(RADIATOR) Radiator and LDAP performance
Mike McCauley
mikem at open.com.au
Wed Mar 2 19:02:47 CST 2005
Hello Campbell,
On Thursday 03 March 2005 09:18, Campbell Simpson wrote:
> Hi people,
>
> I've got a working radiator config that's talking LDAP to Novell
> eDirectory. Now I'm looking at how efficient the LDAP authentication
> process is and this is where I need some advice. It looks to me that this
> is the only proper way to authenticate a user, the problem however is that
> it requires two binds per authentication request which will obviously have
> an effect on performance. It also seems to me that 'ServerChecksPassword'
> and 'HoldServerConnection' are mutually exclusive flags.
>
> First up Radiator needs to be authenticated against the LDAP directory
> before it can search for the user. So I have an AuthDN and AuthPassword
> set. Radiator then searches for the username with a custom search filter
> and gets the contents of the aaareply LDAP attribute. As Novell implement
> proprietary encryption for the user password I need to use the
> 'ServerChecksPassword' flag. This means there needs to be a second bind
> done on the username and password to confirm the correct password.
I note that Novell have published a method for getting the 'Universal
Password' for a user from eDirectory.
I wonder if it would be possible for you to expose a test eDirectory port for
us so we can test some code for accessing the Universal Password?
Cheers.
>
> So the question is: is there a way to perform this authentication using only
> a single bind?
>
> Although eDirectory does support persistent connections (according to
> Novell) I can't get it working with the 'HoldServerConnection' flag. Should
> this flag work if the 'ServerChecksPassword' is set as well? As it's doing
> a bind then search then another bind to the user then it seems to me this
> can't work?? When I run a packet debug I see the two binds occurring but
> then radiator sends an unbind request. This all occurs over the same LDAP
> connection so it seems to be that when you set 'ServerChecksPassword' then
> radiator will always send an unbind request for the LDAP session even
> though 'HoldServerConnection' is set.
>
> See below packet capture, this is with 'HoldServerConnection' and
> 'ServerChecksPassword' set:
>
> thr2 -> 146.171.39.80 LDAP C port=33189 Bind Request
> 146.171.39.80 -> thr2 LDAP R port=33189 Bind Response Success
> thr2 -> 146.171.39.80 LDAP C port=33189 Search Request derefFindingBaseObj
> 146.171.39.80 -> thr2 LDAP R port=33189 Search ResDone Success
> thr2 -> 146.171.39.80 LDAP C port=33189 Bind Request
> 146.171.39.80 -> thr2 LDAP R port=33189 Bind Response Success
> thr2 -> 146.171.39.80 LDAP C port=33189 Unbind Request
>
> Here's my config:
>
> <Realm DEFAULT>
> PreAuthHook file:"/opt/radiator/realmprefix.pl"
> RewriteUsername s/\@ip\w\./\@/
> AcctLogFileName %L/accounting.%R
> WtmpFileName %L/wtmp.%R
> PasswordLogFileName %L/auth.%R
>
> <AuthBy LDAP2>
> Host 146.171.39.80
> Port 389
> # HoldServerConnection
> ServerChecksPassword
> SearchFilter (&(groupMembership=cn=%{GlobalVar:access},ou=services,ou=THR,ou=Applications,ou=spec,ou=customers,ou=Views,o=META)(uid=%U))
> BaseDN cn=%U,ou=%R,ou=external,ou=customers,ou=Views,o=META
> Scope base
> AuthDN cn=THRRadius,o=META
> AuthPassword xxxx
> AuthAttrDef aaareply,GENERIC,reply
> Version 3
> Debug 255
> NoDefault
>
> # This is the LDAP attribute to match the radius user name
> UsernameAttr uid
> AddToReply Framed-Protocol = PPP,Service-Type = Framed,NAS-Port-Type=%{NAS-Port-Type},NAS-IP-Address=%{NAS-IP-Address}
>
> </AuthBy>
> </Realm>
>
> Any thoughts?
>
> Thanks
>
> Campbell
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
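The bind / search / bind / unbind sequence in the packet capture above is the standard "server checks password" LDAP flow. The following is an added example, not Radiator's code and not a real LDAP client: an in-memory stand-in for the directory (constructed sample entries; DNs and the `access1` group are made up) that models the one LDAP rule that matters here, namely that a Bind replaces the authorization identity of the connection. It produces the same message trace as the capture and shows why holding the connection open does not remove the second bind: after the user's bind the connection is the user's, so the service identity has to be re-established before the next search.

```python
"""Search-then-bind (ServerChecksPassword) flow of a RADIUS server against
an LDAP directory, with the message trace each side produces.
Added example: the directory below is an in-memory stand-in, not
eDirectory, and the DNs and attribute values are constructed."""

SERVICE_DN = "cn=THRRadius,o=META"          # AuthDN from the config
SERVICE_PW = "service-secret"               # AuthPassword (constructed)

# Constructed sample directory: DN -> attributes.  userPassword is kept so
# the fake server can verify a bind, which is what ServerChecksPassword
# delegates to the directory.
DIRECTORY = {
    SERVICE_DN: {"userPassword": SERVICE_PW},
    "cn=alice,ou=thr,ou=external,ou=customers,ou=Views,o=META": {
        "uid": "alice",
        "userPassword": "alice-pw",
        "groupMembership": "cn=access1,ou=services,o=META",
        "aaareply": "Framed-IP-Address=10.0.0.5",
    },
}


class FakeLdapConnection:
    """One LDAP connection.  Per RFC 4511 a Bind replaces the connection's
    authorization identity, and a failed Bind leaves it anonymous."""

    def __init__(self, trace):
        self.trace = trace      # list of "C ..." / "S ..." message lines
        self.bound_as = None    # None means anonymous
        self.open = True

    def bind(self, dn, password):
        self.trace.append(f"C Bind Request dn={dn}")
        entry = DIRECTORY.get(dn)
        ok = entry is not None and entry["userPassword"] == password
        self.bound_as = dn if ok else None
        self.trace.append("S Bind Response "
                          + ("Success" if ok else "invalidCredentials"))
        return ok

    def search(self, base_dn, required):
        """Base-scope search: the entry at base_dn, if it has the required
        attribute values and the caller is bound (anonymous reads denied)."""
        self.trace.append(f"C Search Request base={base_dn}")
        if self.bound_as is None:
            self.trace.append("S Search ResDone insufficientAccessRights")
            return None
        entry = DIRECTORY.get(base_dn)
        if entry is None or any(entry.get(k) != v for k, v in required.items()):
            self.trace.append("S Search ResDone Success (0 entries)")
            return None
        self.trace.append("S Search ResDone Success (1 entry)")
        return {k: v for k, v in entry.items() if k != "userPassword"}

    def unbind(self):
        self.trace.append("C Unbind Request")
        self.bound_as = None
        self.open = False


def authenticate(conn, user, realm, password, access_group, hold_connection):
    """Radiator-style flow: bind as AuthDN, base-scope search for the user
    (SearchFilter checks uid and groupMembership), then bind as the user so
    the server checks the password.  Returns (accepted, aaareply value)."""
    # The service identity is only valid until the next bind on this
    # connection, so re-establish it whenever it has been replaced.
    if conn.bound_as != SERVICE_DN and not conn.bind(SERVICE_DN, SERVICE_PW):
        return False, None
    user_dn = f"cn={user},ou={realm},ou=external,ou=customers,ou=Views,o=META"
    entry = conn.search(user_dn, {"uid": user, "groupMembership": access_group})
    if entry is None:
        return False, None          # no entry or not in the access group
    ok = conn.bind(user_dn, password)
    reply = entry.get("aaareply") if ok else None
    if not hold_connection:
        conn.unbind()               # what the capture above shows
    return ok, reply


def run_capture_flow():
    """Reproduce the capture: one request, connection not held."""
    trace = []
    conn = FakeLdapConnection(trace)
    ok, reply = authenticate(conn, "alice", "thr", "alice-pw",
                             "cn=access1,ou=services,o=META", False)
    return ok, reply, trace, conn.open


if __name__ == "__main__":
    ok, reply, trace, still_open = run_capture_flow()
    print(f"accepted={ok} reply={reply} connection_open={still_open}")
    for line in trace:
        print(" ", line)
```

With `hold_connection=True` the Unbind disappears and the TCP session is reused, but the next request still starts with a service bind, because the connection is left bound as the previous user (or anonymous, after a failed password). That is the cost of letting the server check the password; the only thing a held connection saves is the connection setup and teardown.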