(RADIATOR) Radiator doesn't bind to LDAP

Hugh Irvine hugh at open.com.au
Fri Feb 17 16:38:04 CST 2006


Hello David -

You will need to use two AuthBy LDAP clauses - the first to  
authenticate the user and get the GroupId, and the second to get the  
GroupAttributes for the GroupId.

Something like this:


<Realm ....>

	AuthByPolicy ContinueWhileAccept

	<AuthBy LDAP2>
		# authenticate the user and return the GroupId in the request
		.......
		AuthAttrDef GroupId, GroupId, request
	</AuthBy>

	<AuthBy LDAP>
		# get the GroupAttributes for this GroupId
		......
		SearchFilter .....GroupId....
		AuthAttrDef GroupAttributes, GENERIC, reply
	</AuthBy>

</Realm>


The GroupAttributes field will contain the list of attribute=value pairs separated by commas:

	..... = ....... , ........ = ........ , ........ = ..........


Hope that helps.

regards

Hugh
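The two-clause realm sketched above, worked through as an added example in Python (not Radiator's own code and not anything posted in this thread). It models the two searches and the ContinueWhileAccept policy against a small constructed in-memory directory: stage 1 finds the user with the thread's (&(uid=...)(radiusloginservice=E)) filter and checks the password, copying the GroupId into the request; stage 2 finds the group by that GroupId and splits its GroupAttributes string into reply attributes, including a quoted value that itself contains a comma. The sample entries, the attribute names beyond those in the thread, and the escape and parse helpers are assumptions of the example. It also shows one thing the sketch does not: any value spliced into a search filter from the request (here the User-Name) is escaped as RFC 4515 requires, and build_user_filter(escape=False) shows what an unescaped `*` does to the search.

```python
"""Two-stage LDAP lookup for RADIUS, modelled in Python (added example).

Stage 1 authenticates the user and copies the directory's group number into
the request; stage 2 looks the group up and turns its "attr = value, ..."
list into RADIUS reply attributes.  The directory below is a constructed
in-memory stand-in for the LDAP server; nothing here is Radiator's own code.
"""
import hmac
import re

# Constructed sample entries (not from the thread).
USERS = [
    {"uid": "driosr", "userPassword": "pass", "radiusloginservice": "E", "GroupId": "7"},
    {"uid": "alice", "userPassword": "s3cret", "radiusloginservice": "N", "GroupId": "7"},
]
GROUPS = [
    {"GroupId": "7",
     "GroupAttributes": 'Service-Type = Framed-User , Framed-Protocol = PPP , '
                        'Reply-Message = "Plan 7, 512k"'},
]

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")
_ITEM = re.compile(r'\s*([\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*?)\s*(?:,|$)')


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(username: str, escape: bool = True) -> str:
    """Stage-1 filter: (&(uid=<user>)(radiusloginservice=E)).  With
    escape=False an attacker-chosen User-Name is spliced in verbatim."""
    user = escape_filter_value(username) if escape else username
    return f"(&(uid={user})(radiusloginservice=E))"


def ldap_search(entries, filt):
    """First entry matching an AND of equality terms; a bare '*' value is a
    presence test, as in LDAP.  Stands in for the real server-side search."""
    terms = _TERM.findall(filt)
    if not terms:
        return None
    for entry in entries:
        if all(attr in entry if val == "*" else entry.get(attr) == unescape_filter_value(val)
               for attr, val in terms):
            return entry
    return None


def parse_group_attributes(text: str) -> dict:
    """Split 'A = x , B = "y, z"' into reply attributes; quoted values may
    contain commas."""
    items = {}
    for name, value in _ITEM.findall(text):
        if value.startswith('"') and value.endswith('"') and len(value) >= 2:
            value = value[1:-1]
        items[name] = value
    return items


def handle_access_request(username: str, password: str):
    """AuthByPolicy ContinueWhileAccept: stage 2 runs only if stage 1 accepts."""
    user = ldap_search(USERS, build_user_filter(username))
    if user is None or not hmac.compare_digest(user["userPassword"].encode(), password.encode()):
        return "REJECT", {}
    request = {"User-Name": username, "GroupId": user["GroupId"]}   # AuthAttrDef ..., request
    group = ldap_search(GROUPS, f"(GroupId={escape_filter_value(request['GroupId'])})")
    if group is None:
        return "REJECT", {}
    return "ACCEPT", parse_group_attributes(group["GroupAttributes"])  # AuthAttrDef ..., GENERIC, reply


if __name__ == "__main__":
    print(handle_access_request("driosr", "pass"))
    print(handle_access_request("*", "pass"))
```

Run it directly to see an accept carrying the three reply attributes and a reject for the wildcard user name. The configuration in the thread binds as the directory superuser over plain port 389; a dedicated read-only bind DN and TLS on the LDAP connection are the usual hardening for that, and are outside what this simulation covers.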


On 18 Feb 2006, at 01:24, David Felipe Rios Rojas wrote:

>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Thursday, 16 February 2006 05:15 p.m.
>> To: David Felipe Rios Rojas
>> CC: Radiator-List list
>> Subject: Re: (RADIATOR) Radiator doesn't bind to LDAP
>>
>>
>> Hello David -
>>
>> Thanks for letting me know that you have the LDAP working.
>>
>> In answer to your question, yes you can use Radiator to return any
>> attributes needed by the NAS.
>>
>> You would use the AuthAttrDef construct in your AuthBy LDAP2 clause.
>>
>> You can also use the AddToReply construct to return the common reply
>> attributes.
>>
>> See section 5.36.16 in the Radiator 3.14 reference manual.
>>
>> regards
>>
>> Hugh
>>
>
> I think "AuthAttrDef" won't work for me (I'm a little confused);
> I'll explain more clearly:
>
> Our users are grouped according to the connectivity plan they have bought,
> so each user has a number attribute in LDAP identifying his/her group.
> Radiator must not reply with the group number to the RAS; _it should reply
> with the group attributes_ according to the group for every authenticated
> user; those attributes could be stored in the LDAP server, in the Radiator
> config file... it doesn't matter.
>
> Do you understand me?
>
>
>>
>> On 17 Feb 2006, at 07:48, David Felipe Rios Rojas wrote:
>>
>>>
>>>> -----Original Message-----
>>>> From: Hugh Irvine [mailto:hugh at open.com.au]
>>>> Sent: Wednesday, 15 February 2006 05:49 p.m.
>>>> To: David Felipe Rios Rojas
>>>> CC: Radiator-List list
>>>> Subject: Re: (RADIATOR) Radiator doesn't bind to LDAP
>>>>
>>>>
>>>> Hello David -
>>>>
>>>> Further to this you can add "Debug 255" to your AuthBy LDAP2 clause
>>>> to get additional LDAP debugging.
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>
>>> Thanks Hugh, the "Debug" parameter was very useful; Radiator didn't send
>>> anything to the LDAP server because the "Convert-ASN1" module was not
>>> installed. Now it is authenticating!! Thanks a lot again.
>>>
>>> I have another problem: each LDAP user has an attribute indicating what
>>> kind of service he or she has bought; we are working with Cisco CAR and it
>>> returns a lot of parameters to the RAS according to that LDAP attribute;
>>> could I do the same task with Radiator?
>>>
>>>>
>>>> On 16 Feb 2006, at 09:42, Hugh Irvine wrote:
>>>>
>>>>>
>>>>> Hello David -
>>>>>
>>>>> I will need to see the complete configuration file and a trace 4
>>>>> debug from startup showing what is happening.
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>>
>>>>> On 16 Feb 2006, at 09:17, David Felipe Rios Rojas wrote:
>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Hugh Irvine [mailto:hugh at open.com.au]
>>>>>>> Sent: Tuesday, 14 February 2006 11:37 p.m.
>>>>>>> To: David Felipe Rios Rojas
>>>>>>> CC: radiator at open.com.au
>>>>>>> Subject: Re: (RADIATOR) Radiator doesn't bind to LDAP
>>>>>>>
>>>>>>>
>>>>>>> Hello David -
>>>>>>>
>>>>>>> I think the AuthBy LDAP2 configuration is incorrect.
>>>>>>>
>>>>>>> Try this instead:
>>>>>>>
>>>>>>>
>>>>>>> <Realm ldap.realm>
>>>>>>> 	<AuthBy LDAP2>
>>>>>>> 		Host		xxxxxx
>>>>>>> 		Port		389
>>>>>>> 		AuthDN		root
>>>>>>> 		AuthPassword	xxxxxx
>>>>>>> 		BaseDN		ou=xxxxx,o=xxxxx
>>>>>>> 		SearchFilter (&(%0=%1)(radiusloginservice=E))
>>>>>>> 		UsernameAttr	uid
>>>>>>> 		PasswordAttr    userPassword
>>>>>>> 	</AuthBy>
>>>>>>> </Realm>
>>>>>>>
>>>>>>>
>>>>>>> hope that helps
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Hugh
>>>>>>>
>>>>>>
>>>>>> Hi Hugh.
>>>>>>
>>>>>> I changed the config file as you wrote but it didn't work :(
>>>>>>
>>>>>> I used "snoop" to see what it was sending to the LDAP server and
>>>>>> guess what! It doesn't send anything! This is the information
>>>>>> shown by snoop:
>>>>>>
>>>>>> #############################################
>>>>>> ETHER:  ----- Ether Header -----
>>>>>> ETHER:
>>>>>> ETHER:  Packet 1 arrived at 14:56:10.23
>>>>>> ETHER:  Packet size = 62 bytes
>>>>>> ETHER:  Destination = 0:e0:b6:4:d9:62,
>>>>>> ETHER:  Source      = 8:0:20:c7:98:4c, Sun
>>>>>> ETHER:  Ethertype = 0800 (IP)
>>>>>> ETHER:
>>>>>> IP:   ----- IP Header -----
>>>>>> IP:
>>>>>> IP:   Version = 4
>>>>>> IP:   Header length = 20 bytes
>>>>>> IP:   Type of service = 0x00
>>>>>> IP:         xxx. .... = 0 (precedence)
>>>>>> IP:         ...0 .... = normal delay
>>>>>> IP:         .... 0... = normal throughput
>>>>>> IP:         .... .0.. = normal reliability
>>>>>> IP:   Total length = 48 bytes
>>>>>> IP:   Identification = 34837
>>>>>> IP:   Flags = 0x4
>>>>>> IP:         .1.. .... = do not fragment
>>>>>> IP:         ..0. .... = last fragment
>>>>>> IP:   Fragment offset = 0 bytes
>>>>>> IP:   Time to live = 64 seconds/hops
>>>>>> IP:   Protocol = 6 (TCP)
>>>>>> IP:   Header checksum = 479f
>>>>>> IP:   Source address = ***.***.***.***, ********
>>>>>> IP:   Destination address = ***.***.***.***, ********
>>>>>> IP:   No options
>>>>>> IP:
>>>>>> TCP:  ----- TCP Header -----
>>>>>> TCP:
>>>>>> TCP:  Source port = 46731
>>>>>> TCP:  Destination port = 389 (LDAP)
>>>>>> TCP:  Sequence number = 3244986615
>>>>>> TCP:  Acknowledgement number = 0
>>>>>> TCP:  Data offset = 28 bytes
>>>>>> TCP:  Flags = 0x02
>>>>>> TCP:        ..0. .... = No urgent pointer
>>>>>> TCP:        ...0 .... = No acknowledgement
>>>>>> TCP:        .... 0... = No push
>>>>>> TCP:        .... .0.. = No reset
>>>>>> TCP:        .... ..1. = Syn
>>>>>> TCP:        .... ...0 = No Fin
>>>>>> TCP:  Window = 24820
>>>>>> TCP:  Checksum = 0xaca4
>>>>>> TCP:  Urgent pointer = 0
>>>>>> TCP:  Options: (8 bytes)
>>>>>> TCP:    - No operation
>>>>>> TCP:    - No operation
>>>>>> TCP:    - SACK permitted option
>>>>>> TCP:    - Maximum segment size = 1460 bytes
>>>>>> TCP:
>>>>>> LDAP:  ----- LDAP:   -----
>>>>>> LDAP:
>>>>>> LDAP:  ""
>>>>>> LDAP:
>>>>>>
>>>>>> ETHER:  ----- Ether Header -----
>>>>>> ETHER:
>>>>>> ETHER:  Packet 2 arrived at 14:56:10.23
>>>>>> ETHER:  Packet size = 62 bytes
>>>>>> ETHER:  Destination = 8:0:20:c7:98:4c, Sun
>>>>>> ETHER:  Source      = 0:e0:b6:4:d9:62,
>>>>>> ETHER:  Ethertype = 0800 (IP)
>>>>>> ETHER:
>>>>>> IP:   ----- IP Header -----
>>>>>> IP:
>>>>>> IP:   Version = 4
>>>>>> IP:   Header length = 20 bytes
>>>>>> IP:   Type of service = 0x00
>>>>>> IP:         xxx. .... = 0 (precedence)
>>>>>> IP:         ...0 .... = normal delay
>>>>>> IP:         .... 0... = normal throughput
>>>>>> IP:         .... .0.. = normal reliability
>>>>>> IP:   Total length = 48 bytes
>>>>>> IP:   Identification = 16165
>>>>>> IP:   Flags = 0x4
>>>>>> IP:         .1.. .... = do not fragment
>>>>>> IP:         ..0. .... = last fragment
>>>>>> IP:   Fragment offset = 0 bytes
>>>>>> IP:   Time to live = 60 seconds/hops
>>>>>> IP:   Protocol = 6 (TCP)
>>>>>> IP:   Header checksum = 948f
>>>>>> IP:   Source address = ***.***.***.***, **********
>>>>>> IP:   Destination address = ***.***.***.***, ********
>>>>>> IP:   No options
>>>>>> IP:
>>>>>> TCP:  ----- TCP Header -----
>>>>>> TCP:
>>>>>> TCP:  Source port = 389
>>>>>> TCP:  Destination port = 46731
>>>>>> TCP:  Sequence number = 1601298321
>>>>>> TCP:  Acknowledgement number = 3244986616
>>>>>> TCP:  Data offset = 28 bytes
>>>>>> TCP:  Flags = 0x12
>>>>>> TCP:        ..0. .... = No urgent pointer
>>>>>> TCP:        ...1 .... = Acknowledgement
>>>>>> TCP:        .... 0... = No push
>>>>>> TCP:        .... .0.. = No reset
>>>>>> TCP:        .... ..1. = Syn
>>>>>> TCP:        .... ...0 = No Fin
>>>>>> TCP:  Window = 64860
>>>>>> TCP:  Checksum = 0xd177
>>>>>> TCP:  Urgent pointer = 0
>>>>>> TCP:  Options: (8 bytes)
>>>>>> TCP:    - Maximum segment size = 1380 bytes
>>>>>> TCP:    - No operation
>>>>>> TCP:    - No operation
>>>>>> TCP:    - SACK permitted option
>>>>>> TCP:
>>>>>> LDAP:  ----- LDAP:   -----
>>>>>> LDAP:
>>>>>> LDAP:  ""
>>>>>> LDAP:
>>>>>>
>>>>>> ETHER:  ----- Ether Header -----
>>>>>> ETHER:
>>>>>> ETHER:  Packet 3 arrived at 14:56:10.23
>>>>>> ETHER:  Packet size = 54 bytes
>>>>>> ETHER:  Destination = 0:e0:b6:4:d9:62,
>>>>>> ETHER:  Source      = 8:0:20:c7:98:4c, Sun
>>>>>> ETHER:  Ethertype = 0800 (IP)
>>>>>> ETHER:
>>>>>> IP:   ----- IP Header -----
>>>>>> IP:
>>>>>> IP:   Version = 4
>>>>>> IP:   Header length = 20 bytes
>>>>>> IP:   Type of service = 0x00
>>>>>> IP:         xxx. .... = 0 (precedence)
>>>>>> IP:         ...0 .... = normal delay
>>>>>> IP:         .... 0... = normal throughput
>>>>>> IP:         .... .0.. = normal reliability
>>>>>> IP:   Total length = 40 bytes
>>>>>> IP:   Identification = 34838
>>>>>> IP:   Flags = 0x4
>>>>>> IP:         .1.. .... = do not fragment
>>>>>> IP:         ..0. .... = last fragment
>>>>>> IP:   Fragment offset = 0 bytes
>>>>>> IP:   Time to live = 64 seconds/hops
>>>>>> IP:   Protocol = 6 (TCP)
>>>>>> IP:   Header checksum = 47a6
>>>>>> IP:   Source address = ***.***.***.***, ********
>>>>>> IP:   Destination address = ***.***.***.***, **********
>>>>>> IP:   No options
>>>>>> IP:
>>>>>> TCP:  ----- TCP Header -----
>>>>>> TCP:
>>>>>> TCP:  Source port = 46731
>>>>>> TCP:  Destination port = 389 (LDAP)
>>>>>> TCP:  Sequence number = 3244986616
>>>>>> TCP:  Acknowledgement number = 1601298322
>>>>>> TCP:  Data offset = 20 bytes
>>>>>> TCP:  Flags = 0x10
>>>>>> TCP:        ..0. .... = No urgent pointer
>>>>>> TCP:        ...1 .... = Acknowledgement
>>>>>> TCP:        .... 0... = No push
>>>>>> TCP:        .... .0.. = No reset
>>>>>> TCP:        .... ..0. = No Syn
>>>>>> TCP:        .... ...0 = No Fin
>>>>>> TCP:  Window = 24840
>>>>>> TCP:  Checksum = 0x9a40
>>>>>> TCP:  Urgent pointer = 0
>>>>>> TCP:  No options
>>>>>> TCP:
>>>>>> LDAP:  ----- LDAP:   -----
>>>>>> LDAP:
>>>>>> LDAP:  ""
>>>>>> LDAP:
>>>>>>
>>>>>> ETHER:  ----- Ether Header -----
>>>>>> ETHER:
>>>>>> ETHER:  Packet 4 arrived at 14:56:10.23
>>>>>> ETHER:  Packet size = 54 bytes
>>>>>> ETHER:  Destination = 0:e0:b6:4:d9:62,
>>>>>> ETHER:  Source      = 8:0:20:c7:98:4c, Sun
>>>>>> ETHER:  Ethertype = 0800 (IP)
>>>>>> ETHER:
>>>>>> IP:   ----- IP Header -----
>>>>>> IP:
>>>>>> IP:   Version = 4
>>>>>> IP:   Header length = 20 bytes
>>>>>> IP:   Type of service = 0x00
>>>>>> IP:         xxx. .... = 0 (precedence)
>>>>>> IP:         ...0 .... = normal delay
>>>>>> IP:         .... 0... = normal throughput
>>>>>> IP:         .... .0.. = normal reliability
>>>>>> IP:   Total length = 40 bytes
>>>>>> IP:   Identification = 34839
>>>>>> IP:   Flags = 0x4
>>>>>> IP:         .1.. .... = do not fragment
>>>>>> IP:         ..0. .... = last fragment
>>>>>> IP:   Fragment offset = 0 bytes
>>>>>> IP:   Time to live = 64 seconds/hops
>>>>>> IP:   Protocol = 6 (TCP)
>>>>>> IP:   Header checksum = 47a5
>>>>>> IP:   Source address = ***.***.***.***, ********
>>>>>> IP:   Destination address = ***.***.***.***, ********
>>>>>> IP:   No options
>>>>>> IP:
>>>>>> TCP:  ----- TCP Header -----
>>>>>> TCP:
>>>>>> TCP:  Source port = 46731
>>>>>> TCP:  Destination port = 389 (LDAP)
>>>>>> TCP:  Sequence number = 3244986616
>>>>>> TCP:  Acknowledgement number = 1601298322
>>>>>> TCP:  Data offset = 20 bytes
>>>>>> TCP:  Flags = 0x11
>>>>>> TCP:        ..0. .... = No urgent pointer
>>>>>> TCP:        ...1 .... = Acknowledgement
>>>>>> TCP:        .... 0... = No push
>>>>>> TCP:        .... .0.. = No reset
>>>>>> TCP:        .... ..0. = No Syn
>>>>>> TCP:        .... ...1 = Fin
>>>>>> TCP:  Window = 24840
>>>>>> TCP:  Checksum = 0x9a3f
>>>>>> TCP:  Urgent pointer = 0
>>>>>> TCP:  No options
>>>>>> TCP:
>>>>>> LDAP:  ----- LDAP:   -----
>>>>>> LDAP:
>>>>>> LDAP:  ""
>>>>>> LDAP:
>>>>>>
>>>>>> ETHER:  ----- Ether Header -----
>>>>>> ETHER:
>>>>>> ETHER:  Packet 5 arrived at 14:56:10.24
>>>>>> ETHER:  Packet size = 60 bytes
>>>>>> ETHER:  Destination = 8:0:20:c7:98:4c, Sun
>>>>>> ETHER:  Source      = 0:e0:b6:4:d9:62,
>>>>>> ETHER:  Ethertype = 0800 (IP)
>>>>>> ETHER:
>>>>>> IP:   ----- IP Header -----
>>>>>> IP:
>>>>>> IP:   Version = 4
>>>>>> IP:   Header length = 20 bytes
>>>>>> IP:   Type of service = 0x00
>>>>>> IP:         xxx. .... = 0 (precedence)
>>>>>> IP:         ...0 .... = normal delay
>>>>>> IP:         .... 0... = normal throughput
>>>>>> IP:         .... .0.. = normal reliability
>>>>>> IP:   Total length = 40 bytes
>>>>>> IP:   Identification = 16166
>>>>>> IP:   Flags = 0x4
>>>>>> IP:         .1.. .... = do not fragment
>>>>>> IP:         ..0. .... = last fragment
>>>>>> IP:   Fragment offset = 0 bytes
>>>>>> IP:   Time to live = 60 seconds/hops
>>>>>> IP:   Protocol = 6 (TCP)
>>>>>> IP:   Header checksum = 9496
>>>>>> IP:   Source address = ***.***.***.***, ********
>>>>>> IP:   Destination address = ***.***.***.***, ********
>>>>>> IP:   No options
>>>>>> IP:
>>>>>> TCP:  ----- TCP Header -----
>>>>>> TCP:
>>>>>> TCP:  Source port = 389
>>>>>> TCP:  Destination port = 46731
>>>>>> TCP:  Sequence number = 1601298322
>>>>>> TCP:  Acknowledgement number = 3244986617
>>>>>> TCP:  Data offset = 20 bytes
>>>>>> TCP:  Flags = 0x10
>>>>>> TCP:        ..0. .... = No urgent pointer
>>>>>> TCP:        ...1 .... = Acknowledgement
>>>>>> TCP:        .... 0... = No push
>>>>>> TCP:        .... .0.. = No reset
>>>>>> TCP:        .... ..0. = No Syn
>>>>>> TCP:        .... ...0 = No Fin
>>>>>> TCP:  Window = 64860
>>>>>> TCP:  Checksum = 0xfdea
>>>>>> TCP:  Urgent pointer = 0
>>>>>> TCP:  No options
>>>>>> TCP:
>>>>>> LDAP:  ----- LDAP:   -----
>>>>>> LDAP:
>>>>>> LDAP:  ""
>>>>>> LDAP:
>>>>>>
>>>>>> ETHER:  ----- Ether Header -----
>>>>>> ETHER:
>>>>>> ETHER:  Packet 6 arrived at 14:56:11.67
>>>>>> ETHER:  Packet size = 60 bytes
>>>>>> ETHER:  Destination = 8:0:20:c7:98:4c, Sun
>>>>>> ETHER:  Source      = 0:e0:b6:4:d9:62,
>>>>>> ETHER:  Ethertype = 0800 (IP)
>>>>>> ETHER:
>>>>>> IP:   ----- IP Header -----
>>>>>> IP:
>>>>>> IP:   Version = 4
>>>>>> IP:   Header length = 20 bytes
>>>>>> IP:   Type of service = 0x00
>>>>>> IP:         xxx. .... = 0 (precedence)
>>>>>> IP:         ...0 .... = normal delay
>>>>>> IP:         .... 0... = normal throughput
>>>>>> IP:         .... .0.. = normal reliability
>>>>>> IP:   Total length = 40 bytes
>>>>>> IP:   Identification = 16167
>>>>>> IP:   Flags = 0x4
>>>>>> IP:         .1.. .... = do not fragment
>>>>>> IP:         ..0. .... = last fragment
>>>>>> IP:   Fragment offset = 0 bytes
>>>>>> IP:   Time to live = 60 seconds/hops
>>>>>> IP:   Protocol = 6 (TCP)
>>>>>> IP:   Header checksum = 9495
>>>>>> IP:   Source address = ***.***.***.***, ********
>>>>>> IP:   Destination address = ***.***.***.***, ********
>>>>>> IP:   No options
>>>>>> IP:
>>>>>> TCP:  ----- TCP Header -----
>>>>>> TCP:
>>>>>> TCP:  Source port = 389
>>>>>> TCP:  Destination port = 46731
>>>>>> TCP:  Sequence number = 1601298322
>>>>>> TCP:  Acknowledgement number = 3244986617
>>>>>> TCP:  Data offset = 20 bytes
>>>>>> TCP:  Flags = 0x11
>>>>>> TCP:        ..0. .... = No urgent pointer
>>>>>> TCP:        ...1 .... = Acknowledgement
>>>>>> TCP:        .... 0... = No push
>>>>>> TCP:        .... .0.. = No reset
>>>>>> TCP:        .... ..0. = No Syn
>>>>>> TCP:        .... ...1 = Fin
>>>>>> TCP:  Window = 64860
>>>>>> TCP:  Checksum = 0xfde9
>>>>>> TCP:  Urgent pointer = 0
>>>>>> TCP:  No options
>>>>>> TCP:
>>>>>> LDAP:  ----- LDAP:   -----
>>>>>> LDAP:
>>>>>> LDAP:  ""
>>>>>> LDAP:
>>>>>>
>>>>>> ETHER:  ----- Ether Header -----
>>>>>> ETHER:
>>>>>> ETHER:  Packet 7 arrived at 14:56:11.67
>>>>>> ETHER:  Packet size = 54 bytes
>>>>>> ETHER:  Destination = 0:e0:b6:4:d9:62,
>>>>>> ETHER:  Source      = 8:0:20:c7:98:4c, Sun
>>>>>> ETHER:  Ethertype = 0800 (IP)
>>>>>> ETHER:
>>>>>> IP:   ----- IP Header -----
>>>>>> IP:
>>>>>> IP:   Version = 4
>>>>>> IP:   Header length = 20 bytes
>>>>>> IP:   Type of service = 0x00
>>>>>> IP:         xxx. .... = 0 (precedence)
>>>>>> IP:         ...0 .... = normal delay
>>>>>> IP:         .... 0... = normal throughput
>>>>>> IP:         .... .0.. = normal reliability
>>>>>> IP:   Total length = 40 bytes
>>>>>> IP:   Identification = 34840
>>>>>> IP:   Flags = 0x4
>>>>>> IP:         .1.. .... = do not fragment
>>>>>> IP:         ..0. .... = last fragment
>>>>>> IP:   Fragment offset = 0 bytes
>>>>>> IP:   Time to live = 64 seconds/hops
>>>>>> IP:   Protocol = 6 (TCP)
>>>>>> IP:   Header checksum = 47a4
>>>>>> IP:   Source address = ***.***.***.***, ********
>>>>>> IP:   Destination address = ***.***.***.***, ********
>>>>>> IP:   No options
>>>>>> IP:
>>>>>> TCP:  ----- TCP Header -----
>>>>>> TCP:
>>>>>> TCP:  Source port = 46731
>>>>>> TCP:  Destination port = 389 (LDAP)
>>>>>> TCP:  Sequence number = 3244986617
>>>>>> TCP:  Acknowledgement number = 1601298323
>>>>>> TCP:  Data offset = 20 bytes
>>>>>> TCP:  Flags = 0x10
>>>>>> TCP:        ..0. .... = No urgent pointer
>>>>>> TCP:        ...1 .... = Acknowledgement
>>>>>> TCP:        .... 0... = No push
>>>>>> TCP:        .... .0.. = No reset
>>>>>> TCP:        .... ..0. = No Syn
>>>>>> TCP:        .... ...0 = No Fin
>>>>>> TCP:  Window = 24840
>>>>>> TCP:  Checksum = 0x9a3e
>>>>>> TCP:  Urgent pointer = 0
>>>>>> TCP:  No options
>>>>>> TCP:
>>>>>> LDAP:  ----- LDAP:   -----
>>>>>> LDAP:
>>>>>> LDAP:  ""
>>>>>> LDAP:
>>>>>> #############################################
>>>>>>
>>>>>> If you use grep to filter it, you can see that the lines with
>>>>>> "LDAP:" don't have any important information.
>>>>>>
>>>>>> P.S. Sensitive information was replaced with "*".
>>>>>>
>>>>>>>
>>>>>>> On 14 Feb 2006, at 08:45, David Felipe Rios Rojas wrote:
>>>>>>>
>>>>>>>> I'm testing Radiator for the first time, but I'm a little confused
>>>>>>>> by an error message when it tries to bind to the LDAP server; I use
>>>>>>>> the LDAP superuser account just to try it.
>>>>>>>>
>>>>>>>> Next is my config file; it was made based on the sample configuration
>>>>>>>> file provided, and several items are not configured yet because I
>>>>>>>> just want to test LDAP binding first.
>>>>>>>>
>>>>>>>> Here we go:
>>>>>>>>
>>>>>>>>
>>>> ##################################################################
>>>>>>>> Foreground
>>>>>>>>
>>>>>>>> LogStdout
>>>>>>>>
>>>>>>>> Trace		4
>>>>>>>>
>>>>>>>> PidFile		/tmp/radiusd.pid
>>>>>>>>
>>>>>>>> AuthPort	1645
>>>>>>>>
>>>>>>>> AcctPort	1646
>>>>>>>>
>>>>>>>> LogFile		%L/%Y-%m-%d_logfile
>>>>>>>> LogDir		/var/log/radius
>>>>>>>>
>>>>>>>> DbDir		.
>>>>>>>>
>>>>>>>> DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.ascend
>>>>>>>>
>>>>>>>> User radius
>>>>>>>> Group radius
>>>>>>>>
>>>>>>>> <Client DEFAULT>
>>>>>>>> 	Secret	mysecret
>>>>>>>> 	DupInterval 0
>>>>>>>> 	DefaultRealm ldap.realm
>>>>>>>> 	StatusServerShowClientDetails
>>>>>>>> </Client>
>>>>>>>>
>>>>>>>>
>>>>>>>> <Realm DEFAULT>
>>>>>>>> 	RewriteUsername	s/^([^@]+).*/$1/
>>>>>>>> 	MaxSessions	2
>>>>>>>> 	AcctLogFileName	%L/detail
>>>>>>>> 	WtmpFileName %L/wtmp
>>>>>>>> 	PasswordLogFileName %L/password.log
>>>>>>>> 	RejectHasReason
>>>>>>>>
>>>>>>>> 	<AuthBy FILE>
>>>>>>>> 		Filename	/etc/radiator/users
>>>>>>>> 		DynamicReply USR-IP-Input-Filter
>>>>>>>> 		DynamicCheck Group
>>>>>>>> 		UseAddressHint
>>>>>>>> 		AddToReply Reply-Message=hello
>>>>>>>> 		AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp est"
>>>>>>>> 		DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
>>>>>>>> 		RejectEmptyPassword
>>>>>>>> 		AutoMPPEKeys
>>>>>>>> 		EAPType MD5-Challenge
>>>>>>>> 	</AuthBy>
>>>>>>>>
>>>>>>>> 	<AuthBy GROUP>
>>>>>>>> 		AuthByPolicy ContinueUntilAccept
>>>>>>>> 		AddToReply Reply-Message=xxxx
>>>>>>>> 		<AuthBy FILE>
>>>>>>>> 			Filename users
>>>>>>>> 		</AuthBy>
>>>>>>>> 		<AuthBy FILE>
>>>>>>>> 			Filename users
>>>>>>>> 		</AuthBy>
>>>>>>>> 	</AuthBy>
>>>>>>>>
>>>>>>>> </Realm>
>>>>>>>>
>>>>>>>> <Realm unix.realm>
>>>>>>>> 	RewriteUsername	s/^([^@]+).*/$1/
>>>>>>>>
>>>>>>>> 	<AuthBy UNIX>
>>>>>>>> 		Identifier System
>>>>>>>> 		DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
>>>>>>>> 	</AuthBy>
>>>>>>>> </Realm>
>>>>>>>>
>>>>>>>>
>>>>>>>> <Realm system.realm>
>>>>>>>> 	RewriteUsername	s/^([^@]+).*/$1/
>>>>>>>> </Realm>
>>>>>>>>
>>>>>>>>
>>>>>>>> <Realm ldap.realm>
>>>>>>>> 	<AuthBy LDAP2>
>>>>>>>> 		Host		xxxxxx
>>>>>>>> 		Port		389
>>>>>>>> 		AuthDN		cn=root
>>>>>>>> 		AuthPassword	xxxxxx
>>>>>>>> 		BaseDN		(&(%0=%1,ou=xxxxx,o=xxxxx)(radiusloginservice=E))
>>>>>>>> 		UsernameAttr	uid
>>>>>>>> 		PasswordAttr    userPassword
>>>>>>>> 	</AuthBy>
>>>>>>>> </Realm>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> <Realm external.realm>
>>>>>>>> 	RewriteUsername	s/^([^@]+).*/$1/
>>>>>>>> 	<AuthBy EXTERNAL>
>>>>>>>> 		Command perl ./goodies/testcommand.pl
>>>>>>>> 		DecryptPassword
>>>>>>>> 	</AuthBy>
>>>>>>>> </Realm>
>>>>>>>>
>>>>>>>> <Realm internal.realm>
>>>>>>>> 	<AuthBy INTERNAL>
>>>>>>>> 		DefaultResult	accept
>>>>>>>> 	</AuthBy>
>>>>>>>> </Realm>
>>>>>>>>
>>>>>>>>
>>>>>>>> <Realm mobileip.realm>
>>>>>>>> 	RewriteUsername	s/^([^@]+).*/$1/
>>>>>>>> 	<AuthBy FILE>
>>>>>>>> 		Filename	./users
>>>>>>>> 	</AuthBy>
>>>>>>>> 	<AuthBy MOBILEIP>
>>>>>>>> 		DefaultHAAddress 192.10.10.2
>>>>>>>> 	</AuthBy>
>>>>>>>> </Realm>
>>>>>>>>
>>>>>>>>
>>>>>>>> <AuthBy FILE>
>>>>>>>> 	Identifier identifier1
>>>>>>>> </AuthBy>
>>>>>>>>
>>>>>>>>
>>>>>>>> <Realm xyz>
>>>>>>>> 	AuthBy identifier1
>>>>>>>> </Realm>
>>>>>>>>
>>>> ##################################################################
>>>>>>>>
>>>>>>>>
>>>>>>>> And this is the debug output after "perl radpwtst -user driosr -password
>>>>>>>> pass" is executed:
>>>>>>>>
>>>>>>>>
>>>> ##################################################################
>>>>>>>> Fri Feb 10 07:45:26 2006: DEBUG: Reading group file /etc/group
>>>>>>>> Fri Feb 10 07:45:27 2006: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>>>>>>>> This Radiator license will expire on 2006-07-01
>>>>>>>> This Radiator license will stop operating after 1000 requests
>>>>>>>> To purchase an unlimited full source version of Radiator, see
>>>>>>>> http://www.open.com.au/ordering.html
>>>>>>>> To extend your license period, contact admin at open.com.au
>>>>>>>>
>>>>>>>> Fri Feb 10 07:45:27 2006: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
>>>>>>>> Fri Feb 10 07:45:28 2006: DEBUG: Reading dictionary file '/etc/radiator/dictionary.ascend'
>>>>>>>> Fri Feb 10 07:45:28 2006: DEBUG: Creating authentication port 0.0.0.0:1645
>>>>>>>> Fri Feb 10 07:45:28 2006: DEBUG: Creating accounting port 0.0.0.0:1646
>>>>>>>> Fri Feb 10 07:45:28 2006: NOTICE: Server started: Radiator 3.14 on XXXX(LOCKED)
>>>>>>>> Fri Feb 10 07:46:16 2006: DEBUG: Packet dump:
>>>>>>>> *** Received from 127.0.0.1 port 33466 ....
>>>>>>>> Code:       Access-Request
>>>>>>>> Identifier: 211
>>>>>>>> Authentic:  1234567890123456
>>>>>>>> Attributes:
>>>>>>>>         User-Name = "driosr"
>>>>>>>>         Service-Type = Framed-User
>>>>>>>>         NAS-IP-Address = 203.63.154.1
>>>>>>>>         NAS-Identifier = "203.63.154.1"
>>>>>>>>         NAS-Port = 1234
>>>>>>>>         Called-Station-Id = "123456789"
>>>>>>>>         Calling-Station-Id = "987654321"
>>>>>>>>         NAS-Port-Type = Async
>>>>>>>>         User-Password = <137><234>,<222><175>
>>>>>>>> \<4><246><188>8<9><160><216>}x<153>
>>>>>>>>
>>>>>>>> Fri Feb 10 07:46:17 2006: DEBUG: Handling request with Handler 'Realm=ldap.realm'
>>>>>>>> Fri Feb 10 07:46:17 2006: DEBUG:  Deleting session for driosr, 203.63.154.1, 1234
>>>>>>>> Fri Feb 10 07:46:17 2006: DEBUG: Handling with Radius::AuthLDAP2:
>>>>>>>> Fri Feb 10 07:46:17 2006: INFO: Connecting to XXXX:389
>>>>>>>> Fri Feb 10 07:46:17 2006: INFO: Attempting to bind to LDAP server XXXX:389
>>>>>>>> Fri Feb 10 07:46:17 2006: ERR: Could not bind connection with cn=root, xxxx, error: LDAP error code -1(0xFFFFFFFF) (server XXXX:389).
>>>>>>>> Fri Feb 10 07:46:17 2006: ERR: Backing off from XXXX:389 for 600 seconds.
>>>>>>>> Fri Feb 10 07:46:17 2006: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
>>>>>>>> *** Received from 127.0.0.1 port 33466 ....
>>>>>>>> Code:       Accounting-Request
>>>>>>>> Identifier: 212
>>>>>>>> Authentic:  .<16>t<179>;<188><213>L<151><182><131>L<144>p<159><245>
>>>>>>>> Attributes:
>>>>>>>>         User-Name = "driosr"
>>>>>>>>         Service-Type = Framed-User
>>>>>>>>         NAS-IP-Address = 203.63.154.1
>>>>>>>>         NAS-Identifier = "203.63.154.1"
>>>>>>>>         NAS-Port = 1234
>>>>>>>>         NAS-Port-Type = Async
>>>>>>>>         Acct-Session-Id = "00001234"
>>>>>>>>         Acct-Status-Type = Start
>>>>>>>>         Called-Station-Id = "123456789"
>>>>>>>>         Calling-Station-Id = "987654321"
>>>>>>>>         Acct-Delay-Time = 0
>>>>>>>>
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: Handling request with Handler 'Realm=ldap.realm'
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG:  Adding session for driosr, 203.63.154.1, 1234
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: Handling with Radius::AuthLDAP2:
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: AuthBy LDAP2 result: ACCEPT,
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: Accounting accepted
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
>>>>>>>> *** Sending to 127.0.0.1 port 33466 ....
>>>>>>>> Code:       Accounting-Response
>>>>>>>> Identifier: 212
>>>>>>>> Authentic:  .<16>t<179>;<188><213>L<151><182><131>L<144>p<159><245>
>>>>>>>> Attributes:
>>>>>>>>
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
>>>>>>>> *** Received from 127.0.0.1 port 33466 ....
>>>>>>>> Code:       Accounting-Request
>>>>>>>> Identifier: 213
>>>>>>>> Authentic:  4f<127><151><175><206><15><9>uq<149><22>&_<238>M
>>>>>>>> Attributes:
>>>>>>>>         User-Name = "driosr"
>>>>>>>>         Service-Type = Framed-User
>>>>>>>>         NAS-IP-Address = 203.63.154.1
>>>>>>>>         NAS-Identifier = "203.63.154.1"
>>>>>>>>         NAS-Port = 1234
>>>>>>>>         NAS-Port-Type = Async
>>>>>>>>         Acct-Session-Id = "00001234"
>>>>>>>>         Acct-Status-Type = Stop
>>>>>>>>         Called-Station-Id = "123456789"
>>>>>>>>         Calling-Station-Id = "987654321"
>>>>>>>>         Acct-Delay-Time = 0
>>>>>>>>         Acct-Session-Time = 1000
>>>>>>>>         Acct-Input-Octets = 20000
>>>>>>>>         Acct-Output-Octets = 30000
>>>>>>>>
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: Handling request with Handler 'Realm=ldap.realm'
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG:  Deleting session for driosr, 203.63.154.1, 1234
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: Handling with Radius::AuthLDAP2:
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: AuthBy LDAP2 result: ACCEPT,
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: Accounting accepted
>>>>>>>> Fri Feb 10 07:46:22 2006: DEBUG: Packet dump:
>>>>>>>> *** Sending to 127.0.0.1 port 33466 ....
>>>>>>>> Code:       Accounting-Response
>>>>>>>> Identifier: 213
>>>>>>>> Authentic:  4f<127><151><175><206><15><9>uq<149><22>&_<238>M
>>>>>>>> Attributes:
>>>>>>>>
>>>> ##################################################################
>>>>>>>>
>>>>>>>>
>>>>>>>> And this is the output of the "perl radpwtst -user driosr -password
>>>>>>>> pass" command:
>>>>>>>>
>>>>>>>>
>>>> ##################################################################
>>>>>>>> sending Access-Request...
>>>>>>>> No reply
>>>>>>>> sending Accounting-Request Start...
>>>>>>>> OK
>>>>>>>> sending Accounting-Request Stop...
>>>>>>>> OK
>>>>>>>>
>>>> ##################################################################
>>>>>>>>
>>>>>>>>
>>>>>>>> Could you help me?
>>>>>>>>
>>>>>>>> Thanks in advance.
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> David Rios R.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>
>>>>>>>
>>>>>>> NB:
>>>>>>>
>>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>>> Have you searched the mailing list archive (www.open.com.au/
>>>>>>> archives/
>>>>>>> radiator)?
>>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>>> Have you included a copy of your configuration file (no
>> secrets),
>>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>>
>>>>>>> -- 
>>>>>>> Radiator: the most portable, flexible and configurable
>>>> RADIUS server
>>>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>>>> -
>>>>>>> Nets: internetwork inventory and management - graphical,
>>>> extensible,
>>>>>>> flexible with hardware, software, platform and database
>>>>>>> independence.
>>>>>>> -
>>>>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>>>>> systems.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> David Rios R.
>>>>>> Ingenieria de Desarrollo
>>>>>> Expansion Nuevos Servicios
>>>>>> Empresas Publicas de Medellin
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>> -- 
>>> David Rios R.
>>> Ingenieria de Desarrollo
>>> Expansion Nuevos Servicios
>>> Empresas Publicas de Medellin
>>>
>>
>>
>>
>>
>>
>
>
> -- 
> David Rios R.
> Ingenieria de Desarrollo
> Expansion Nuevos Servicios
> Empresas Publicas de Medellin
>
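What the snoop capture quoted above shows, turned into a mechanical check, as an added example in Python (not from the thread, from Radiator or from snoop's own tooling). Every "LDAP:" section in that capture is empty because the TCP payload is zero in every packet: SYN, SYN/ACK, ACK, then a FIN from the RADIUS host. A client that connects and hangs up without ever sending a BindRequest has failed inside its own process before the protocol starts (in the thread, the missing Convert::ASN1 module), which is a different fault from a bind the directory rejects, where the request and its response would show up as payload bytes. The script parses snoop's verbose output for the header-length fields, computes the payload per packet, and classifies the conversation. The two traces at the bottom are constructed by a small helper to have the same shape as the thread's capture (and, for contrast, a 14-byte anonymous bind exchange); the field regexes assume the snoop -v layout as quoted above, and the verdict strings are this example's own.

```python
"""Classify a captured LDAP TCP conversation from snoop's verbose output.

Added example, not from the thread, Radiator or snoop.  The capture quoted
in the thread shows SYN, SYN/ACK, ACK and then a FIN from the RADIUS host
with every "LDAP:" section empty: the client connected and hung up before
sending a BindRequest, so the fault is in the client process (there, a
missing Convert::ASN1 module), not in the bind credentials or the directory.
This script turns that reading into a mechanical check.
"""
import re

# Field patterns assume the snoop -v layout quoted in the thread.
_FIELDS = {
    "ip_hdr": re.compile(r"IP:\s+Header length = (\d+) bytes"),
    "ip_len": re.compile(r"IP:\s+Total length = (\d+) bytes"),
    "sport": re.compile(r"TCP:\s+Source port = (\d+)"),
    "dport": re.compile(r"TCP:\s+Destination port = (\d+)"),
    "tcp_off": re.compile(r"TCP:\s+Data offset = (\d+) bytes"),
    "flags": re.compile(r"TCP:\s+Flags = 0x([0-9A-Fa-f]+)"),
}
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def parse_snoop(text: str) -> list:
    """One dict per packet; payload = IP total length - IP header - TCP header."""
    packets = []
    for chunk in re.split(r"ETHER:\s+----- Ether Header -----", text)[1:]:
        fields = {}
        for name, rx in _FIELDS.items():
            m = rx.search(chunk)
            if not m:
                break                      # not a TCP packet we can size; skip it
            fields[name] = int(m.group(1), 16 if name == "flags" else 10)
        else:
            fields["payload"] = fields["ip_len"] - fields["ip_hdr"] - fields["tcp_off"]
            packets.append(fields)
    return packets


def diagnose(packets: list, server_port: int = 389) -> dict:
    """Who sent what, and a verdict on which side the failure belongs to."""
    to_server = [p for p in packets if p["dport"] == server_port]
    from_server = [p for p in packets if p["sport"] == server_port]
    handshake = (any(p["flags"] & SYN and not p["flags"] & ACK for p in to_server)
                 and any(p["flags"] & SYN and p["flags"] & ACK for p in from_server))
    bytes_in = sum(p["payload"] for p in to_server)
    bytes_out = sum(p["payload"] for p in from_server)
    first_fin = next(("client" if p["dport"] == server_port else "server"
                      for p in packets if p["flags"] & FIN), None)
    if not handshake:
        verdict = "no-connection"                 # host, port or firewall problem
    elif bytes_in == 0 and first_fin == "client":
        verdict = "client-aborted-before-bind"    # look inside the RADIUS process
    elif bytes_out == 0:
        verdict = "no-reply-from-server"          # request sent, server silent
    else:
        verdict = "application-data-exchanged"    # read the LDAP result code instead
    return {"handshake": handshake, "bytes_to_server": bytes_in,
            "bytes_from_server": bytes_out, "first_fin": first_fin, "verdict": verdict}


def _pkt(sport, dport, flags, total_len, tcp_off):
    """Constructed snoop-style text carrying only the fields parsed above."""
    return (f"ETHER:  ----- Ether Header -----\nIP:   Header length = 20 bytes\n"
            f"IP:   Total length = {total_len} bytes\nTCP:  Source port = {sport}\n"
            f"TCP:  Destination port = {dport}\nTCP:  Data offset = {tcp_off} bytes\n"
            f"TCP:  Flags = 0x{flags:02x}\nLDAP:  \"\"\n")


# Same shape as the thread's capture: handshake, then the client FINs with no data.
ABORTED_TRACE = "".join([
    _pkt(46731, 389, SYN, 48, 28), _pkt(389, 46731, SYN | ACK, 48, 28),
    _pkt(46731, 389, ACK, 40, 20), _pkt(46731, 389, FIN | ACK, 40, 20),
    _pkt(389, 46731, ACK, 40, 20), _pkt(389, 46731, FIN | ACK, 40, 20),
    _pkt(46731, 389, ACK, 40, 20),
])
# Contrast: a 14-byte anonymous BindRequest and its 14-byte BindResponse.
BIND_TRACE = "".join([
    _pkt(46731, 389, SYN, 48, 28), _pkt(389, 46731, SYN | ACK, 48, 28),
    _pkt(46731, 389, ACK, 40, 20), _pkt(46731, 389, PSH | ACK, 54, 20),
    _pkt(389, 46731, PSH | ACK, 54, 20), _pkt(389, 46731, FIN | ACK, 40, 20),
])

if __name__ == "__main__":
    for name, trace in (("aborted", ABORTED_TRACE), ("bind", BIND_TRACE)):
        print(name, diagnose(parse_snoop(trace)))
```

Feed it a real `snoop -v` text file via parse_snoop(open(path).read()) and look at the verdict before touching the LDAP server's ACLs or the bind password: "client-aborted-before-bind" means the next step is the RADIUS server's own debug output (Trace 4 and the AuthBy clause's Debug setting, as the thread used), not the directory.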

