(RADIATOR) LDAP2 and Bad Password message

Woods, Bryan Bryan.Woods at pomona.k12.ca.us
Mon Jul 24 10:30:51 CDT 2006


Hugh,

Thanks for the speedy response.  You are absolutely correct.  When I
manually clipped the "{crypt}" from the front of the "userPassword"
attribute, I was able to authenticate.  I would assume that if I were to go
with this on a production-basis I would be advised to use a "post search
hook" process to strip off those seven characters before checking the
password.

Now that I've proven that basic RADIUS authentication works properly against
my LDAP, I'll need to look into making it work with LEAP.  If I
understand the docs correctly I'll have to use the "ntpassword" in order for
the EAP information to be properly handled, right?

Bryan

> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au] 
> Sent: Sunday, July 23, 2006 5:54 PM
> To: Woods, Bryan
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) LDAP2 and Bad Password message
> 
> 
> Hello Bryan -
> 
> It looks to me like the userPassword field contains a strange
> password string:
> 
> > Sun Jul 23 10:14:46 2006: DEBUG: LDAP got userPassword: {crypt}$1$lS$X2L/zp7xWYqYa44c35ErZ.
> 
> Normally the "{crypt}" prefix indicates UNIX crypt, while the "$1$"
> prefix indicates Linux MD5.
> 
> As this password contains both prefixes, Radiator is getting confused.
> 
> You say that the userPassword field contains Linux MD5 
> passwords, therefore you will need to remove the "{crypt}" prefixes.
> 
> See section 12.1.1 in the Radiator 3.15 reference manual ("doc/ref.html").
> 
> BTW - for a new installation you might consider using 
> ActivePerl 5.8 (latest is 5.8.8.817).
> 
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
> On 24 Jul 2006, at 03:30, Woods, Bryan wrote:
> 
> > Hello group,
> >
> > I'm having problems getting RADIATOR to authenticate (using AuthBy LDAP2)
> > against my openLDAP server.  The message that I'm getting is "AuthLDAP2
> > REJECT: Bad Password".  Here are some of the specifics unique to my
> > installation:
> >
> > 1.  LDAP allows anonymous (read only) binds.
> > 2.  The user accounts cannot bind to the server (only an admin account
> >     can do that).
> > 3.  Two hashes of the same password are stored for each user, a
> >     standard linux MD5 (stored in 'userPassword'), and an NT hash (copied
> >     from the 'smbpasswd' file and stored in 'ntPassword').
> > 4.  Eventually I'll want to use the ntPassword for authentication as I
> >     need to enable LEAP, but I've been unsuccessful in even getting simple
> >     authentication working.
> > 5.  RADIATOR 3.15 is running on a Windows 2K Server box under
> >     ActiveState Perl 5.6.
> > 6.  In my example below, I've used a user account "sis_link" with a
> >     password of "sislink321".
> >
> > Here's what my config file looks like:
> >
> > === config file ===
> >
> > # ldap.cfg
> > #
> > Foreground
> > LogStdout
> > LogDir		c:/Program Files/Radiator
> > DbDir		c:/Program Files/Radiator
> > Trace		4
> > <Client DEFAULT>
> > 	Secret	mysecret
> > 	DupInterval 0
> > </Client>
> >
> > <Realm DEFAULT>
> > 	<AuthBy LDAP2>
> > 		Host		10.1.1.101
> > 		AuthDN		uid=gov,o=PUSD,c=US
> > 		AuthPassword	*****
> > 		BaseDN		o=PUSD,c=US
> > 		UsernameAttr	uid
> > 		PasswordAttr	userPassword
> > 		AddToReply Framed-Protocol = PPP,\
> >         		Framed-IP-Netmask = 255.255.255.255,\
> >         		Framed-Routing = None,\
> >         		Framed-MTU = 1500,\
> > 			Framed-Compression = Van-Jacobson-TCP-IP
> > 		Version 3
> > 	</AuthBy>
> > </Realm>
> >
> > === debug output ===
> > Sun Jul 23 10:14:46 2006: DEBUG: Packet dump:
> > *** Received from 10.1.7.143 port 3948 ....
> > Code:       Access-Request
> > Identifier: 0
> > Authentic:        1153675030
> > Attributes:
> >         User-Name = "sis_link"
> >         User-Password = 7<146>9<143><185><181><174><226><217>{<198>y<128><234><159><31>
> >
> > Sun Jul 23 10:14:46 2006: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Sun Jul 23 10:14:46 2006: DEBUG:  Deleting session for sis_link, 10.1.7.143,
> > Sun Jul 23 10:14:46 2006: DEBUG: Handling with Radius::AuthLDAP2:
> > Sun Jul 23 10:14:46 2006: INFO: Connecting to 10.1.1.101:389
> > Sun Jul 23 10:14:46 2006: INFO: Attempting to bind to LDAP server 10.1.1.101:389
> >
> > Sun Jul 23 10:14:46 2006: DEBUG: LDAP got result for uid=sis_link,ou=Information Technology Services,ou=Education Center,o=PUSD,c=US
> > Sun Jul 23 10:14:46 2006: DEBUG: LDAP got userPassword: {crypt}$1$lS$X2L/zp7xWYqYa44c35ErZ.
> > Sun Jul 23 10:14:46 2006: DEBUG: Radius::AuthLDAP2 looks for match with sis_link [sis_link]
> > Sun Jul 23 10:14:46 2006: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: sis_link [sis_link]
> > Sun Jul 23 10:14:46 2006: INFO: Connecting to 10.1.1.101:389
> > Sun Jul 23 10:14:46 2006: INFO: Attempting to bind to LDAP server 10.1.1.101:389
> >
> > Sun Jul 23 10:14:46 2006: DEBUG: No entries for DEFAULT found in LDAP database
> > Sun Jul 23 10:14:46 2006: DEBUG: AuthBy LDAP2 result: REJECT, Bad Password
> > Sun Jul 23 10:14:46 2006: INFO: Access rejected for sis_link: Bad Password
> > Sun Jul 23 10:14:46 2006: DEBUG: Packet dump:
> > *** Sending to 10.1.7.143 port 3948 ....
> > Code:       Access-Reject
> > Identifier: 0
> > Authentic:        1153675030
> > Attributes:
> >         Reply-Message = "Request Denied"
> >
> >
> >
> > I'd appreciate any suggestions that you all can offer.
> >
> > Bryan Woods
> > Assistant System Administrator
> > Pomona Unified School District
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with 'unsubscribe radiator'
> > in the body of the message.
> 
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets), together
> with a trace 4 debug showing what is happening?
> 
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X. Includes support for
> reliable RADIUS transport (RadSec), and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
> 
> 
> 

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
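The comparison the thread is about, as an added stand-alone example that is not Radiator code and not from either poster: an RFC 2307-style userPassword value is split into its "{scheme}" prefix and the crypt(3) string behind it, the MD5-crypt variant is recognised by its own "$1$" marker, and the candidate password is re-hashed with a pure-Python MD5-crypt and compared in constant time. This is the work a post-search hook has to do once "{crypt}" has been clipped off; the function names, the sample password and the salt are constructed for this example (Radiator's real hooks are Perl and are not shown).

```python
import hashlib
import hmac
import re

# Constructed example: an LDAP userPassword value in the form OpenLDAP stores it,
# an RFC 2307 "{crypt}" scheme prefix followed by a Unix crypt(3) string.  As the
# thread explains, the "{crypt}" prefix and the "$1$" MD5-crypt marker are two
# different format indicators, and the scheme prefix has to be removed before
# the crypt string can be checked.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def split_scheme(user_password: str):
    """Return (scheme, remainder) for an RFC 2307 '{scheme}value' string.

    Scheme names are case-insensitive ("{crypt}" and "{CRYPT}" are the same);
    a value without a prefix is reported as scheme None.
    """
    m = _SCHEME_RE.match(user_password)
    if not m:
        return None, user_password
    return m.group(1).lower(), m.group(2)


def _to64(value: int, count: int) -> str:
    # crypt(3)'s own base-64 alphabet, least significant 6 bits first
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt ("$1$") as implemented by FreeBSD/glibc crypt(3), in pure Python."""
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]     # at most 8 salt characters
    pw = password.encode()
    sb = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # mix in the alternate digest, one byte per byte of password length
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # for each bit of the password length: a NUL byte or the first password byte
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with the original, deliberately irregular schedule
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$1${salt}${encoded}"


def verify_user_password(candidate: str, user_password: str) -> bool:
    """Check a cleartext candidate against a {crypt} MD5-crypt userPassword value.

    Returns False (never raises) for other schemes or crypt variants, so an
    unexpected hash format is a clean reject rather than a crash.
    """
    scheme, stored = split_scheme(user_password)
    if scheme not in (None, "crypt"):
        return False          # e.g. {SSHA}: not a crypt(3) string at all
    if not stored.startswith("$1$"):
        return False          # DES and other crypt variants are out of scope here
    computed = md5_crypt(candidate, stored)   # salt is taken from the stored value
    return hmac.compare_digest(computed.encode(), stored.encode())


if __name__ == "__main__":
    # constructed sample entry: password "example-pass" hashed with salt "lS"
    sample = "{crypt}" + md5_crypt("example-pass", "lS")
    print("stored userPassword :", sample)
    print("correct password    :", verify_user_password("example-pass", sample))
    print("wrong password      :", verify_user_password("example-pas", sample))
```

The verifier re-hashes the candidate with the salt taken from the stored string, so the stored value is never parsed beyond its prefixes, and a value carrying any other scheme ({SSHA}, {SHA}) or a non-"$1$" crypt string is rejected rather than mis-compared; that is the same outcome Radiator reports as "Bad Password" when it cannot make sense of the format.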

