(RADIATOR) Radiator authentication failing (auth against an LDAP directory)
Hugh Irvine
hugh at open.com.au
Thu Mar 22 16:13:22 CST 2007
Ciao Giovanni -
Come va?
The only thing I can think of for the bad password is an incorrect
shared secret between your NAS equipment and Radiator.
And to suppress the second error "LDAP_NO_SUCH_OBJECT" you should add
"NoDefault" to your AuthBy LDAP2 clause.
regards
Hugh
On 23 Mar 2007, at 06:21, Giovanni Del Valle wrote:
> Sorry for the late reply. Had to put out a fire elsewhere. Please advise.
>
>
> Giovanni
>
> Thu Mar 22 13:11:37 2007: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 45640 ....
> Code: Access-Request
> Identifier: 7
> Authentic: 1234567890123456
> Attributes:
> User-Name = "gdelvalle"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password =
> "<127><148><182><202><240><186><160>*<210><203><161><136><17><155><0>)
> "
>
> Thu Mar 22 13:11:37 2007: DEBUG: Handling request with Handler
> 'Realm=gev.net'
> Thu Mar 22 13:11:37 2007: DEBUG: Rewrote user name to
> gdelvalle at gev.net
> Thu Mar 22 13:11:37 2007: DEBUG: Deleting session for gdelvalle,
> 203.63.154.1, 1234
> Thu Mar 22 13:11:37 2007: DEBUG: Handling with Radius::AuthLDAP2
> Thu Mar 22 13:11:37 2007: DEBUG: Attempting to bind with
> uid=optigold,ou=SMI Directory Administrators, *admin_password*
> Net::LDAP=HASH(0x62fac8) sending:
>
> 30 42 02 01 2F 60 3D 02 01 03 04 2C 75 69 64 3D 0B../`=....,uid=
> 6F 70 74 69 67 6F 6C 64 2C 6F 75 3D 53 4D 49 20 optigold,ou=SMI
> 44 69 72 65 63 74 6F 72 79 20 41 64 6D 69 6E 69 Directory Admini
> 73 74 72 61 74 6F 72 73 80 0A 33 72 31 63 40 6C strators..*admin
> 6C 6D 40 6E __ __ __ __ __ __ __ __ __ __ __ __ _password*
>
> 0000 66: SEQUENCE {
> 0002 1: INTEGER = 47
> 0005 61: [APPLICATION 0] {
> 0007 1: INTEGER = 3
> 000A 44: STRING = 'uid=optigold,ou=SMI Directory Administrators'
> 0038 10: [CONTEXT 0]
> 003A : 33 72 31 63 40 6C 6C 6D 40 6E __ __ __ __ __ __
> *admin_password*
> 0044 : }
> 0044 : }
> Net::LDAP=HASH(0x62fac8) received:
>
> 30 0C 02 01 2F 61 07 0A 01 00 04 00 04 00 __ __ 0.../a........
>
> 0000 12: SEQUENCE {
> 0002 1: INTEGER = 47
> 0005 7: [APPLICATION 1] {
> 0007 1: ENUM = 0
> 000A 0: STRING = ''
> 000C 0: STRING = ''
> 000E : }
> 000E : }
> Net::LDAP=HASH(0x62fac8) sending:
>
> 30 81 8C 02 01 30 63 81 86 04 3C 6D 61 69 6C 52 0....0c...<mailR
> 6F 75 74 69 6E 67 41 64 64 72 65 73 73 3D 67 64 outingAddress=gd
> 65 6C 76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 2C elvalle at gev.net,
> 6F 75 3D 50 65 6F 70 6C 65 2C 64 63 3D 62 74 6C ou=People,dc=gev
> 2C 64 63 3D 6E 65 74 0A 01 00 0A 01 02 02 01 00 ,dc=net.........
> 02 01 00 01 01 00 A3 27 04 12 6D 61 69 6C 52 6F .......'..mailRo
> 75 74 69 6E 67 41 64 64 72 65 73 73 04 11 67 64 utingAddress..gd
> 65 6C 76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 30 elvalle at gev.net0
> 0E 04 0C 75 73 65 72 50 61 73 73 77 6F 72 64 __ ...userPassword
>
> 0000 140: SEQUENCE {
> 0003 1: INTEGER = 48
> 0006 134: [APPLICATION 3] {
> 0009 60: STRING =
> 'mailRoutingAddress=gdelvalle at gev.net,ou=People,dc=gev,dc=net'
> 0047 1: ENUM = 0
> 004A 1: ENUM = 2
> 004D 1: INTEGER = 0
> 0050 1: INTEGER = 0
> 0053 1: BOOLEAN = FALSE
> 0056 39: [CONTEXT 3] {
> 0058 18: STRING = 'mailRoutingAddress'
> 006C 17: STRING = 'gdelvalle at gev.net'
> 007F : }
> 007F 14: SEQUENCE {
> 0081 12: STRING = 'userPassword'
> 008F : }
> 008F : }
> 008F : }
> Net::LDAP=HASH(0x62fac8) received:
>
> 30 6D 02 01 30 64 68 04 3C 6D 61 69 6C 52 6F 75 0m..0dh.<mailRou
> 74 69 6E 67 41 64 64 72 65 73 73 3D 67 64 65 6C tingAddress=gdel
> 76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 2C 6F 75 valle at gev.net,ou
> 3D 50 65 6F 70 6C 65 2C 64 63 3D 62 74 6C 2C 64 =People,dc=gev,d
> 63 3D 6E 65 74 30 28 30 26 04 0C 75 73 65 72 50 c=net0(0&..userP
> 61 73 73 77 6F 72 64 31 16 04 14 7B 43 52 59 50 assword1...{CRYP
> 54 7D 4C 34 73 6E 57 72 6E 5A 69 39 77 66 55 __ T}L4snWrnZi9wfU
>
> 0000 109: SEQUENCE {
> 0002 1: INTEGER = 48
> 0005 104: [APPLICATION 4] {
> 0007 60: STRING =
> 'mailRoutingAddress=gdelvalle at gev.net,ou=People,dc=gev,dc=net'
> 0045 40: SEQUENCE {
> 0047 38: SEQUENCE {
> 0049 12: STRING = 'userPassword'
> 0057 22: SET {
> 0059 20: STRING = '{CRYPT}L4snWrnZi9wfU'
> 006F : }
> 006F : }
> 006F : }
> 006F : }
> 006F : }
> Net::LDAP=HASH(0x62fac8) received:
>
> 30 0C 02 01 30 65 07 0A 01 00 04 00 04 00 __ __ 0...0e........
>
> 0000 12: SEQUENCE {
> 0002 1: INTEGER = 48
> 0005 7: [APPLICATION 5] {
> 0007 1: ENUM = 0
> 000A 0: STRING = ''
> 000C 0: STRING = ''
> 000E : }
> 000E : }
> Thu Mar 22 13:11:37 2007: DEBUG: LDAP got result for
> mailRoutingAddress=gdelvalle at gev.net,ou=People,dc=gev,dc=net
> Thu Mar 22 13:11:37 2007: DEBUG: LDAP got userPassword: {CRYPT}
> L4snWrnZi9wfU
> Thu Mar 22 13:11:37 2007: DEBUG: Radius::AuthLDAP2 looks for match
> with gdelvalle at gev.net
> Thu Mar 22 13:11:37 2007: DEBUG: Radius::AuthLDAP2 REJECT: Bad
> Password
> Thu Mar 22 13:11:37 2007: DEBUG: Connecting to toucan.gev.net, port
> 389
> Thu Mar 22 13:11:37 2007: DEBUG: Attempting to bind with
> uid=optigold,ou=SMI Directory Administrators, *admin_password*
> Net::LDAP=HASH(0x6787e0) sending:
>
> 30 42 02 01 31 60 3D 02 01 03 04 2C 75 69 64 3D 0B..1`=....,uid=
> 6F 70 74 69 67 6F 6C 64 2C 6F 75 3D 53 4D 49 20 optigold,ou=SMI
> 44 69 72 65 63 74 6F 72 79 20 41 64 6D 69 6E 69 Directory Admini
> 73 74 72 61 74 6F 72 73 80 0A 33 72 31 63 40 6C strators..*admin
> 6C 6D 40 6E __ __ __ __ __ __ __ __ __ __ __ __ _password
>
> 0000 66: SEQUENCE {
> 0002 1: INTEGER = 49
> 0005 61: [APPLICATION 0] {
> 0007 1: INTEGER = 3
> 000A 44: STRING = 'uid=optigold,ou=SMI Directory Administrators'
> 0038 10: [CONTEXT 0]
> 003A : 33 72 31 63 40 6C 6C 6D 40 6E __ __ __ __ __ __
> *admin_password*
> 0044 : }
> 0044 : }
> Net::LDAP=HASH(0x6787e0) received:
>
> 30 0C 02 01 31 61 07 0A 01 00 04 00 04 00 __ __ 0...1a........
>
> 0000 12: SEQUENCE {
> 0002 1: INTEGER = 49
> 0005 7: [APPLICATION 1] {
> 0007 1: ENUM = 0
> 000A 0: STRING = ''
> 000C 0: STRING = ''
> 000E : }
> 000E : }
> Net::LDAP=HASH(0x6787e0) sending:
>
> 30 77 02 01 32 63 72 04 32 6D 61 69 6C 52 6F 75 0w..2cr.2mailRou
> 74 69 6E 67 41 64 64 72 65 73 73 3D 44 45 46 41 tingAddress=DEFA
> 55 4C 54 2C 6F 75 3D 50 65 6F 70 6C 65 2C 64 63 ULT,ou=People,dc
> 3D 62 74 6C 2C 64 63 3D 6E 65 74 0A 01 00 0A 01 =gev,dc=net.....
> 02 02 01 00 02 01 00 01 01 00 A3 1D 04 12 6D 61 ..............ma
> 69 6C 52 6F 75 74 69 6E 67 41 64 64 72 65 73 73 ilRoutingAddress
> 04 07 44 45 46 41 55 4C 54 30 0E 04 0C 75 73 65 ..DEFAULT0...use
> 72 50 61 73 73 77 6F 72 64 __ __ __ __ __ __ __ rPassword
>
> 0000 119: SEQUENCE {
> 0002 1: INTEGER = 50
> 0005 114: [APPLICATION 3] {
> 0007 50: STRING =
> 'mailRoutingAddress=DEFAULT,ou=People,dc=gev,dc=net'
> 003B 1: ENUM = 0
> 003E 1: ENUM = 2
> 0041 1: INTEGER = 0
> 0044 1: INTEGER = 0
> 0047 1: BOOLEAN = FALSE
> 004A 29: [CONTEXT 3] {
> 004C 18: STRING = 'mailRoutingAddress'
> 0060 7: STRING = 'DEFAULT'
> 0069 : }
> 0069 14: SEQUENCE {
> 006B 12: STRING = 'userPassword'
> 0079 : }
> 0079 : }
> 0079 : }
> Net::LDAP=HASH(0x6787e0) received:
>
> 30 23 02 01 32 65 1E 0A 01 20 04 17 6F 75 3D 50 0#..2e... ..ou=P
> 65 6F 70 6C 65 2C 64 63 3D 62 74 6C 2C 64 63 3D eople,dc=gev,dc=
> 6E 65 74 04 00 __ __ __ __ __ __ __ __ __ __ __ net..
>
> 0000 35: SEQUENCE {
> 0002 1: INTEGER = 50
> 0005 30: [APPLICATION 5] {
> 0007 1: ENUM = 32
> 000A 23: STRING = 'ou=People,dc=gev,dc=net'
> 0023 0: STRING = ''
> 0025 : }
> 0025 : }
> Thu Mar 22 13:11:37 2007: ERR: ldap search failed with error
> LDAP_NO_SUCH_OBJECT.
> Thu Mar 22 13:11:37 2007: INFO: Access rejected for
> gdelvalle at gev.net: Bad Password
> Thu Mar 22 13:11:37 2007: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 45640 ....
> Code: Access-Reject
> Identifier: 7
> Authentic: 1234567890123456
> Attributes:
> Reply-Message = "Bad Password"
>
> Hugh Irvine wrote:
>>
>> Hello Giovanni -
>>
>> I will need to see a trace 4 debug from Radiator showing what is
>> happening, including the LDAP debug which can be set with Debug
>> 255 in the AuthBy LDAP2 clause.
>>
>> You also don't need the AuthAttrDef in your configuration file, as
>> it is the PasswordAttr definition that is used to check the password.
>>
>> Your configuration file should look something like this:
>>
>> .....
>>
>> Trace 4
>>
>> .......
>>
>>
>> <Realm gev.net>
>>
>> AcctLogFileName %L/ldap/detail
>> PasswordLogFileName %L/ldap/password.log
>>
>> <AuthBy LDAP2>
>>
>> Debug 255
>>
>> Host ldap.gev.net
>> Port 389
>> # Log in to LDAP as admin
>> AuthDN uid=smadmin,ou=SMI Directory Administrators
>>
>> # log in to LDAP with password adminpassword
>>
>> AuthPassword *omitted*
>>
>> BaseDN %0=%1,ou=People,dc=gev,dc=net
>> Scope base
>>
>> # this is the attribute for username
>> UsernameAttr mailRoutingAddress
>>
>> # this attribute is for passwords
>> # EncryptedPasswordAttr userPassword
>> PasswordAttr userPassword
>>
>> </Authby>
>>
>> </Realm gev.net>
>>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 21 Mar 2007, at 05:31, Giovanni Del Valle wrote:
>>
>>>
>>> I am having trouble getting radius server to authenticate
>>> against LDAP server.
>>> My username is gdelvalle at gev.net
>>> My password is test123
>>> I've read the manual but can't make any headway. Just to check
>>> binding and searching I successfully had radius auth against
>>> mailRoutingAddress (in other words, once the email address
>>> existed, the test would pass).
>>> I have excerpts of all my files below. I know that the ldap
>>> server responds with a crypt variant of my cleartext password
>>> test123:
>>> crypt(test123,L4) => L4snWrnZi9wfU
>>>
>>> So why does it fail??
>>>
>>> Please help.
>>> Giovanni
>>> Assistant System Administrator
>>> -----------------------
>>>
>>> radius logfile gives me this: ERR: ldap search failed with error
>>> LDAP_NO_SUCH_OBJECT.
>>> password.log gives me this: Tue Mar 20 11:50:43
>>> 2007:1174413043:gdelvalle at gev.net:test123:{CRYPT}L4snWrnZi9wfU:FAIL
>>>
>>> <Realm gev.net>
>>> AcctLogFileName %L/ldap/detail
>>> PasswordLogFileName %L/ldap/password.log
>>>
>>> <AuthBy LDAP2>
>>>
>>> Host ldap.gev.net
>>> Port 389
>>> # Log in to LDAP as admin
>>> AuthDN uid=smadmin,ou=SMI Directory Administrators
>>>
>>> # log in to LDAP with password adminpassword
>>>
>>> AuthPassword *omitted*
>>>
>>> BaseDN %0=%1,ou=People,dc=gev,dc=net
>>> Scope base
>>>
>>> # this is the attribute for username
>>> UsernameAttr mailRoutingAddress
>>>
>>> # this attribute is for passwords
>>> # EncryptedPasswordAttr userPassword
>>> PasswordAttr userPassword
>>>
>>> # AuthAttrDef uid,User-Name,check
>>> AuthAttrDef userPassword,User-Password,check
>>> </Authby>
>>>
>>> </Realm gev.net>
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/
>> archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
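Hugh's first explanation above (a "Bad Password" reject caused by a shared-secret mismatch between the NAS and Radiator) comes down to how RFC 2865 section 5.2 hides the PAP User-Password. The following is an added example, not code from this thread or from Radiator, that implements the hiding and unhiding and shows that a server configured with a different secret recovers garbage; the two secrets and the cleartext stand-in for the {CRYPT} comparison are constructed, and the Request Authenticator is the one shown in the trace.

```python
import hashlib

# Added example (not Radiator's code). RFC 2865 section 5.2: the NAS hides
# User-Password by XORing each 16-byte chunk with MD5(secret + previous block),
# where the first "previous block" is the 16-byte Request Authenticator.
# The server reverses this with *its* configured secret, so a mismatch
# recovers garbage, and the later password comparison fails as "Bad Password".

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does before putting User-Password on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: the next key depends on this hidden block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt; NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def pap_check(hidden: bytes, server_secret: bytes, authenticator: bytes,
              expected: bytes) -> bool:
    """PAP check in the style of Radiator: recover the cleartext and compare it
    with the directory's password (a cleartext stand-in here for the {CRYPT}
    hash comparison the trace shows)."""
    return unhide_password(hidden, server_secret, authenticator) == expected

if __name__ == "__main__":
    # Constructed values: the Request Authenticator from the trace above,
    # the password stated in the thread, and two placeholder secrets that
    # stand in for a NAS/Radiator shared-secret mismatch.
    auth = b"1234567890123456"
    hidden = hide_password(b"test123", b"nas-secret", auth)
    print("same secret  ->", pap_check(hidden, b"nas-secret", auth, b"test123"))
    print("wrong secret ->", pap_check(hidden, b"radiator-secret", auth, b"test123"))
    print("recovered with wrong secret:",
          unhide_password(hidden, b"radiator-secret", auth))
```

With the wrong secret the recovered bytes are unprintable, which is exactly the symptom of the "<127><148>..." User-Password in the trace being undone with the wrong key.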