(RADIATOR) Radiator 3.11 and Novell eDirectory

Jim Michael JMichael at chesterfield.mo.us
Tue Mar 1 08:42:40 CST 2005


Hi Campbell-

Yes, we are successfully using Radiator against Novell eDirectory here. We do not see the issue you describe when authenticating a "bad" user. Here, Radiator simply rejects the user and waits for another authentication attempt.


Jim
>>> "Campbell Simpson" <Campbell.Simpson2 at telecom.co.nz> 2/28/2005 2:44:40 PM >>>
Hi

I was wondering if anyone out there has had some experience getting Radiator to talk LDAP to Novell eDirectory? I currently have two problems and I hope someone out there has come across them before.

First up is the situation where an authentication request is made against an invalid user name or realm. For some reason no response is received from the LDAP server (according to Radiator). The Novell guy I'm working with tells me that eDirectory logs an entry saying "no such entry" and when he uses his CLI ldap tool to query the directory it comes back with "object not found". Radiator however reports that it's trying to connect to the LDAP server and the authentication request times out. I'm wondering if this could be a perl-ldap module problem? As a result of this radiusd dies every time I try to authenticate a non-existent user.

Example of trace

*** Received from 127.0.0.1 port 33062 ....
Code:       Access-Request
Identifier: 193
Authentic:  1234567890123456
Attributes:
        User-Name = "remoteworkrr1 at vpntest.co.nz"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<151><228>)<200><195>01<246><188>8<9><160><216>}x<153>"

Tue Mar  1 09:32:29 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Mar  1 09:32:29 2005: DEBUG: Rewrote user name to remoteworkrr1
Tue Mar  1 09:32:29 2005: DEBUG:  Deleting session for remoteworkrr1 at vpntest.co.nz, 203.63.154.1, 1234
Tue Mar  1 09:32:29 2005: DEBUG: Handling with Radius::AuthLDAP2:
Tue Mar  1 09:32:29 2005: INFO: Connecting to 146.171.39.80, port 389
Tue Mar  1 09:32:29 2005: INFO: Attempting to bind to LDAP server 146.171.39.80:389)


My config file is:

# radius2.cfg
#
# Configuration file for radius server
#
# Author: Mike McCauley (mikem at open.com.au)
# Copyright (C) 1997 Open System Consultants
# $Id: radius2.cfg,v 1.6 1999/07/14 05:28:50 mikem Exp $
#
AuthPort 1645
AcctPort 1646

# Set this to the directory where your logfile and details file are to go
LogDir /opt/radiator/log
DictionaryFile /opt/radiator/dictionary
Trace 4

# Set this to the database directory. It should contain these files:
# users           The user database
# dictionary      The dictionary for your NAS
#DbDir /usr/local/etc/raddb

# ipnetproxy1
<Client 192.168.0.33>
        Secret   metta
</Client>

# ipnetproxy2
<Client 192.168.0.34>
        Secret   metta
</Client>

# ipnetproxy3
<Client 192.168.0.35>
        Secret   metta
</Client>

# For testing: this allows us to honour requests from radpwtst
# on the same host.
<Client localhost>
        Secret mysecret
        DupInterval 0
</Client>

<AuthLog FILE>
        Identifier myauthlogger
        Filename %L/authlog
        LogSuccess 1
        LogFailure 1
</AuthLog>

<Realm DEFAULT>
        RewriteUsername s/^([^@]+).*/$1/ 
        AcctLogFileName %L/accounting.%W
        WtmpFileName %L/wtmp.%W
        PasswordLogFileName %L/auth.%W

        <AuthBy LDAP2>
                Host    146.171.39.80
                Port    389
#                HoldServerConnection
                ServerChecksPassword
                BaseDN  cn=%1,ou=%W,ou=external,ou=customers,ou=Views,o=META
                Scope   base
                AuthDN  cn=THRRadius,o=META
                AuthPassword    xxxxx
                PasswordAttr    userpassword
                AuthAttrDef     groupMembership,GENERIC,reply
                AuthAttrDef     aaareply,GENERIC,reply
#                CheckAttr       aaacheck
                Version 3
                Debug 255
                NoDefault

                # This is the LDAP attribute to match the radius user name
                UsernameAttr   uid
                AddToReply  Framed-Protocol = PPP,Service-Type = Framed,NAS-Port-Type=%{NAS-Port-Type},NAS-IP-Address=%{NAS-IP-Address}

        </AuthBy>
</Realm>

My second problem is I can't seem to hold open the LDAP server connection. I had to comment out "HoldServerConnection". Any idea how to set up eDirectory so that it will keep the LDAP connection alive?

Thanks

Campbell Simpson
Solutions Development
Alcatel New Zealand Ltd
+64 07 8345781 +64 027 4467723
Campbell.Simpson at alcatel.co.nz 



--
Archive at http://www.open.com.au/archives/radiator/ 
Announcements on radiator-announce at open.com.au 
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
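An added example, not code from this thread or from Radiator itself: it mirrors the quoted radius2.cfg's RewriteUsername and BaseDN template in Python, escapes the user-supplied RDN values per RFC 4514, and maps a "no such entry" or an unanswered LDAP bind onto a clean Access-Reject rather than a hung daemon. It assumes Radiator's %1 expands to the RewriteUsername capture and %W to the realm part of the user name, and uses a constructed dictionary in place of the eDirectory tree.

```python
import re

# Mirrors the quoted radius2.cfg. The %1 (regex capture) and %W (realm part)
# expansions are assumed here, not taken from the Radiator manual.
REWRITE_USERNAME = re.compile(r"^([^@]+).*")
BASE_DN_TEMPLATE = "cn=%1,ou=%W,ou=external,ou=customers,ou=Views,o=META"

# Constructed stand-in for the eDirectory tree: user DN -> userPassword.
DIRECTORY = {
    "cn=remoteworkrr1,ou=vpntest.co.nz,ou=external,ou=customers,ou=Views,o=META": "s3cret",
}

def escape_rdn_value(value):
    """Escape one RDN value per RFC 4514 so a user name such as
    'bad,ou=Admins' cannot add or alter components of the generated DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def build_base_dn(user_name):
    """Apply RewriteUsername and expand the BaseDN template; None without a realm."""
    m = REWRITE_USERNAME.match(user_name)
    realm = user_name.partition("@")[2]
    if not m or not realm:
        return None
    return (BASE_DN_TEMPLATE.replace("%1", escape_rdn_value(m.group(1)))
                            .replace("%W", escape_rdn_value(realm)))

def ldap_bind_as_user(dn, password, directory=DIRECTORY, server_up=True):
    """Stand-in for ServerChecksPassword: bind with the user's own DN.
    Returns an LDAP result name, or None when the server never answers."""
    if not server_up:
        return None
    if dn not in directory:
        return "noSuchObject"        # what eDirectory logs as "no such entry"
    return "success" if directory[dn] == password else "invalidCredentials"

def authenticate(user_name, password, **kw):
    """Map the LDAP outcome onto a RADIUS decision, failing closed on every
    non-success path so the daemon keeps serving the next request."""
    dn = build_base_dn(user_name)
    result = ldap_bind_as_user(dn, password, **kw) if dn else "noSuchObject"
    return "Access-Accept" if result == "success" else "Access-Reject"
```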

