(RADIATOR) Radiator authentication failing (auth against an LDAP directory)
Giovanni Del Valle
gdelvalle at btl.net
Thu Mar 22 13:21:07 CST 2007
Sorry for the late reply. Had to put out a fire elsewhere. Please advise.
Giovanni
Thu Mar 22 13:11:37 2007: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 45640 ....
Code: Access-Request
Identifier: 7
Authentic: 1234567890123456
Attributes:
User-Name = "gdelvalle"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
"<127><148><182><202><240><186><160>*<210><203><161><136><17><155><0>)"
Thu Mar 22 13:11:37 2007: DEBUG: Handling request with Handler
'Realm=gev.net'
Thu Mar 22 13:11:37 2007: DEBUG: Rewrote user name to gdelvalle at gev.net
Thu Mar 22 13:11:37 2007: DEBUG: Deleting session for gdelvalle,
203.63.154.1, 1234
Thu Mar 22 13:11:37 2007: DEBUG: Handling with Radius::AuthLDAP2
Thu Mar 22 13:11:37 2007: DEBUG: Attempting to bind with
uid=optigold,ou=SMI Directory Administrators, *admin_password*
Net::LDAP=HASH(0x62fac8) sending:
30 42 02 01 2F 60 3D 02 01 03 04 2C 75 69 64 3D 0B../`=....,uid=
6F 70 74 69 67 6F 6C 64 2C 6F 75 3D 53 4D 49 20 optigold,ou=SMI
44 69 72 65 63 74 6F 72 79 20 41 64 6D 69 6E 69 Directory Admini
73 74 72 61 74 6F 72 73 80 0A 33 72 31 63 40 6C strators..*admin
6C 6D 40 6E __ __ __ __ __ __ __ __ __ __ __ __ _password*
0000 66: SEQUENCE {
0002 1: INTEGER = 47
0005 61: [APPLICATION 0] {
0007 1: INTEGER = 3
000A 44: STRING = 'uid=optigold,ou=SMI Directory Administrators'
0038 10: [CONTEXT 0]
003A : 33 72 31 63 40 6C 6C 6D 40 6E __ __ __ __ __ __
*admin_password*
0044 : }
0044 : }
Net::LDAP=HASH(0x62fac8) received:
30 0C 02 01 2F 61 07 0A 01 00 04 00 04 00 __ __ 0.../a........
0000 12: SEQUENCE {
0002 1: INTEGER = 47
0005 7: [APPLICATION 1] {
0007 1: ENUM = 0
000A 0: STRING = ''
000C 0: STRING = ''
000E : }
000E : }
Net::LDAP=HASH(0x62fac8) sending:
30 81 8C 02 01 30 63 81 86 04 3C 6D 61 69 6C 52 0....0c...<mailR
6F 75 74 69 6E 67 41 64 64 72 65 73 73 3D 67 64 outingAddress=gd
65 6C 76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 2C elvalle at gev.net,
6F 75 3D 50 65 6F 70 6C 65 2C 64 63 3D 62 74 6C ou=People,dc=gev
2C 64 63 3D 6E 65 74 0A 01 00 0A 01 02 02 01 00 ,dc=net.........
02 01 00 01 01 00 A3 27 04 12 6D 61 69 6C 52 6F .......'..mailRo
75 74 69 6E 67 41 64 64 72 65 73 73 04 11 67 64 utingAddress..gd
65 6C 76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 30 elvalle at gev.net0
0E 04 0C 75 73 65 72 50 61 73 73 77 6F 72 64 __ ...userPassword
0000 140: SEQUENCE {
0003 1: INTEGER = 48
0006 134: [APPLICATION 3] {
0009 60: STRING =
'mailRoutingAddress=gdelvalle at gev.net,ou=People,dc=gev,dc=net'
0047 1: ENUM = 0
004A 1: ENUM = 2
004D 1: INTEGER = 0
0050 1: INTEGER = 0
0053 1: BOOLEAN = FALSE
0056 39: [CONTEXT 3] {
0058 18: STRING = 'mailRoutingAddress'
006C 17: STRING = 'gdelvalle at gev.net'
007F : }
007F 14: SEQUENCE {
0081 12: STRING = 'userPassword'
008F : }
008F : }
008F : }
Net::LDAP=HASH(0x62fac8) received:
30 6D 02 01 30 64 68 04 3C 6D 61 69 6C 52 6F 75 0m..0dh.<mailRou
74 69 6E 67 41 64 64 72 65 73 73 3D 67 64 65 6C tingAddress=gdel
76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 2C 6F 75 valle at gev.net,ou
3D 50 65 6F 70 6C 65 2C 64 63 3D 62 74 6C 2C 64 =People,dc=gev,d
63 3D 6E 65 74 30 28 30 26 04 0C 75 73 65 72 50 c=net0(0&..userP
61 73 73 77 6F 72 64 31 16 04 14 7B 43 52 59 50 assword1...{CRYP
54 7D 4C 34 73 6E 57 72 6E 5A 69 39 77 66 55 __ T}L4snWrnZi9wfU
0000 109: SEQUENCE {
0002 1: INTEGER = 48
0005 104: [APPLICATION 4] {
0007 60: STRING =
'mailRoutingAddress=gdelvalle at gev.net,ou=People,dc=gev,dc=net'
0045 40: SEQUENCE {
0047 38: SEQUENCE {
0049 12: STRING = 'userPassword'
0057 22: SET {
0059 20: STRING = '{CRYPT}L4snWrnZi9wfU'
006F : }
006F : }
006F : }
006F : }
006F : }
Net::LDAP=HASH(0x62fac8) received:
30 0C 02 01 30 65 07 0A 01 00 04 00 04 00 __ __ 0...0e........
0000 12: SEQUENCE {
0002 1: INTEGER = 48
0005 7: [APPLICATION 5] {
0007 1: ENUM = 0
000A 0: STRING = ''
000C 0: STRING = ''
000E : }
000E : }
Thu Mar 22 13:11:37 2007: DEBUG: LDAP got result for
mailRoutingAddress=gdelvalle at gev.net,ou=People,dc=gev,dc=net
Thu Mar 22 13:11:37 2007: DEBUG: LDAP got userPassword: {CRYPT}L4snWrnZi9wfU
Thu Mar 22 13:11:37 2007: DEBUG: Radius::AuthLDAP2 looks for match with
gdelvalle at gev.net
Thu Mar 22 13:11:37 2007: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Thu Mar 22 13:11:37 2007: DEBUG: Connecting to toucan.gev.net, port 389
Thu Mar 22 13:11:37 2007: DEBUG: Attempting to bind with
uid=optigold,ou=SMI Directory Administrators, *admin_password*
Net::LDAP=HASH(0x6787e0) sending:
30 42 02 01 31 60 3D 02 01 03 04 2C 75 69 64 3D 0B..1`=....,uid=
6F 70 74 69 67 6F 6C 64 2C 6F 75 3D 53 4D 49 20 optigold,ou=SMI
44 69 72 65 63 74 6F 72 79 20 41 64 6D 69 6E 69 Directory Admini
73 74 72 61 74 6F 72 73 80 0A 33 72 31 63 40 6C strators..*admin
6C 6D 40 6E __ __ __ __ __ __ __ __ __ __ __ __ _password*
0000 66: SEQUENCE {
0002 1: INTEGER = 49
0005 61: [APPLICATION 0] {
0007 1: INTEGER = 3
000A 44: STRING = 'uid=optigold,ou=SMI Directory Administrators'
0038 10: [CONTEXT 0]
003A : 33 72 31 63 40 6C 6C 6D 40 6E __ __ __ __ __ __
*admin_password*
0044 : }
0044 : }
Net::LDAP=HASH(0x6787e0) received:
30 0C 02 01 31 61 07 0A 01 00 04 00 04 00 __ __ 0...1a........
0000 12: SEQUENCE {
0002 1: INTEGER = 49
0005 7: [APPLICATION 1] {
0007 1: ENUM = 0
000A 0: STRING = ''
000C 0: STRING = ''
000E : }
000E : }
Net::LDAP=HASH(0x6787e0) sending:
30 77 02 01 32 63 72 04 32 6D 61 69 6C 52 6F 75 0w..2cr.2mailRou
74 69 6E 67 41 64 64 72 65 73 73 3D 44 45 46 41 tingAddress=DEFA
55 4C 54 2C 6F 75 3D 50 65 6F 70 6C 65 2C 64 63 ULT,ou=People,dc
3D 62 74 6C 2C 64 63 3D 6E 65 74 0A 01 00 0A 01 =gev,dc=net.....
02 02 01 00 02 01 00 01 01 00 A3 1D 04 12 6D 61 ..............ma
69 6C 52 6F 75 74 69 6E 67 41 64 64 72 65 73 73 ilRoutingAddress
04 07 44 45 46 41 55 4C 54 30 0E 04 0C 75 73 65 ..DEFAULT0...use
72 50 61 73 73 77 6F 72 64 __ __ __ __ __ __ __ rPassword
0000 119: SEQUENCE {
0002 1: INTEGER = 50
0005 114: [APPLICATION 3] {
0007 50: STRING = 'mailRoutingAddress=DEFAULT,ou=People,dc=gev,dc=net'
003B 1: ENUM = 0
003E 1: ENUM = 2
0041 1: INTEGER = 0
0044 1: INTEGER = 0
0047 1: BOOLEAN = FALSE
004A 29: [CONTEXT 3] {
004C 18: STRING = 'mailRoutingAddress'
0060 7: STRING = 'DEFAULT'
0069 : }
0069 14: SEQUENCE {
006B 12: STRING = 'userPassword'
0079 : }
0079 : }
0079 : }
Net::LDAP=HASH(0x6787e0) received:
30 23 02 01 32 65 1E 0A 01 20 04 17 6F 75 3D 50 0#..2e... ..ou=P
65 6F 70 6C 65 2C 64 63 3D 62 74 6C 2C 64 63 3D eople,dc=gev,dc=
6E 65 74 04 00 __ __ __ __ __ __ __ __ __ __ __ net..
0000 35: SEQUENCE {
0002 1: INTEGER = 50
0005 30: [APPLICATION 5] {
0007 1: ENUM = 32
000A 23: STRING = 'ou=People,dc=gev,dc=net'
0023 0: STRING = ''
0025 : }
0025 : }
Thu Mar 22 13:11:37 2007: ERR: ldap search failed with error
LDAP_NO_SUCH_OBJECT.
Thu Mar 22 13:11:37 2007: INFO: Access rejected for gdelvalle at gev.net:
Bad Password
Thu Mar 22 13:11:37 2007: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 45640 ....
Code: Access-Reject
Identifier: 7
Authentic: 1234567890123456
Attributes:
Reply-Message = "Bad Password"
Hugh Irvine wrote:
>
> Hello Giovanni -
>
> I will need to see a trace 4 debug from Radiator showing what is
> happening, including the LDAP debug which can be set with Debug 255 in
> the AuthBy LDAP2 clause.
>
> You also don't need the AuthAttrDef in your configuration file, as it
> is the PasswordAttr definition that is used to check the password.
>
> Your configuration file should look something like this:
>
> .....
>
> Trace 4
>
> .......
>
>
> <Realm gev.net>
>
> AcctLogFileName %L/ldap/detail
> PasswordLogFileName %L/ldap/password.log
>
> <AuthBy LDAP2>
>
> Debug 255
>
> Host ldap.gev.net
> Port 389
> # Log in to LDAP as admin
> AuthDN uid=smadmin,ou=SMI Directory Administrators
>
> # log in to LDAP with password adminpassword
>
> AuthPassword *omitted*
>
> BaseDN %0=%1,ou=People,dc=gev,dc=net
> Scope base
>
> # this is the attribute for username
> UsernameAttr mailRoutingAddress
>
> # this attribute is for passwords
> # EncryptedPasswordAttr userPassword
> PasswordAttr userPassword
>
> </Authby>
>
> </Realm gev.net>
>
>
> regards
>
> Hugh
>
>
> On 21 Mar 2007, at 05:31, Giovanni Del Valle wrote:
>
>>
>> I am having trouble getting radius server to authenticate against
>> LDAP server.
>> My username is gdelvalle at gev.net
>> My password is test123
>> I've read the manual but can't make any headway. Just to check
>> binding and searching I successfully had radius auth against
>> mailRoutingAddress (in other words, once the email address
>> existed the test would pass).
>> I have excerpts of all my files below. I know that the ldap server
>> responds with a crypt variant of my cleartext password test123
>> crypt(test123,L4) => L4snWrnZi9wfU
>>
>> So why does it fail??
>>
>> Please help.
>> Giovanni
>> Assistant System Administrator
>> -----------------------
>>
>> radius logfile gives me this: ERR: ldap search failed with error
>> LDAP_NO_SUCH_OBJECT.
>> password.log gives me this: Tue Mar 20 11:50:43
>> 2007:1174413043:gdelvalle at gev.net:test123:{CRYPT}L4snWrnZi9wfU:FAIL
>>
>> <Realm gev.net>
>> AcctLogFileName %L/ldap/detail
>> PasswordLogFileName %L/ldap/password.log
>>
>> <AuthBy LDAP2>
>>
>> Host ldap.gev.net
>> Port 389
>> # Log in to LDAP as admin
>> AuthDN uid=smadmin,ou=SMI Directory Administrators
>>
>> # log in to LDAP with password adminpassword
>>
>> AuthPassword *omitted*
>>
>> BaseDN %0=%1,ou=People,dc=gev,dc=net
>> Scope base
>>
>> # this is the attribute for username
>> UsernameAttr mailRoutingAddress
>>
>> # this attribute is for passwords
>> # EncryptedPasswordAttr userPassword
>> PasswordAttr userPassword
>>
>> # AuthAttrDef uid,User-Name,check
>> AuthAttrDef userPassword,User-Password,check
>> </Authby>
>>
>> </Realm gev.net>
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
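The Access-Request at the top of the trace carries the User-Password already hidden as RFC 2865 section 5.2 prescribes: the NUL-padded password is XORed with MD5(shared secret + Request Authenticator), and any further 16-byte block with MD5(shared secret + previous ciphertext block). The Python below is an added example written for this archive page; it is not Radiator code and did not appear in the thread. It implements that hiding and its inverse, converts Radiator's packet-dump notation (printable bytes literal, others as `<decimal>`) for the 16 bytes shown in the trace back into bytes, and shows why the fixed Request Authenticator 1234567890123456 in that dump matters. The shared secret between the test client and Radiator is not on the page, so `example-secret` is a placeholder and decoding the page's bytes with it is not expected to yield the real password.

```python
import hashlib


def pad16(data: bytes) -> bytes:
    """NUL-pad to a multiple of 16 bytes, as RFC 2865 requires before hiding."""
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a cleartext User-Password for an Access-Request (RFC 2865 section 5.2).

    Block i of the padded password is XORed with MD5(secret + c(i-1)), where c(0)
    is the 16-byte Request Authenticator and c(i) the previous ciphertext block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = pad16(password)
    out = bytearray()
    prev = authenticator
    for off in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[off:off + 16], keystream))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. The scheme has no integrity check, so a wrong
    secret silently yields garbage instead of an error. Trailing NUL padding is
    stripped, which would also strip genuine trailing NULs from a password."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    out = bytearray()
    prev = authenticator
    for off in range(0, len(hidden), 16):
        cipher = hidden[off:off + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher, keystream))
        prev = cipher
    return bytes(out).rstrip(b"\x00")


def parse_radiator_octets(dumped: str) -> bytes:
    """Turn Radiator's packet-dump rendering of a binary attribute (printable
    bytes shown literally, everything else as <decimal>) back into bytes."""
    out = bytearray()
    i = 0
    while i < len(dumped):
        if dumped[i] == "<":
            close = dumped.index(">", i)
            out.append(int(dumped[i + 1:close]))
            i = close + 1
        else:
            out.append(ord(dumped[i]))
            i += 1
    return bytes(out)


# The hidden User-Password and Request Authenticator exactly as printed in the trace.
PAGE_HIDDEN = parse_radiator_octets(
    "<127><148><182><202><240><186><160>*<210><203><161><136><17><155><0>)")
PAGE_AUTHENTICATOR = b"1234567890123456"

# Placeholder: the real shared secret used for the test request is not on the page.
EXAMPLE_SECRET = b"example-secret"


def first_block_xor_leak(pw_a: bytes, pw_b: bytes, secret: bytes, authenticator: bytes) -> bool:
    """With the same secret and a reused Request Authenticator the first-block
    keystream is identical for every request, so XORing two hidden passwords gives
    the XOR of the two padded plaintexts: knowing one password reveals the other."""
    ha = hide_password(pw_a, secret, authenticator)[:16]
    hb = hide_password(pw_b, secret, authenticator)[:16]
    pa, pb = pad16(pw_a)[:16], pad16(pw_b)[:16]
    return bytes(x ^ y for x, y in zip(ha, hb)) == bytes(x ^ y for x, y in zip(pa, pb))


if __name__ == "__main__":
    hidden = hide_password(b"test123", EXAMPLE_SECRET, PAGE_AUTHENTICATOR)
    print("round trip:", reveal_password(hidden, EXAMPLE_SECRET, PAGE_AUTHENTICATOR))
    # Decoding the page's bytes needs the real secret; with the placeholder this is noise.
    print("page bytes with placeholder secret:",
          reveal_password(PAGE_HIDDEN, EXAMPLE_SECRET, PAGE_AUTHENTICATOR))
    print("first-block keystream reuse leak:",
          first_block_xor_leak(b"test123", b"hunter2", EXAMPLE_SECRET, PAGE_AUTHENTICATOR))
```

The practical point of `first_block_xor_leak`: a test client that always sends the same Request Authenticator (the ASCII string 1234567890123456 seen in the dump) with the same shared secret produces the same first-block keystream every time, so anyone who captured these packets and knows one password (the original message states it is test123) recovers the first 16 bytes of every other password sent the same way by XOR alone. Test requests should therefore use a random authenticator and not be replayed across an untrusted network against a production secret.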
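The password.log line quoted in the original message and the trace's `LDAP got userPassword: {CRYPT}L4snWrnZi9wfU` show the comparison that PasswordAttr drives: the value fetched from the directory carries an RFC 2307 style scheme prefix and the submitted cleartext is hashed the same way and compared. The Python below is an added example for this page, not Radiator's code. It parses that log line (the field order date:epoch:user:submitted:stored:result is inferred from the single line on the page and is an assumption) and verifies a submitted password against `{CRYPT}`, `{SHA}`, `{SSHA}`, `{MD5}`, `{SMD5}` or plain values, returning None rather than a bare FAIL when the value cannot be checked. The `{CRYPT}` branch needs Python's `crypt` module, which was removed in Python 3.13, so the page's own hash is only re-checked where that module exists and no particular outcome is assumed.

```python
import base64
import hashlib
import hmac
import re

try:
    import crypt  # deprecated since Python 3.11 and removed in 3.13
except ImportError:
    crypt = None

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def split_scheme(stored: str):
    """'{CRYPT}L4snWrnZi9wfU' -> ('CRYPT', 'L4snWrnZi9wfU'); no prefix -> (None, value).
    The scheme name is normalised so {crypt} and {CRYPT} are treated alike."""
    m = _SCHEME_RE.match(stored)
    if not m:
        return None, stored
    return m.group(1).upper(), m.group(2)


def verify_userpassword(stored: str, submitted: str):
    """Compare a submitted cleartext with an RFC 2307 style userPassword value.

    Returns True or False for a scheme that can be checked here, and None when it
    cannot (unknown scheme, malformed value, or {CRYPT} without the crypt module),
    so a caller can tell 'bad password' apart from 'could not verify'."""
    scheme, value = split_scheme(stored)
    if scheme is None:
        return hmac.compare_digest(value.encode(), submitted.encode())
    if scheme == "CRYPT":
        if crypt is None:
            return None
        # Traditional DES crypt (two-character salt, as in the page's hash) truncates
        # the password to 8 characters and has a 12-bit salt; it is weak by any
        # modern standard and should not be used for new accounts.
        computed = crypt.crypt(submitted, value)
        if computed is None:
            return None
        return hmac.compare_digest(computed.encode(), value.encode())
    if scheme in ("SHA", "SSHA"):
        algo, digest_len = hashlib.sha1, 20
    elif scheme in ("MD5", "SMD5"):
        algo, digest_len = hashlib.md5, 16
    else:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    digest, salt = raw[:digest_len], raw[digest_len:]
    if len(digest) != digest_len or (scheme in ("SHA", "MD5") and salt):
        return None
    return hmac.compare_digest(algo(submitted.encode() + salt).digest(), digest)


def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value the way a directory stores it (used for the self-test)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_sha(password: str) -> str:
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Field order is inferred from the one line on the page (assumption). The result
# token on the page is FAIL; any other upper-case token is accepted without
# assuming what it is called.
_PASSWORD_LOG_RE = re.compile(
    r"^(?P<date>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}):"
    r"(?P<epoch>\d+):(?P<user>[^:]*):(?P<submitted>.*):(?P<stored>[^:]*):(?P<result>[A-Z]+)$"
)

# The password.log line quoted in the original message, re-joined onto one line.
PAGE_LOG_LINE = ("Tue Mar 20 11:50:43 2007:1174413043:gdelvalle at gev.net:"
                 "test123:{CRYPT}L4snWrnZi9wfU:FAIL")


def parse_password_log(line: str) -> dict:
    m = _PASSWORD_LOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a password.log line: %r" % line)
    fields = m.groupdict()
    fields["epoch"] = int(fields["epoch"])
    return fields


def recheck_password_log(line: str):
    """Redo the comparison a password.log line records, from its own fields."""
    f = parse_password_log(line)
    return verify_userpassword(f["stored"], f["submitted"])


if __name__ == "__main__":
    print(parse_password_log(PAGE_LOG_LINE))
    print("recheck of the page's line:", recheck_password_log(PAGE_LOG_LINE))
```

Two things the trace itself makes visible are worth noting alongside this: the admin bind and the searches run in clear over port 389, and password.log records the submitted password in clear text next to the stored hash, so both the directory channel and that log file deserve tighter handling on anything but a test box. Note also that the `LDAP_NO_SUCH_OBJECT` error near the end of the trace is the result (code 32, matched DN `ou=People,dc=gev,dc=net`) of the second search, for `mailRoutingAddress=DEFAULT,ou=People,dc=gev,dc=net`; the search for the user's own entry returned the userPassword value, and the rejection logged for it is "Bad Password".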