(RADIATOR) Radiator doesn't bind to LDAP

Mike McCauley mikem at open.com.au
Mon Feb 13 16:17:12 CST 2006


Hello David,

On Tuesday 14 February 2006 07:45, David Felipe Rios Rojas wrote:
> I'm testing Radiator for the first time, but I'm a little confused by
> an error message when it tries to bind to the LDAP server; I use the LDAP
> superuser account just to try it.

That certainly looks confusing. It looks like the LDAP bind is failing, but I 
can't tell why yet.

Are you able to connect to your LDAP server using the LDAP command line tools 
like ldapsearch etc? 

What platform are you on, and which LDAP server? 

What do you see on stdout if you run Radiator with the Debug parameter enabled 
inside your AuthBy LDAP2? 

What version of perl-ldap are you using?

Cheers.


>
> Next is my config file; it was made based on the sample configuration file
> provided, and several items are not configured yet because I just want to
> test LDAP binding first.
>
> Here we go:
>
> ##################################################################
> Foreground
>
> LogStdout
>
> Trace		4
>
> PidFile		/tmp/radiusd.pid
>
> AuthPort	1645
>
> AcctPort	1646
>
> LogFile		%L/%Y-%m-%d_logfile
> LogDir		/var/log/radius
>
> DbDir		.
>
> DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.ascend
>
> User radius
> Group radius
>
> <Client DEFAULT>
> 	Secret	mysecret
> 	DupInterval 0
> 	DefaultRealm ldap.realm
> 	StatusServerShowClientDetails
> </Client>
>
>
> <Realm DEFAULT>
> 	RewriteUsername	s/^([^@]+).*/$1/
> 	MaxSessions	2
> 	AcctLogFileName	%L/detail
> 	WtmpFileName %L/wtmp
> 	PasswordLogFileName %L/password.log
> 	RejectHasReason
>
> 	<AuthBy FILE>
> 		Filename	/etc/radiator/users
> 		DynamicReply USR-IP-Input-Filter
> 		DynamicCheck Group
> 		UseAddressHint
> 		AddToReply Reply-Message=hello
> 		AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp est"
> 		DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
> 		RejectEmptyPassword
> 		AutoMPPEKeys
> 		EAPType MD5-Challenge
> 	</AuthBy>
>
> 	<AuthBy GROUP>
> 		AuthByPolicy ContinueUntilAccept
> 		AddToReply Reply-Message=xxxx
> 		<AuthBy FILE>
> 			Filename users
> 		</AuthBy>
> 		<AuthBy FILE>
> 			Filename users
> 		</AuthBy>
> 	</AuthBy>
>
> </Realm>
>
> <Realm unix.realm>
> 	RewriteUsername	s/^([^@]+).*/$1/
>
> 	<AuthBy UNIX>
> 		Identifier System
> 		DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
> 	</AuthBy>
> </Realm>
>
>
> <Realm system.realm>
> 	RewriteUsername	s/^([^@]+).*/$1/
> </Realm>
>
>
> <Realm ldap.realm>
> 	<AuthBy LDAP2>
> 		Host		xxxxxx
> 		Port		389
> 		AuthDN		cn=root
> 		AuthPassword	xxxxxx
> 		BaseDN		(&(%0=%1,ou=xxxxx,o=xxxxx)(radiusloginservice=E))
> 		UsernameAttr	uid
> 		PasswordAttr    userPassword
> 	</AuthBy>
> </Realm>
>
>
>
> <Realm external.realm>
> 	RewriteUsername	s/^([^@]+).*/$1/
> 	<AuthBy EXTERNAL>
> 		Command perl ./goodies/testcommand.pl
> 		DecryptPassword
> 	</AuthBy>
> </Realm>
>
> <Realm internal.realm>
> 	<AuthBy INTERNAL>
> 		DefaultResult	accept
> 	</AuthBy>
> </Realm>
>
>
> <Realm mobileip.realm>
> 	RewriteUsername	s/^([^@]+).*/$1/
> 	<AuthBy FILE>
> 		Filename	./users
> 	</AuthBy>
> 	<AuthBy MOBILEIP>
> 		DefaultHAAddress 192.10.10.2
> 	</AuthBy>
> </Realm>
>
>
> <AuthBy FILE>
> 	Identifier identifier1
> </AuthBy>
>
>
> <Realm xyz>
> 	AuthBy identifier1
> </Realm>
> ##################################################################
>
>
> And this is the debug output after "perl radpwtst -user driosr -password pass"
> is executed:
>
> ##################################################################
> Fri Feb 10 07:45:26 2006: DEBUG: Reading group file /etc/group
> Fri Feb 10 07:45:27 2006: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> This Radiator license will expire on 2006-07-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Fri Feb 10 07:45:27 2006: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Fri Feb 10 07:45:28 2006: DEBUG: Reading dictionary file '/etc/radiator/dictionary.ascend'
> Fri Feb 10 07:45:28 2006: DEBUG: Creating authentication port 0.0.0.0:1645
> Fri Feb 10 07:45:28 2006: DEBUG: Creating accounting port 0.0.0.0:1646
> Fri Feb 10 07:45:28 2006: NOTICE: Server started: Radiator 3.14 on XXXX(LOCKED)
> Fri Feb 10 07:46:16 2006: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 33466 ....
> Code:       Access-Request
> Identifier: 211
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "driosr"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Identifier = "203.63.154.1"
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =
> <137><234>,<222><175>\<4><246><188>8<9><160><216>}x<153>
>
> Fri Feb 10 07:46:17 2006: DEBUG: Handling request with Handler 'Realm=ldap.realm'
> Fri Feb 10 07:46:17 2006: DEBUG:  Deleting session for driosr, 203.63.154.1, 1234
> Fri Feb 10 07:46:17 2006: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Feb 10 07:46:17 2006: INFO: Connecting to XXXX:389
> Fri Feb 10 07:46:17 2006: INFO: Attempting to bind to LDAP server XXXX:389
> Fri Feb 10 07:46:17 2006: ERR: Could not bind connection with cn=root, xxxx, error: LDAP error code -1(0xFFFFFFFF) (server XXXX:389).
> Fri Feb 10 07:46:17 2006: ERR: Backing off from XXXX:389 for 600 seconds.
> Fri Feb 10 07:46:17 2006: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 33466 ....
> Code:       Accounting-Request
> Identifier: 212
> Authentic:  .<16>t<179>;<188><213>L<151><182><131>L<144>p<159><245>
> Attributes:
>         User-Name = "driosr"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Identifier = "203.63.154.1"
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Start
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>
> Fri Feb 10 07:46:22 2006: DEBUG: Handling request with Handler 'Realm=ldap.realm'
> Fri Feb 10 07:46:22 2006: DEBUG:  Adding session for driosr, 203.63.154.1, 1234
> Fri Feb 10 07:46:22 2006: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Feb 10 07:46:22 2006: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Fri Feb 10 07:46:22 2006: DEBUG: Accounting accepted
> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 33466 ....
> Code:       Accounting-Response
> Identifier: 212
> Authentic:  .<16>t<179>;<188><213>L<151><182><131>L<144>p<159><245>
> Attributes:
>
> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 33466 ....
> Code:       Accounting-Request
> Identifier: 213
> Authentic:  4f<127><151><175><206><15><9>uq<149><22>&_<238>M
> Attributes:
>         User-Name = "driosr"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Identifier = "203.63.154.1"
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Stop
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>         Acct-Session-Time = 1000
>         Acct-Input-Octets = 20000
>         Acct-Output-Octets = 30000
>
> Fri Feb 10 07:46:22 2006: DEBUG: Handling request with Handler 'Realm=ldap.realm'
> Fri Feb 10 07:46:22 2006: DEBUG:  Deleting session for driosr, 203.63.154.1, 1234
> Fri Feb 10 07:46:22 2006: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Feb 10 07:46:22 2006: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Fri Feb 10 07:46:22 2006: DEBUG: Accounting accepted
> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 33466 ....
> Code:       Accounting-Response
> Identifier: 213
> Authentic:  4f<127><151><175><206><15><9>uq<149><22>&_<238>M
> Attributes:
> ##################################################################
>
>
> And this is the output of the "perl radpwtst -user driosr -password pass"
> command:
>
> ##################################################################
> sending Access-Request...
> No reply
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
> ##################################################################
>
>
> Could you help me?
>
> Thanks in advance.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
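The bind failure quoted above surfaces only as "LDAP error code -1", which does not say whether the TCP connection, the simple bind, or the later user search is what broke. The script below is an added example, not part of the original exchange and not Radiator's own code: it uses perl-ldap (Net::LDAP), the same library AuthBy LDAP2 is built on, to replay the connect, bind and search steps one at a time so each layer fails with its own message, and it prints the perl-ldap version Mike asks for. The hostname, bind DN, search base and test user are placeholders to be replaced with the real values from the AuthBy LDAP2 clause; it also assumes the search base is a plain DN and keeps the user-selecting filter separate from it.

```perl
#!/usr/bin/perl
# Added example (not from the original post or from Radiator): replay, outside
# Radiator, the three steps AuthBy LDAP2 performs before it can answer an
# Access-Request: TCP connect, simple bind with AuthDN/AuthPassword, then a
# search for the user under BaseDN. Each step reports its own failure so a
# bare "LDAP error code -1" can be pinned to one layer.
#
# Assumptions (placeholders, not taken from the page): host, bind DN, search
# base and test user below must be replaced; the search base is a plain DN and
# the user filter is built separately from it.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name escape_filter_value);

my %cfg = (
    host     => 'ldap.example.com',          # AuthBy LDAP2 "Host"
    port     => 389,                         # AuthBy LDAP2 "Port"
    bind_dn  => 'cn=root,o=example',         # AuthBy LDAP2 "AuthDN" (full DN)
    bind_pw  => ($ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n"),
    base_dn  => 'ou=people,o=example',       # AuthBy LDAP2 "BaseDN" (a DN, no filter syntax)
    user     => 'driosr',                    # User-Name from the radpwtst run
    uid_attr => 'uid',                       # AuthBy LDAP2 "UsernameAttr"
);

# perl-ldap version, as asked for in the reply above.
printf "perl-ldap (Net::LDAP) version %s\n", $Net::LDAP::VERSION;

# Step 1: connect. Net::LDAP->new returns undef and sets $@ when the TCP
# connection itself fails (wrong host or port, firewall, nothing listening).
# No bind is attempted at all in that case.
my $ldap = Net::LDAP->new($cfg{host}, port => $cfg{port}, timeout => 10)
    or die "connect to $cfg{host}:$cfg{port} failed: $@\n";
print "connected to $cfg{host}:$cfg{port}\n";

# Step 2: simple bind with the administrative DN and password, the same thing
# Radiator does with AuthDN/AuthPassword. Print the server's result code and
# its symbolic name so it can be matched against the LDAP server's own log.
my $bind = $ldap->bind($cfg{bind_dn}, password => $cfg{bind_pw});
if ($bind->code) {
    die sprintf "bind as %s failed: code %d (%s): %s\n",
        $cfg{bind_dn}, $bind->code, ldap_error_name($bind->code), $bind->error;
}
print "bind as $cfg{bind_dn} succeeded\n";

# Step 3: the lookup Radiator performs for the RADIUS User-Name. The value is
# escaped so that a crafted User-Name containing '*', '(' or ')' cannot change
# the meaning of the filter.
my $escaped = escape_filter_value($cfg{user});
my $search  = $ldap->search(
    base   => $cfg{base_dn},
    scope  => 'sub',
    filter => "($cfg{uid_attr}=$escaped)",
    attrs  => [$cfg{uid_attr}],
);
if ($search->code) {
    die sprintf "search under %s failed: code %d (%s): %s\n",
        $cfg{base_dn}, $search->code, ldap_error_name($search->code), $search->error;
}
printf "search for %s=%s under %s returned %d entries\n",
    $cfg{uid_attr}, $cfg{user}, $cfg{base_dn}, $search->count;
print "  ", $_->dn, "\n" for $search->entries;

$ldap->unbind;
```

Run it as the same Unix user Radiator drops to (the config above sets "User radius"), for example `LDAP_BIND_PW='...' perl ldapcheck.pl`, so that any host-based access control on the LDAP side is exercised the way Radiator exercises it. The OpenLDAP command-line equivalent of the bind-plus-search part, which is the check the reply above suggests, is `ldapsearch -x -H ldap://ldap.example.com:389 -D 'cn=root,o=example' -W -b 'ou=people,o=example' '(uid=driosr)'`; if that succeeds but the script's connect step fails, the difference is almost always the account or the host Radiator runs as rather than the LDAP credentials.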