDAP_INVALID_CREDENTIALS (server oslo.some.place:3268).
Fri Jan 28 09:26:15 2005: ERR: Backing off from oslo.some.place:3268 for 600 seconds.


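Added example (not part of the original post and not Radiator code): the ERR line in the log above carries the bind password next to the bind identity, so a trace like this is worth scrubbing before it leaves the server. The Python sketch below redacts that field and reports which identity and server failed, tolerating mail-wrapped lines; the sample log, host names, account and password are constructed.

```python
import re

def _ws(pattern: str) -> str:
    """Let every literal space in the pattern also match a line wrap."""
    return pattern.replace(" ", r"\s+")

# Shape of the bind-failure record in the log above:
#   ERR: Could not bind connection with "<identity>", "<password>", error: <code> (server <host:port>).
BIND_FAILURE = re.compile(
    _ws(r'(?P<head>ERR: Could not bind connection with "(?P<identity>[^"]*)", ")')
    + r"(?P<password>.*?)"
    + _ws(r'(?P<tail>", error: (?P<error>\w+) \(server (?P<server>[^)\s]+)\))'),
    re.DOTALL,
)

def redact_bind_failures(log_text: str):
    """Return (scrubbed_text, findings); the line layout is preserved."""
    findings = []

    def _scrub(match):
        findings.append({
            "identity": " ".join(match["identity"].split()),  # undo wrapping inside the DN
            "error": match["error"],
            "server": match["server"],
        })
        return match["head"] + "<redacted>" + match["tail"]

    return BIND_FAILURE.sub(_scrub, log_text), findings

# Constructed sample (hosts, account and password are made up), wrapped the
# way a mail client wraps long log lines.
SAMPLE_LOG = """\
Mon Jan 01 10:00:00 2024: INFO: Attempting to bind to LDAP server
ldap.example.test:3268
Mon Jan 01 10:00:00 2024: ERR: Could not bind connection with
"CN=Radius Proxy,OU=Service
Accounts,DC=example,DC=test", "Constructed-Passw0rd", error: LDAP_INVALID_CREDENTIALS (server
ldap.example.test:3268).
"""

if __name__ == "__main__":
    scrubbed, found = redact_bind_failures(SAMPLE_LOG)
    print(scrubbed)
    for f in found:
        print(f"bind as {f['identity']!r} to {f['server']} failed: {f['error']}")
```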