(RADIATOR) ldap search problem
Mike McCauley
mikem at open.com.au
Mon Jun 20 19:42:25 CDT 2005
Hello Simon,
On Monday 20 June 2005 21:54, Simon Merckx wrote:
> Hi,
>
> I have configured radiator to do an ldap search on a Novell ldap server.
> When there are two usernames who begin with the same part (for example
> testadmin and test), it returns the first match it finds. So if the
> username should be test, radiator matches testadmin if that is the username
> it first finds in the ldap database. This is unwanted behavior. Is there an
> option to correct this? There seems to be nothing wrong with the Novell
> server.
That is very odd.
We have not seen that behaviour with other LDAP servers. We would expect to
see an exact match against the cn, not a leading substring match. See for
example the doc at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/search_filter_syntax.asp
and RFC 1960.
You may want to confirm that behaviour with ldapsearch, using something like
this:
ldapsearch -h abc.vjz -b 'o=lan' '(cn=test)'
I suspect this will turn out to be an LDAP server configuration issue.
Cheers.
>
> my ldap config:
>
> <AuthBy LDAP2>
> # Tell Radiator how to talk to the LDAP server
> #Host localhost
> Host abc.vjz
> # You will only need these if your LDAP server
> # requires authentication. These are the examples
> # in a default OpenLDAP installation
> # see /etc/openldap/slapd.conf
> #AuthDN cn=Manager, dc=example, dc=com
> #AuthPassword secret
>
> # This is the top of the search tree where users
> # will be found. It should match the configuration
> # of your server, see /etc/openldap/slapd.conf
> #BaseDN dc=example, dc=com
> BaseDN o=lan
>
> # This is the LDAP attribute to match the radius user name
> #UsernameAttr cn
> UsernameAttr cn
>
> # If you don't specify ServerChecksPassword, you
> # need to tell Radiator which attribute contains
> # the password. It can be plaintext or encrypted
> #EncryptedPasswordAttr userPassword
> #PasswordAttr password
> ServerChecksPassword 1
>
> # You can use CheckAttr, ReplyAttr and AuthAttrDef
> # to specify check and reply attributes in the LDAP
> # database. See the reference manual for more
> # information
> #AuthAttrDef ipaddress,Framed-IP-Address,reply
>
> # These are the classic things to add to each users
> # reply to allow a PPP dialup session. It may be
> # different for your NAS. This will add some
> # reply items to everyone's reply
> # AddToReply Framed-Protocol = PPP,\
> # Framed-IP-Netmask = 255.255.255.255,\
> # Framed-Routing = None,\
> # Framed-MTU = 1500,\
> # Framed-Compression = Van-Jacobson-TCP-IP
>
> # You can enable debugging of the Net::LDAP
> # module with this:
> #Debug 255
>
> # With LDAP2, You can enable SSL or TLS with perl-ldap 0.22 and better
> # by setting UseSSL or UseTLS. Not supported on Windows
> #UseSSL
> # UseTLS
> # If you set UseSSL or UseTLS, also need to set these:
> #SSLCAClientCert certificates/cert-clt.pem
> #SSLCAClientKey whatever
> # (certificates in PEM format)
> # Also need to set one of:
> #SSLCAFile certificates/demoCA/cacert.pem
> # SSLCAPath /path/to/file/containing/certificate/of/CA
> # (certificates in PEM format)
> # These set the corresponding parameters in the
> # LDAPS connection (see perl-ldap docs)
> # Requires IO::Socket::SSL, Net::SSLeay and openssl
>
> # You can control the timeout for connection failure,
> # plus the backoff time after failure. Timeout defaults
> # to 10 secs and FailureBackoffTime to 10 mins
> # Timeout 2
> # FailureBackoffTime 10
>
> # With PostSearchHook you can do your own processing
> # of the LDAP data.
> # Arg 0 is the AuthBy LDAP object
> # Arg 1 is the user name being authenticated
> # Arg 2 is the received request packet
> # Arg 3 is the user object holding check and reply
> # items for this user
> # Arg 4 is the search results handle, whose type
> # depends on whether it's LDAP, LDAP2, or LDAPSDK
> #PostSearchHook sub {print "PostSearchHook @_\n";\
> # my $attr = $_[4]->get('someldapattr');\
> # print "get attribute $attr\n";}
>
> # You can control the LDAP protocol version to be used
> # to talk to the LDAP server. OpenLDAP 2 requires
> # Version 3 unless you have 'allow bind_v2' in your
> # slapd.conf. Defaults to version 2
> Version 3
> </AuthBy>
>
>
> regards,
>
> Simon
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
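The point of Mike's reply is that an LDAP equality filter such as (cn=test) is an exact match on the attribute value, while a leading-substring match only arises from a substring filter such as (cn=test*). The following is an added illustration, not code from Radiator, Net::LDAP or this thread: it evaluates equality and substring filters against two constructed entries (the "test" and "testadmin" users from the question), escapes filter values per RFC 4515 (the current revision of the RFC 1960 filter syntax), and refuses to authenticate when a search returns anything other than exactly one entry. The directory entries, attribute names and function names are assumptions for the example.

```python
import re

# Constructed sample directory with the two users from the thread (not real data).
DIRECTORY = [
    {"dn": "cn=test,o=lan", "cn": "test"},
    {"dn": "cn=testadmin,o=lan", "cn": "testadmin"},
]

# Characters that must be escaped inside an LDAP filter assertion value (RFC 4515).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally, never as a wildcard or sub-filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attr: str, username: str) -> str:
    """Build the equality filter the server would run for a RADIUS user name."""
    return f"({attr}={escape_filter_value(username)})"


def _unescape(token: str) -> str:
    # Turn \XX hex escapes back into the literal character.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), token)


def matches(filter_str: str, entry: dict) -> bool:
    """Evaluate one (attr=value) filter; '*' in the value makes it a substring filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, pattern = m.group(1), m.group(2)
    actual = entry.get(attr)
    if actual is None:
        return False
    if "*" not in pattern:
        # Equality match; cn uses caseIgnoreMatch, so compare case-insensitively.
        return actual.lower() == _unescape(pattern).lower()
    # Substring match: split on unescaped '*' only, then unescape each literal piece.
    parts = [_unescape(p) for p in pattern.split("*")]
    regex = ".*".join(re.escape(p) for p in parts)
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def search(filter_str: str, directory=DIRECTORY) -> list:
    """Return the DNs of all entries matching the filter."""
    return [e["dn"] for e in directory if matches(filter_str, e)]


def lookup_user(username: str, directory=DIRECTORY):
    """Resolve a RADIUS user name to exactly one DN, or None if the result is ambiguous."""
    hits = search(build_filter("cn", username), directory)
    if len(hits) != 1:
        return None
    return hits[0]


if __name__ == "__main__":
    print("(cn=test)   ->", search("(cn=test)"))          # exact match: only cn=test
    print("(cn=test*)  ->", search("(cn=test*)"))         # substring: test and testadmin
    print("escaped '*' ->", search(build_filter("cn", "test*")))  # literal, no match
    print("lookup test ->", lookup_user("test"))
```

Running the script reproduces the behaviour Mike expects: (cn=test) returns only cn=test,o=lan, while only the substring filter (cn=test*) returns both users. If a server configured to use equality filters still returns testadmin for the user test, the check with ldapsearch from the reply will show whether the server itself is doing the substring match. The escaping step matters because the value in the filter comes straight from the RADIUS request; Net::LDAP ships the equivalent helper as Net::LDAP::Util::escape_filter_value.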