(RADIATOR) ldap search problem

Mike McCauley mikem at open.com.au
Mon Jun 20 19:42:25 CDT 2005


Hello Simon,


On Monday 20 June 2005 21:54, Simon Merckx wrote:
> Hi,
>
> I have configured radiator to do an ldap search on a Novell ldap server.
> When there are two usernames who begin with the same part (for example
> testadmin and test), it returns the first match it finds. So if the
> username should be test, radiator matches testadmin if that is the username
> it first finds in the ldap database. This is unwanted behavior. Is there an
> option to correct this? There seems to be nothing wrong with the Novell
> server.

That is very odd.
We have not seen that behaviour with other LDAP servers. We would expect to 
see an exact match against the cn, not a leading substring match. See for 
example the doc at 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/search_filter_syntax.asp
and RFC 1960

You may want to confirm that behaviour with ldapsearch, using something like 
this:

ldapsearch -h abc.vjz -b 'o=lan' '(cn=test)'

I suspect this will turn out to be an LDAP server configuration issue.

Cheers.

>
> my ldap config:
>
> <AuthBy LDAP2>
> 		# Tell Radiator how to talk to the LDAP server
> 		#Host		localhost
> 		Host		abc.vjz
> 		# You will only need these if your LDAP server
> 		# requires authentication. These are the examples
> 		# in a default OpenLDAP installation
> 		# see /etc/openldap/slapd.conf
> 		#AuthDN		cn=Manager, dc=example, dc=com
> 		#AuthPassword	secret
>
> 		# This is the top of the search tree where users
> 		# will be found. It should match the configuration
> 		# of your server, see /etc/openldap/slapd.conf
> 		#BaseDN		dc=example, dc=com
> 		BaseDN		o=lan
>
> 		# This is the LDAP attribute to match the radius user name
> 		#UsernameAttr	cn
> 		UsernameAttr	cn
>
> 		# If you don't specify ServerChecksPassword, you
> 		# need to tell Radiator which attribute contains
> 		# the password. It can be plaintext or encrypted
> 		#EncryptedPasswordAttr    userPassword
> 		#PasswordAttr	password
> 		ServerChecksPassword 1
>
> 		# You can use CheckAttr, ReplyAttr and AuthAttrDef
> 		# to specify check and reply attributes in the LDAP
> 		# database. See the reference manual for more
> 		# information
> 		#AuthAttrDef ipaddress,Framed-IP-Address,reply
>
> 		# These are the classic things to add to each users
> 		# reply to allow a PPP dialup session. It may be
> 		# different for your NAS. This will add some
> 		# reply items to everyone's reply
> #		AddToReply Framed-Protocol = PPP,\
> #        		Framed-IP-Netmask = 255.255.255.255,\
> #        		Framed-Routing = None,\
> #        		Framed-MTU = 1500,\
> #			Framed-Compression = Van-Jacobson-TCP-IP
>
> 		# You can enable debugging of the Net::LDAP
> 		# module with this:
> 		#Debug 255
>
> 		# With LDAP2, you can enable SSL or TLS with perl-ldap 0.22 and better
> 		# by setting UseSSL or UseTLS. Not supported on Windows
> 		#UseSSL
> 		# UseTLS
> 		# If you set UseSSL or UseTLS, also need to set these:
> 		#SSLCAClientCert certificates/cert-clt.pem
> 		#SSLCAClientKey whatever
> 		#  (certificates in PEM format)
> 		# Also need to set one of:
> 		#SSLCAFile certificates/demoCA/cacert.pem
> 		# SSLCAPath /path/to/file/containing/certificate/of/CA
> 		#  (certificates in PEM format)
> 		# These set the corresponding parameters in the
> 		# LDAPS connection (see perl-ldap docs)
> 		# Requires IO::Socket::SSL, Net::SSLeay and openssl
>
> 		# You can control the timeout for connection failure,
> 		# plus the backoff time after failure. Timeout defaults
> 		# to 10 secs and FailureBackoffTime to 10 mins
> 		# Timeout 2
> 		# FailureBackoffTime 10
>
> 		# With PostSearchHook you can do your own processing
> 		# of the LDAP data.
> 		# Arg 0 is the AuthBy LDAP object
> 		# Arg 1 is the user name being authenticated
> 		# Arg 2 is the received request packet
> 		# Arg 3 is the user object holding check and reply
> 		#  items for this user
> 		# Arg 4 is the search results handle, whose type
> 		#   depends on whether it is LDAP, LDAP2, or LDAPSDK
> 		#PostSearchHook sub {print "PostSearchHook @_\n";\
> 		#	my $attr = $_[4]->get('someldapattr');\
> 		#	print "get attribute $attr\n";}
>
> 		# You can control the LDAP protocol version to be used
> 		# to talk to the LDAP server. OpenLDAP 2 requires
> 		# Version 3 unless you have 'allow bind_v2' in your
> 		# slapd.conf. Defaults to version 2
> 		Version 3
> 	</AuthBy>
>
>
> regards,
>
> Simon
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
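The point Mike makes above, that an LDAP equality filter such as `(cn=test)` has to match the whole attribute value and not a leading substring, together with the check a practitioner would want before trusting whatever entry a directory returns, as an added Python example. This code is not from the post and is not Radiator's own code; the in-memory directory, its entries and the helper names are constructed for the example. It also shows the one way a plain username really does turn into a substring match: if `test*` is pasted into the filter unescaped, `(cn=test*)` is a substring filter, so the username must be escaped per RFC 4515 before it is placed in the filter.

```python
"""
Added example: RFC 4515 equality vs. substring filter semantics, filter
escaping, and an exact-match check on the returned entry.
Not Radiator code; the directory below is constructed for the example.
"""
import re

# Constructed sample directory (as if under BaseDN o=lan): DN -> attributes.
# Attribute names are stored lower-cased; cn uses caseIgnoreMatch in the
# standard schema, so values are compared case-insensitively below.
DIRECTORY = {
    "cn=test,o=lan":      {"cn": ["test"],      "objectclass": ["inetOrgPerson"]},
    "cn=testadmin,o=lan": {"cn": ["testadmin"], "objectclass": ["inetOrgPerson"]},
    "cn=Test2,o=lan":     {"cn": ["Test2"],     "objectclass": ["inetOrgPerson"]},
}

# Only the simple '(attr=assertion)' form is handled here.
_SIMPLE_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^()]*)\)$")


def escape_assertion(value: str) -> str:
    """RFC 4515 escaping for a value that goes into a filter assertion."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(attr: str, username: str) -> str:
    """The filter an AuthBy LDAP-style search should send for a username."""
    return "(%s=%s)" % (attr, escape_assertion(username))


def _unescape(part: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)


def _match_value(stored: str, assertion: str) -> bool:
    """Equality match if the assertion has no unescaped '*', else substring
    match (initial*any*...*final), both case-insensitive as for cn."""
    parts = [_unescape(p).lower() for p in re.split(r"(?<!\\)\*", assertion)]
    s = stored.lower()
    if len(parts) == 1:
        return s == parts[0]            # equality: the whole value, nothing else
    initial, *middle, final = parts
    if not s.startswith(initial):
        return False
    pos = len(initial)
    for piece in middle:
        idx = s.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return s.endswith(final) and len(s) - len(final) >= pos


def search(filter_str: str) -> list:
    """Return the sorted DNs in DIRECTORY matching a simple filter."""
    m = _SIMPLE_FILTER.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, assertion = m.group("attr").lower(), m.group("value")
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if any(_match_value(v, assertion) for v in attrs.get(attr, [])))


def select_user_entry(results: list, username: str, attr: str = "cn"):
    """Accept a search result only if exactly one entry came back and its
    UsernameAttr value equals the RADIUS username. This is the check to make
    before binding as the found DN or applying that entry's reply items;
    it rejects the 'testadmin returned for test' case from the post."""
    if len(results) != 1:
        return None
    dn = results[0]
    values = DIRECTORY[dn].get(attr.lower(), [])
    return dn if any(v.lower() == username.lower() for v in values) else None


if __name__ == "__main__":
    print(search("(cn=test)"))                       # only cn=test,o=lan
    print(search("(cn=test*)"))                      # substring: all three
    print(search(build_filter("cn", "test*")))       # escaped: no entry
    print(select_user_entry(search("(cn=test)"), "test"))
    print(select_user_entry(["cn=testadmin,o=lan"], "test"))  # None: rejected
```

`search("(cn=test)")` returns only the exact entry, which is the behaviour Mike says to expect from any compliant server; a server that returned `cn=testadmin` for that filter would be rejected by `select_user_entry` rather than silently authenticated. The `ldapsearch -h abc.vjz -b 'o=lan' '(cn=test)'` check from the reply is the same test run against the real server.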
