(RADIATOR) LDAP2 and Bad Password message
Hugh Irvine
hugh at open.com.au
Sun Jul 23 19:53:47 CDT 2006
Hello Bryan -
It looks to me like the userPassword field contains a strange
password string:
> Sun Jul 23 10:14:46 2006: DEBUG: LDAP got userPassword:
> {crypt}$1$lS$X2L/zp7xWYq
> Ya44c35ErZ.
Normally the "{crypt}" prefix indicates UNIX crypt, while the "$!$"
prefix indicates Linux MD5.
As this password contains both prefixes, Radiator is getting confused.
You say that the userPassword field contains Linux MD5 passwords,
therefore you will need to remove the "{crypt}" prefixes.
See section 12.1.1 in the Radiator 3.15 reference manual ("doc/
ref.html").
BTW - for a new installation you might consider using ActivePerl 5.8
(latest is 5.8.8.817).
hope that helps
regards
Hugh
On 24 Jul 2006, at 03:30, Woods, Bryan wrote:
> Hello group,
>
> I'm having problems getting RADIATOR to authenticate (using AuthBy
> LDAP2)
> against my openLDAP server. The message that I'm getting is
> "AuthLDAP2
> REJECT: Bad Password". Here are some of the specifics unique to my
> installation:
>
> 1. LDAP allows anonymous (read only) binds.
> 2. The user accounts cannot bind to the server (only an admin
> account can
> do that).
> 3. Two hashes of the same password are stored for each user, a
> standard
> linux MD5 (stored in 'userPassword'), and an NT hash (copied from the
> 'smbpasswd' file and stored in 'ntPassword').
> 4. Eventually I'll want to use the ntPassword for authentication
> as I need
> to enable LEAP, but I've been unsuccessful in even getting simple
> authentication working.
> 5. RADIATOR 3.15 is running on a Windows 2K Server box under
> ActiveState
> Perl 5.6
> 6. In my example below, I've used a user account "sis_link" with a
> password
> of "sislink321".
>
> Here's what my config file looks like:
>
> ====
> ==== config file ===
>
> # ldap.cfg
> #
> Foreground
> LogStdout
> LogDir c:/Program Files/Radiator
> DbDir c:/Program Files/Radiator
> Trace 4
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> <AuthBy LDAP2>
> Host 10.1.1.101
> AuthDN uid=gov,o=PUSD,c=US
> AuthPassword *****
> BaseDN o=PUSD,c=US
> UsernameAttr uid
> PasswordAttr userPassword
> AddToReply Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-Routing = None,\
> Framed-MTU = 1500,\
> Framed-Compression = Van-Jacobson-TCP-IP
> Version 3
> </AuthBy>
> </Realm>
>
> === debug output ===
> Sun Jul 23 10:14:46 2006: DEBUG: Packet dump:
> *** Received from 10.1.7.143 port 3948 ....
> Code: Access-Request
> Identifier: 0
> Authentic: 1153675030
> Attributes:
> User-Name = "sis_link"
> User-Password =
> 7<146>9<143><185><181><174><226><217>{<198>y<128><234><1
> 59><31>
>
> Sun Jul 23 10:14:46 2006: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Sun Jul 23 10:14:46 2006: DEBUG: Deleting session for sis_link,
> 10.1.7.143,
> Sun Jul 23 10:14:46 2006: DEBUG: Handling with Radius::AuthLDAP2:
> Sun Jul 23 10:14:46 2006: INFO: Connecting to 10.1.1.101:389
> Sun Jul 23 10:14:46 2006: INFO: Attempting to bind to LDAP server
> 10.1.1.101:389
>
> Sun Jul 23 10:14:46 2006: DEBUG: LDAP got result for
> uid=sis_link,ou=Information
> Technology Services,ou=Education Center,o=PUSD,c=US
> Sun Jul 23 10:14:46 2006: DEBUG: LDAP got userPassword:
> {crypt}$1$lS$X2L/zp7xWYq
> Ya44c35ErZ.
> Sun Jul 23 10:14:46 2006: DEBUG: Radius::AuthLDAP2 looks for match
> with
> sis_link
> [sis_link]
> Sun Jul 23 10:14:46 2006: DEBUG: Radius::AuthLDAP2 REJECT: Bad
> Password:
> sis_lin
> k [sis_link]
> Sun Jul 23 10:14:46 2006: INFO: Connecting to 10.1.1.101:389
> Sun Jul 23 10:14:46 2006: INFO: Attempting to bind to LDAP server
> 10.1.1.101:389
>
> Sun Jul 23 10:14:46 2006: DEBUG: No entries for DEFAULT found in LDAP
> database
> Sun Jul 23 10:14:46 2006: DEBUG: AuthBy LDAP2 result: REJECT, Bad
> Password
> Sun Jul 23 10:14:46 2006: INFO: Access rejected for sis_link: Bad
> Password
> Sun Jul 23 10:14:46 2006: DEBUG: Packet dump:
> *** Sending to 10.1.7.143 port 3948 ....
> Code: Access-Reject
> Identifier: 0
> Authentic: 1153675030
> Attributes:
> Reply-Message = "Request Denied"
>
>
>
> I'd appreciate any suggestions that you all can offer.
>
> Bryan Woods
> Assistant System Administrator
> Pomona Unified School District
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list