(RADIATOR) Radiator doesn't bind to LDAP
Hugh Irvine
hugh at open.com.au
Tue Feb 14 22:36:43 CST 2006
Hello David -
I think the AuthBy LDAP 2 configuration is incorrect.
Try this instead:
<Realm ldap.realm>
<AuthBy LDAP2>
Host xxxxxx
Port 389
AuthDN root
AuthPassword xxxxxx
BaseDN ou=xxxxx,o=xxxxx
SearchFilter (&(%0=%1)(radiusloginservice=E))
UsernameAttr uid
PasswordAttr userPassword
</AuthBy>
</Realm>
hope that helps
regards
Hugh
On 14 Feb 2006, at 08:45, David Felipe Rios Rojas wrote:
> I'm testing Radiator for the first time, but I'm a little confused by
> an error message when it tries to bind to the LDAP server; I use the LDAP
> superuser account just to try it.
>
> Next is my config file; it was made based on the sample configuration file
> provided, and several items are not configured yet because I just want to
> test LDAP binding first.
>
> Here we go:
>
> ##################################################################
> Foreground
>
> LogStdout
>
> Trace 4
>
> PidFile /tmp/radiusd.pid
>
> AuthPort 1645
>
> AcctPort 1646
>
> LogFile %L/%Y-%m-%d_logfile
> LogDir /var/log/radius
>
> DbDir .
>
> DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.ascend
>
> User radius
> Group radius
>
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> DefaultRealm ldap.realm
> StatusServerShowClientDetails
> </Client>
>
>
> <Realm DEFAULT>
> RewriteUsername s/^([^@]+).*/$1/
> MaxSessions 2
> AcctLogFileName %L/detail
> WtmpFileName %L/wtmp
> PasswordLogFileName %L/password.log
> RejectHasReason
>
> <AuthBy FILE>
> Filename /etc/radiator/users
> DynamicReply USR-IP-Input-Filter
> DynamicCheck Group
> UseAddressHint
> AddToReply Reply-Message=hello
> AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp est"
> DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
> RejectEmptyPassword
> AutoMPPEKeys
> EAPType MD5-Challenge
> </AuthBy>
>
> <AuthBy GROUP>
> AuthByPolicy ContinueUntilAccept
> AddToReply Reply-Message=xxxx
> <AuthBy FILE>
> Filename users
> </AuthBy>
> <AuthBy FILE>
> Filename users
> </AuthBy>
> </AuthBy>
>
> </Realm>
>
> <Realm unix.realm>
> RewriteUsername s/^([^@]+).*/$1/
>
> <AuthBy UNIX>
> Identifier System
> DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
> </AuthBy>
> </Realm>
>
>
> <Realm system.realm>
> RewriteUsername s/^([^@]+).*/$1/
> </Realm>
>
>
> <Realm ldap.realm>
> <AuthBy LDAP2>
> Host xxxxxx
> Port 389
> AuthDN cn=root
> AuthPassword xxxxxx
> BaseDN (&(%0=%1,ou=xxxxx,o=xxxxx)(radiusloginservice=E))
> UsernameAttr uid
> PasswordAttr userPassword
> </AuthBy>
> </Realm>
>
>
>
> <Realm external.realm>
> RewriteUsername s/^([^@]+).*/$1/
> <AuthBy EXTERNAL>
> Command perl ./goodies/testcommand.pl
> DecryptPassword
> </AuthBy>
> </Realm>
>
> <Realm internal.realm>
> <AuthBy INTERNAL>
> DefaultResult accept
> </AuthBy>
> </Realm>
>
>
> <Realm mobileip.realm>
> RewriteUsername s/^([^@]+).*/$1/
> <AuthBy FILE>
> Filename ./users
> </AuthBy>
> <AuthBy MOBILEIP>
> DefaultHAAddress 192.10.10.2
> </AuthBy>
> </Realm>
>
>
> <AuthBy FILE>
> Identifier identifier1
> </AuthBy>
>
>
> <Realm xyz>
> AuthBy identifier1
> </Realm>
> ##################################################################
>
>
> And this is the debug output after "perl radpwtst -user driosr -password pass" is executed:
>
> ##################################################################
> Fri Feb 10 07:45:26 2006: DEBUG: Reading group file /etc/group
> Fri Feb 10 07:45:27 2006: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> This Radiator license will expire on 2006-07-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Fri Feb 10 07:45:27 2006: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Fri Feb 10 07:45:28 2006: DEBUG: Reading dictionary file '/etc/radiator/dictionary.ascend'
> Fri Feb 10 07:45:28 2006: DEBUG: Creating authentication port 0.0.0.0:1645
> Fri Feb 10 07:45:28 2006: DEBUG: Creating accounting port 0.0.0.0:1646
> Fri Feb 10 07:45:28 2006: NOTICE: Server started: Radiator 3.14 on XXXX(LOCKED)
> Fri Feb 10 07:46:16 2006: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 33466 ....
> Code: Access-Request
> Identifier: 211
> Authentic: 1234567890123456
> Attributes:
> User-Name = "driosr"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <137><234>,<222><175>\<4><246><188>8<9><160><216>}x<153>
>
> Fri Feb 10 07:46:17 2006: DEBUG: Handling request with Handler 'Realm=ldap.realm'
> Fri Feb 10 07:46:17 2006: DEBUG: Deleting session for driosr, 203.63.154.1, 1234
> Fri Feb 10 07:46:17 2006: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Feb 10 07:46:17 2006: INFO: Connecting to XXXX:389
> Fri Feb 10 07:46:17 2006: INFO: Attempting to bind to LDAP server XXXX:389
> Fri Feb 10 07:46:17 2006: ERR: Could not bind connection with cn=root, xxxx, error: LDAP error code -1(0xFFFFFFFF) (server XXXX:389).
> Fri Feb 10 07:46:17 2006: ERR: Backing off from XXXX:389 for 600 seconds.
> Fri Feb 10 07:46:17 2006: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 33466 ....
> Code: Accounting-Request
> Identifier: 212
> Authentic: .<16>t<179>;<188><213>L<151><182><131>L<144>p<159><245>
> Attributes:
> User-Name = "driosr"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Start
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> Acct-Delay-Time = 0
>
> Fri Feb 10 07:46:22 2006: DEBUG: Handling request with Handler 'Realm=ldap.realm'
> Fri Feb 10 07:46:22 2006: DEBUG: Adding session for driosr, 203.63.154.1, 1234
> Fri Feb 10 07:46:22 2006: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Feb 10 07:46:22 2006: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Fri Feb 10 07:46:22 2006: DEBUG: Accounting accepted
> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 33466 ....
> Code: Accounting-Response
> Identifier: 212
> Authentic: .<16>t<179>;<188><213>L<151><182><131>L<144>p<159><245>
> Attributes:
>
> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 33466 ....
> Code: Accounting-Request
> Identifier: 213
> Authentic: 4f<127><151><175><206><15><9>uq<149><22>&_<238>M
> Attributes:
> User-Name = "driosr"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Stop
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> Acct-Delay-Time = 0
> Acct-Session-Time = 1000
> Acct-Input-Octets = 20000
> Acct-Output-Octets = 30000
>
> Fri Feb 10 07:46:22 2006: DEBUG: Handling request with Handler 'Realm=ldap.realm'
> Fri Feb 10 07:46:22 2006: DEBUG: Deleting session for driosr, 203.63.154.1, 1234
> Fri Feb 10 07:46:22 2006: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Feb 10 07:46:22 2006: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Fri Feb 10 07:46:22 2006: DEBUG: Accounting accepted
> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 33466 ....
> Code: Accounting-Response
> Identifier: 213
> Authentic: 4f<127><151><175><206><15><9>uq<149><22>&_<238>M
> Attributes:
> ##################################################################
>
>
> And this is the output to "perl radpwtst -user driosr -password
> pass" command:
>
> ##################################################################
> sending Access-Request...
> No reply
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
> ##################################################################
>
>
> Could you help me?
>
> Thanks in advance.
>
> --
> David Rios R.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
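An added example, not Radiator's own code nor either poster's, showing the two things a reviewer would check in the thread above: that BaseDN is a plain DN rather than the search filter the original config put there, and what a safe expansion of the reply's SearchFilter looks like when the User-Name is escaped per RFC 4515. It assumes, as the reply's filter implies, that %0 stands for UsernameAttr and %1 for the user name; the Host value and the sample user names are constructed.

```python
import re

# Constructed samples (not Radiator's own files): the quoted AuthBy LDAP2 block,
# whose BaseDN carries a search filter, and the corrected one from the reply.
BROKEN_CFG = """<AuthBy LDAP2>
Host ldap.example.invalid
BaseDN (&(%0=%1,ou=xxxxx,o=xxxxx)(radiusloginservice=E))
UsernameAttr uid
</AuthBy>"""
FIXED_CFG = BROKEN_CFG.replace(
    "BaseDN (&(%0=%1,ou=xxxxx,o=xxxxx)(radiusloginservice=E))",
    "BaseDN ou=xxxxx,o=xxxxx\nSearchFilter (&(%0=%1)(radiusloginservice=E))")

# A DN is attribute=value pairs joined by commas, e.g. ou=people,o=example
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=()]+(,[A-Za-z][\w-]*=[^,=()]+)*$")

def parse_authby_ldap2(text):
    """Collect 'Key value' lines inside the first <AuthBy LDAP2> block."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "<AuthBy LDAP2>":
            inside = True
        elif line == "</AuthBy>" and inside:
            break
        elif inside and line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            params[key] = value.strip()
    return params

def check_ldap2(params):
    """Return the misconfigurations a reviewer would flag; empty if none."""
    problems = []
    base = params.get("BaseDN", "")
    if base.startswith("(") or "%0" in base or "%1" in base:
        problems.append("BaseDN holds a search filter; use SearchFilter for that")
    elif not DN_RE.match(base):
        problems.append("BaseDN is not a well-formed DN")
    filt = params.get("SearchFilter", "")
    if filt and filt.count("(") != filt.count(")"):
        problems.append("SearchFilter has unbalanced parentheses")
    return problems

def escape_filter_value(value):
    """RFC 4515 escaping so a User-Name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_search_filter(template, username_attr, username):
    """Fill %0 (UsernameAttr) and %1 (escaped User-Name) in a single pass."""
    subs = {"%0": username_attr, "%1": escape_filter_value(username)}
    return re.sub(r"%[01]", lambda m: subs[m.group(0)], template)
```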
--