(RADIATOR) Radiator authentication failing (auth against an LDAP directory)

Giovanni Del Valle gdelvalle at btl.net
Thu Mar 22 13:21:07 CST 2007


Sorry for the late reply. Had to put out a fire elsewhere. Please advise.


Giovanni

Thu Mar 22 13:11:37 2007: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 45640 ....
Code:       Access-Request
Identifier: 7
Authentic:  1234567890123456
Attributes:
        User-Name = "gdelvalle"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = 
"<127><148><182><202><240><186><160>*<210><203><161><136><17><155><0>)"

Thu Mar 22 13:11:37 2007: DEBUG: Handling request with Handler 
'Realm=gev.net'
Thu Mar 22 13:11:37 2007: DEBUG: Rewrote user name to gdelvalle@gev.net
Thu Mar 22 13:11:37 2007: DEBUG:  Deleting session for gdelvalle, 
203.63.154.1, 1234
Thu Mar 22 13:11:37 2007: DEBUG: Handling with Radius::AuthLDAP2
Thu Mar 22 13:11:37 2007: DEBUG: Attempting to bind with 
uid=optigold,ou=SMI Directory Administrators, *admin_password*
Net::LDAP=HASH(0x62fac8) sending:

30 42 02 01 2F 60 3D 02 01 03 04 2C 75 69 64 3D 0B../`=....,uid=
6F 70 74 69 67 6F 6C 64 2C 6F 75 3D 53 4D 49 20 optigold,ou=SMI
44 69 72 65 63 74 6F 72 79 20 41 64 6D 69 6E 69 Directory Admini
73 74 72 61 74 6F 72 73 80 0A xx xx xx xx xx xx strators..*admin
xx xx xx xx __ __ __ __ __ __ __ __ __ __ __ __ _password*

0000   66: SEQUENCE {
0002    1:   INTEGER = 47
0005   61:   [APPLICATION 0] {
0007    1:     INTEGER = 3
000A   44:     STRING = 'uid=optigold,ou=SMI Directory Administrators'
0038   10:     [CONTEXT 0]
003A     :       xx xx xx xx xx xx xx xx xx xx __ __ __ __ __ __ *admin_password*
0044     :   }
0044     : }
Net::LDAP=HASH(0x62fac8) received:

30 0C 02 01 2F 61 07 0A 01 00 04 00 04 00 __ __ 0.../a........

0000   12: SEQUENCE {
0002    1:   INTEGER = 47
0005    7:   [APPLICATION 1] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }
Net::LDAP=HASH(0x62fac8) sending:

30 81 8C 02 01 30 63 81 86 04 3C 6D 61 69 6C 52 0....0c...<mailR
6F 75 74 69 6E 67 41 64 64 72 65 73 73 3D 67 64 outingAddress=gd
65 6C 76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 2C elvalle@gev.net,
6F 75 3D 50 65 6F 70 6C 65 2C 64 63 3D 62 74 6C ou=People,dc=gev
2C 64 63 3D 6E 65 74 0A 01 00 0A 01 02 02 01 00 ,dc=net.........
02 01 00 01 01 00 A3 27 04 12 6D 61 69 6C 52 6F .......'..mailRo
75 74 69 6E 67 41 64 64 72 65 73 73 04 11 67 64 utingAddress..gd
65 6C 76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 30 elvalle@gev.net0
0E 04 0C 75 73 65 72 50 61 73 73 77 6F 72 64 __ ...userPassword

0000  140: SEQUENCE {
0003    1:   INTEGER = 48
0006  134:   [APPLICATION 3] {
0009   60:     STRING = 
'mailRoutingAddress=gdelvalle@gev.net,ou=People,dc=gev,dc=net'
0047    1:     ENUM = 0
004A    1:     ENUM = 2
004D    1:     INTEGER = 0
0050    1:     INTEGER = 0
0053    1:     BOOLEAN = FALSE
0056   39:     [CONTEXT 3] {
0058   18:       STRING = 'mailRoutingAddress'
006C   17:       STRING = 'gdelvalle@gev.net'
007F     :     }
007F   14:     SEQUENCE {
0081   12:       STRING = 'userPassword'
008F     :     }
008F     :   }
008F     : }
Net::LDAP=HASH(0x62fac8) received:

30 6D 02 01 30 64 68 04 3C 6D 61 69 6C 52 6F 75 0m..0dh.<mailRou
74 69 6E 67 41 64 64 72 65 73 73 3D 67 64 65 6C tingAddress=gdel
76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 2C 6F 75 valle@gev.net,ou
3D 50 65 6F 70 6C 65 2C 64 63 3D 62 74 6C 2C 64 =People,dc=gev,d
63 3D 6E 65 74 30 28 30 26 04 0C 75 73 65 72 50 c=net0(0&..userP
61 73 73 77 6F 72 64 31 16 04 14 7B 43 52 59 50 assword1...{CRYP
54 7D 4C 34 73 6E 57 72 6E 5A 69 39 77 66 55 __ T}L4snWrnZi9wfU

0000  109: SEQUENCE {
0002    1:   INTEGER = 48
0005  104:   [APPLICATION 4] {
0007   60:     STRING = 
'mailRoutingAddress=gdelvalle@gev.net,ou=People,dc=gev,dc=net'
0045   40:     SEQUENCE {
0047   38:       SEQUENCE {
0049   12:         STRING = 'userPassword'
0057   22:         SET {
0059   20:           STRING = '{CRYPT}L4snWrnZi9wfU'
006F     :         }
006F     :       }
006F     :     }
006F     :   }
006F     : }
Net::LDAP=HASH(0x62fac8) received:

30 0C 02 01 30 65 07 0A 01 00 04 00 04 00 __ __ 0...0e........

0000   12: SEQUENCE {
0002    1:   INTEGER = 48
0005    7:   [APPLICATION 5] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }
Thu Mar 22 13:11:37 2007: DEBUG: LDAP got result for 
mailRoutingAddress=gdelvalle@gev.net,ou=People,dc=gev,dc=net
Thu Mar 22 13:11:37 2007: DEBUG: LDAP got userPassword: {CRYPT}L4snWrnZi9wfU
Thu Mar 22 13:11:37 2007: DEBUG: Radius::AuthLDAP2 looks for match with 
gdelvalle@gev.net
Thu Mar 22 13:11:37 2007: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Thu Mar 22 13:11:37 2007: DEBUG: Connecting to toucan.gev.net, port 389
Thu Mar 22 13:11:37 2007: DEBUG: Attempting to bind with 
uid=optigold,ou=SMI Directory Administrators, *admin_password*
Net::LDAP=HASH(0x6787e0) sending:

30 42 02 01 31 60 3D 02 01 03 04 2C 75 69 64 3D 0B..1`=....,uid=
6F 70 74 69 67 6F 6C 64 2C 6F 75 3D 53 4D 49 20 optigold,ou=SMI
44 69 72 65 63 74 6F 72 79 20 41 64 6D 69 6E 69 Directory Admini
73 74 72 61 74 6F 72 73 80 0A xx xx xx xx xx xx strators..*admin
xx xx xx xx __ __ __ __ __ __ __ __ __ __ __ __ _password*

0000   66: SEQUENCE {
0002    1:   INTEGER = 49
0005   61:   [APPLICATION 0] {
0007    1:     INTEGER = 3
000A   44:     STRING = 'uid=optigold,ou=SMI Directory Administrators'
0038   10:     [CONTEXT 0]
003A     :       xx xx xx xx xx xx xx xx xx xx __ __ __ __ __ __ *admin_password*
0044     :   }
0044     : }
Net::LDAP=HASH(0x6787e0) received:

30 0C 02 01 31 61 07 0A 01 00 04 00 04 00 __ __ 0...1a........

0000   12: SEQUENCE {
0002    1:   INTEGER = 49
0005    7:   [APPLICATION 1] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }
Net::LDAP=HASH(0x6787e0) sending:

30 77 02 01 32 63 72 04 32 6D 61 69 6C 52 6F 75 0w..2cr.2mailRou
74 69 6E 67 41 64 64 72 65 73 73 3D 44 45 46 41 tingAddress=DEFA
55 4C 54 2C 6F 75 3D 50 65 6F 70 6C 65 2C 64 63 ULT,ou=People,dc
3D 62 74 6C 2C 64 63 3D 6E 65 74 0A 01 00 0A 01 =gev,dc=net.....
02 02 01 00 02 01 00 01 01 00 A3 1D 04 12 6D 61 ..............ma
69 6C 52 6F 75 74 69 6E 67 41 64 64 72 65 73 73 ilRoutingAddress
04 07 44 45 46 41 55 4C 54 30 0E 04 0C 75 73 65 ..DEFAULT0...use
72 50 61 73 73 77 6F 72 64 __ __ __ __ __ __ __ rPassword

0000  119: SEQUENCE {
0002    1:   INTEGER = 50
0005  114:   [APPLICATION 3] {
0007   50:     STRING = 'mailRoutingAddress=DEFAULT,ou=People,dc=gev,dc=net'
003B    1:     ENUM = 0
003E    1:     ENUM = 2
0041    1:     INTEGER = 0
0044    1:     INTEGER = 0
0047    1:     BOOLEAN = FALSE
004A   29:     [CONTEXT 3] {
004C   18:       STRING = 'mailRoutingAddress'
0060    7:       STRING = 'DEFAULT'
0069     :     }
0069   14:     SEQUENCE {
006B   12:       STRING = 'userPassword'
0079     :     }
0079     :   }
0079     : }
Net::LDAP=HASH(0x6787e0) received:

30 23 02 01 32 65 1E 0A 01 20 04 17 6F 75 3D 50 0#..2e... ..ou=P
65 6F 70 6C 65 2C 64 63 3D 62 74 6C 2C 64 63 3D eople,dc=gev,dc=
6E 65 74 04 00 __ __ __ __ __ __ __ __ __ __ __ net..

0000   35: SEQUENCE {
0002    1:   INTEGER = 50
0005   30:   [APPLICATION 5] {
0007    1:     ENUM = 32
000A   23:     STRING = 'ou=People,dc=gev,dc=net'
0023    0:     STRING = ''
0025     :   }
0025     : }
Thu Mar 22 13:11:37 2007: ERR: ldap search failed with error 
LDAP_NO_SUCH_OBJECT.
Thu Mar 22 13:11:37 2007: INFO: Access rejected for gdelvalle@gev.net: 
Bad Password
Thu Mar 22 13:11:37 2007: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 45640 ....
Code:       Access-Reject
Identifier: 7
Authentic:  1234567890123456
Attributes:
        Reply-Message = "Bad Password"





Hugh Irvine wrote:
>
> Hello Giovanni -
>
> I will need to see a trace 4 debug from Radiator showing what is 
> happening, including the LDAP debug which can be set with Debug 255 in 
> the AuthBy LDAP2 clause.
>
> You also don't need the AuthAttrDef in your configuration file, as it 
> is the PasswordAttr definition that is used to check the password.
>
> Your configuration file should look something like this:
>
> .....
>
> Trace 4
>
> .......
>
>
> <Realm gev.net>
>
>  AcctLogFileName %L/ldap/detail
>  PasswordLogFileName %L/ldap/password.log
>
>  <AuthBy LDAP2>
>
>    Debug 255
>
>    Host ldap.gev.net
>    Port 389
>    # Log in to LDAP as admin
>    AuthDN uid=smadmin,ou=SMI Directory Administrators
>
>    # log in to LDAP with password adminpassword
>
>    AuthPassword *omitted*
>
>    BaseDN     %0=%1,ou=People,dc=gev,dc=net
>    Scope       base
>
>    # this is the attribute for username
>    UsernameAttr mailRoutingAddress
>
>    # this attribute is for passwords
>   # EncryptedPasswordAttr userPassword
>   PasswordAttr userPassword
>
>  </AuthBy>
>
> </Realm gev.net>
>
>
> regards
>
> Hugh
>
>
> On 21 Mar 2007, at 05:31, Giovanni Del Valle wrote:
>
>>
>> I am having trouble getting the RADIUS server to authenticate against 
>> the LDAP server.
>> My username is gdelvalle@gev.net
>> My password is test123
>> I've read the manual but can't make any headway.  Just to check 
>> binding and searching I successfully had RADIUS auth against 
>> mailRoutingAddress (in other words, once the email address 
>> existed the test would pass).
>> I have excerpts of all my files below.  I know that the LDAP server 
>> responds with a crypt variant of my cleartext password test123:
>>   crypt(test123,L4) => L4snWrnZi9wfU
>>
>> So why does it fail?
>>
>> Please help.
>> Giovanni
>> Assistant System Administrator
>> -----------------------
>>
>> radius logfile gives me this:  ERR: ldap search failed with error 
>> LDAP_NO_SUCH_OBJECT.
>> password.log gives me this: Tue Mar 20 11:50:43 
>> 2007:1174413043:gdelvalle@gev.net:test123:{CRYPT}L4snWrnZi9wfU:FAIL
>>
>> <Realm gev.net>
>>  AcctLogFileName %L/ldap/detail
>>  PasswordLogFileName %L/ldap/password.log
>>
>>  <AuthBy LDAP2>
>>
>>    Host ldap.gev.net
>>    Port 389
>>    # Log in to LDAP as admin
>>    AuthDN uid=smadmin,ou=SMI Directory Administrators
>>
>>    # log in to LDAP with password adminpassword
>>
>>    AuthPassword *omitted*
>>
>>    BaseDN     %0=%1,ou=People,dc=gev,dc=net
>>    Scope       base
>>
>>    # this is the attribute for username
>>    UsernameAttr mailRoutingAddress
>>
>>    # this attribute is for passwords
>>   # EncryptedPasswordAttr userPassword
>>   PasswordAttr userPassword
>>
>>   # AuthAttrDef uid,User-Name,check
>>    AuthAttrDef userPassword,User-Password,check
>>  </AuthBy>
>>
>> </Realm gev.net>
>>
>>
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
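The trace above fetches userPassword = '{CRYPT}L4snWrnZi9wfU' and then reports "Bad Password" when comparing it with the cleartext from the RADIUS request. The following is an added example, not Radiator's code and not part of the original thread: it shows how a RADIUS server that reads a userPassword attribute has to interpret the RFC 2307 style '{SCHEME}' tag before comparing (SHA/SSHA/MD5/SMD5 via hashlib, CRYPT via the crypt(3) binding where the Python build still has it). Scheme tags are matched case-insensitively here; whether your own server treats '{CRYPT}' and '{crypt}' alike is something to verify against its manual, not something this code can tell you. The fixed salt and the constructed stored values in the demo are illustrative only.

```python
"""Check a cleartext password against an LDAP userPassword value.

Added example, not Radiator's code. The '{SCHEME}' tag on the stored
value says how the comparison must be done; untagged values are
cleartext. Tags are matched case-insensitively here.
"""
import base64
import hashlib
import hmac
import os
import re
import warnings
from typing import Optional, Tuple

try:  # crypt(3) binding: deprecated in Python 3.11, removed in 3.13
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt
except ImportError:
    crypt = None

_TAG = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)
_DIGEST = {"SHA": "sha1", "SSHA": "sha1", "MD5": "md5", "SMD5": "md5"}


def parse_userpassword(value: str) -> Tuple[str, str]:
    """Split '{scheme}payload' into (SCHEME, payload); untagged is ('CLEAR', value)."""
    m = _TAG.match(value)
    if m is None:
        return "CLEAR", value
    return m.group(1).upper(), m.group(2)


def encode_password(cleartext: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Build a stored value; salted schemes draw a random salt if none is given."""
    scheme = scheme.upper()
    pw = cleartext.encode("utf-8")
    if scheme == "CLEAR":
        return cleartext
    if scheme in ("SHA", "MD5"):
        digest = hashlib.new(_DIGEST[scheme], pw).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))
    if scheme in ("SSHA", "SMD5"):
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.new(_DIGEST[scheme], pw + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this Python build")
        return "{CRYPT}" + crypt.crypt(cleartext, salt.decode("ascii") if salt else crypt.mksalt())
    raise ValueError("unsupported password scheme %r" % scheme)


def check_password(cleartext: str, stored: str) -> bool:
    """True if cleartext matches the stored userPassword value (constant-time compares)."""
    scheme, payload = parse_userpassword(stored)
    pw = cleartext.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme in ("SHA", "MD5"):
        return hmac.compare_digest(hashlib.new(_DIGEST[scheme], pw).digest(),
                                   base64.b64decode(payload))
    if scheme in ("SSHA", "SMD5"):
        raw = base64.b64decode(payload)
        n = hashlib.new(_DIGEST[scheme]).digest_size
        digest, salt = raw[:n], raw[n:]        # salt is whatever follows the digest
        return hmac.compare_digest(hashlib.new(_DIGEST[scheme], pw + salt).digest(), digest)
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this Python build")
        # crypt(3) reads the salt (and any $id$ prefix) out of the stored hash itself.
        result = crypt.crypt(cleartext, payload)
        return result is not None and hmac.compare_digest(result.encode("ascii"),
                                                          payload.encode("ascii"))
    raise ValueError("unsupported password scheme %r" % scheme)


if __name__ == "__main__":
    stored = "{CRYPT}L4snWrnZi9wfU"          # value from the trace above
    print(parse_userpassword(stored))
    for s in ("SHA", "SSHA", "SMD5"):        # constructed values with a fixed salt
        v = encode_password("test123", s, salt=b"12345678")
        print(s, v, check_password("test123", v), check_password("Test123", v))
    if crypt is not None:
        print("CRYPT", check_password("test123", stored))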

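The Access-Request dumped at the top of the trace carries the User-Password as a 16-octet blob and the Request Authenticator as "Authentic: 1234567890123456". That blob is not the cleartext: RFC 2865 section 5.2 hides it with an MD5 chain keyed by the shared secret, and the server reverses it with its own copy of the secret before any back-end check runs. If the two secrets differ, the server recovers garbage and every LDAP comparison fails as "Bad Password" even though the directory lookup succeeded, which is why the password.log entry (showing the cleartext that was actually compared) is worth reading in such a case. The following is an added example, not Radiator's code: it parses the dump's <decimal> byte notation, and hides and reveals a password with a constructed secret (the real shared secret is not on this page, so the page's own blob decodes to garbage here).

```python
"""Hide and reveal a RADIUS User-Password (RFC 2865 section 5.2).

Added example, not Radiator's code. b1 = MD5(secret + RequestAuthenticator),
c1 = p1 XOR b1, b2 = MD5(secret + c1), c2 = p2 XOR b2, ... ; the server
reverses the chain with its copy of the shared secret.
"""
import hashlib
import re


def parse_radiator_bytes(dump: str) -> bytes:
    """Radiator's dump notation: printable octets as-is, other octets as <decimal>."""
    out = bytearray()
    for tok in re.finditer(r"<(\d+)>|(.)", dump, re.DOTALL):
        out.append(int(tok.group(1)) if tok.group(1) is not None else ord(tok.group(2)))
    return bytes(out)


def hide_user_password(cleartext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: NUL-pad to a multiple of 16 octets and XOR with the MD5 chain."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(cleartext) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(cleartext)) % 16
    padded = cleartext + b"\x00" * (pad if cleartext else 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block                      # next key block chains on the ciphertext
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the chain and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return clear.rstrip(b"\x00")


if __name__ == "__main__":
    ra = b"1234567890123456"              # Authentic: field from the dump above
    blob = parse_radiator_bytes(
        "<127><148><182><202><240><186><160>*<210><203><161><136><17><155><0>)")
    secret = b"constructed-secret"       # constructed; the real secret is not on the page
    print(blob.hex(), len(blob))
    print(reveal_user_password(blob, secret, ra))      # garbage: wrong secret
    hidden = hide_user_password(b"test123", secret, ra)
    print(reveal_user_password(hidden, secret, ra))    # b'test123'
    print(reveal_user_password(hidden, b"wrong", ra) == b"test123")   # False
```

The check a practitioner draws from this: when a RADIUS-to-LDAP setup rejects every user with "Bad Password" while the LDAP search and attribute fetch look fine in the trace, compare the Client clause's secret with the one the NAS or test tool uses before touching the directory side.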
