(RADIATOR) radiator 3.11 + Windows 2003 AD
Hugh Irvine
hugh at open.com.au
Fri Jan 28 17:59:18 CST 2005
Hello Bob -
I am reasonably sure that Radiator must run as a user with
administrator privileges, and the AuthDN and AuthPassword must be an
administrator.
regards
Hugh
On 29 Jan 2005, at 04:33, Bob Smith wrote:
>
> I'm trying to convince radiator to use AD as an authentication source.
> When I use radpwtst to test radiator I end up with
> LDAP_INVALID_CREDENTIALS errors. I have tested every possible
> combination I have defined for AuthDN with ldapsearch and they all
> work.
>
> For AuthDN I have tried:
>
> CN=Radiator (Pseudo-User),OU=Proxy Users,DC=some,DC=place
> CN=Radiator (Pseudo-User),CN=Proxy Users,DC=some,DC=place
> radiator at some.place
> CN=%U,OU=Staff Users,DC=some,DC=place
> %U at some.place
>
> The first three were using a proxy account created just for radiator,
> the last two were to bind as the user attempting to authenticate. When
> using the last two entries I set AuthPassword to %P. I'm hoping to not
> have to give radiator domain admin rights; I'm not sure what the best
> way to achieve this is.
>
> I have also tried hitting AD via both ports 389 and 3268.
>
>
> I made minimal changes to the sample ad-ldap.cfg and now have:
>
> Foreground
> LogStdout
> LogDir .
> DbDir .
> Trace 4
>
> <Client DEFAULT>
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>     <AuthBy LDAP2>
>         Host oslo.some.place
>         Port 3268
>
>         AuthDN "CN=Radiator (Pseudo-User),OU=Proxy Users,DC=some,DC=place"
>         # AuthDN "radiator at some.place"
>         AuthPassword "q1w2e3r4T%"
>         BaseDN "ou=Staff Users,DC=some,DC=place"
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>
>         AuthAttrDef logonHours,MS-Login-Hours,check
>     </AuthBy>
> </Realm>
>
>
> The errors I'm getting look like:
>
> Fri Jan 28 09:26:08 2005: DEBUG: Finished reading configuration file 'goodies/test.cfg'
> This Radiator license will expire on 2005-04-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Fri Jan 28 09:26:08 2005: DEBUG: Reading dictionary file './dictionary'
> Fri Jan 28 09:26:08 2005: DEBUG: Creating authentication port 0.0.0.0:1645
> Fri Jan 28 09:26:08 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Fri Jan 28 09:26:08 2005: NOTICE: Server started: Radiator 3.11 on dibbler (LOCKED)
>
> Fri Jan 28 09:26:15 2005: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 34429 ....
> Code: Access-Request
> Identifier: 104
> Authentic: 1234567890123456
> Attributes:
> User-Name = "fred"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Fri Jan 28 09:26:15 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Jan 28 09:26:15 2005: DEBUG: Deleting session for fred, 203.63.154.1, 1234
> Fri Jan 28 09:26:15 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Jan 28 09:26:15 2005: INFO: Connecting to oslo.some.place, port 3268
> Fri Jan 28 09:26:15 2005: INFO: Attempting to bind to LDAP server oslo.some.place:3268
> Fri Jan 28 09:26:15 2005: ERR: Could not bind connection with "radiator at some.place", "q1w2e3r4T%", error: LDAP_INVALID_CREDENTIALS (server oslo.some.place:3268).
> Fri Jan 28 09:26:15 2005: ERR: Backing off from oslo.some.place:3268 for 600 seconds.
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
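The trace in the quoted message shows Radiator binding as "radiator at some.place" even though the posted config has that AuthDN commented out in favour of the CN= form, so the first thing to confirm is that the running Radiator actually read the config file being edited. The script below is an added example, not part of this thread or of Radiator itself: it reads AuthDN out of an <AuthBy LDAP2> block, pulls the bind DN and LDAP error out of the "Could not bind" line, reports whether they agree, and blanks AuthPassword/Secret values so a config can be posted to the list without secrets. The sample config and log line are constructed from the message, with the password replaced by a placeholder.

```python
import re
# Constructed from the config in the post; the real AuthPassword is replaced.
SAMPLE_CFG = """\
<Realm DEFAULT>
    <AuthBy LDAP2>
        Host oslo.some.place
        Port 3268
        AuthDN "CN=Radiator (Pseudo-User),OU=Proxy Users,DC=some,DC=place"
        # AuthDN "radiator at some.place"
        AuthPassword "PLACEHOLDER-PASSWORD"
        BaseDN "ou=Staff Users,DC=some,DC=place"
        ServerChecksPassword
        UsernameAttr sAMAccountName
    </AuthBy>
</Realm>
"""
# Constructed from the trace 4 ERR line in the post, password replaced likewise.
SAMPLE_LOG = ('Fri Jan 28 09:26:15 2005: ERR: Could not bind connection with '
              '"radiator at some.place", "PLACEHOLDER-PASSWORD", error: '
              'LDAP_INVALID_CREDENTIALS (server oslo.some.place:3268).\n')

def parse_authby_ldap(cfg):
    """Parameters of the first <AuthBy LDAP2> block; '#' lines are ignored."""
    block = re.search(r"<AuthBy\s+LDAP2>(.*?)</AuthBy>", cfg, re.S | re.I)
    params = {}
    for line in (block.group(1).splitlines() if block else []):
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, val = line.partition(" ")
            params[key] = val.strip().strip('"')   # flag-style keys get ""
    return params

def parse_bind_error(log):
    """(bind DN, LDAP error) from the first 'Could not bind' line, else None."""
    m = re.search(r'Could not bind connection with "([^"]*)", "[^"]*", error: (\S+)', log)
    return (m.group(1), m.group(2)) if m else None

def check_bind_consistency(cfg, log):
    """Does the DN Radiator tried to bind with match the AuthDN in the config?"""
    err = parse_bind_error(log)
    if err is None:
        return {"status": "no-bind-error"}
    configured = parse_authby_ldap(cfg).get("AuthDN")
    return {"status": "match" if err[0] == configured else "mismatch",
            "configured_AuthDN": configured, "logged_bind_dn": err[0],
            "ldap_error": err[1]}

def redact_secrets(cfg):
    """Blank AuthPassword/Secret values before posting a config to the list."""
    return re.sub(r"^([ \t]*(?:AuthPassword|Secret)[ \t]+).*$", r"\1<redacted>",
                  cfg, flags=re.M)
```

A "mismatch" result means the DN in the error line is not the AuthDN in the file you are looking at, so check which config file the server was started with before chasing the credentials themselves.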