(RADIATOR) Radiator authentication failing (auth against an LDAP directory)

Hugh Irvine hugh at open.com.au
Thu Mar 22 16:13:22 CST 2007


Ciao Giovanni -

Come va?

The only thing I can think of for the bad password is an incorrect  
shared secret between your NAS equipment and Radiator.

And to suppress the second error "LDAP_NO_SUCH_OBJECT" you should add  
"NoDefault" to your AuthBy LDAP2 clause.

regards

Hugh


On 23 Mar 2007, at 06:21, Giovanni Del Valle wrote:

> Sorry for the late reply. Had to put out a fire elsewhere. Please advise.
>
>
> Giovanni
>
> Thu Mar 22 13:11:37 2007: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 45640 ....
> Code:       Access-Request
> Identifier: 7
> Authentic:  1234567890123456
> Attributes:
>        User-Name = "gdelvalle"
>        Service-Type = Framed-User
>        NAS-IP-Address = 203.63.154.1
>        NAS-Port = 1234
>        Called-Station-Id = "123456789"
>        Calling-Station-Id = "987654321"
>        NAS-Port-Type = Async
>        User-Password = "<127><148><182><202><240><186><160>*<210><203><161><136><17><155><0>)"
>
> Thu Mar 22 13:11:37 2007: DEBUG: Handling request with Handler  
> 'Realm=gev.net'
> Thu Mar 22 13:11:37 2007: DEBUG: Rewrote user name to  
> gdelvalle at gev.net
> Thu Mar 22 13:11:37 2007: DEBUG:  Deleting session for gdelvalle,  
> 203.63.154.1, 1234
> Thu Mar 22 13:11:37 2007: DEBUG: Handling with Radius::AuthLDAP2
> Thu Mar 22 13:11:37 2007: DEBUG: Attempting to bind with  
> uid=optigold,ou=SMI Directory Administrators, *admin_password*
> Net::LDAP=HASH(0x62fac8) sending:
>
> 30 42 02 01 2F 60 3D 02 01 03 04 2C 75 69 64 3D 0B../`=....,uid=
> 6F 70 74 69 67 6F 6C 64 2C 6F 75 3D 53 4D 49 20 optigold,ou=SMI
> 44 69 72 65 63 74 6F 72 79 20 41 64 6D 69 6E 69 Directory Admini
> 73 74 72 61 74 6F 72 73 80 0A 33 72 31 63 40 6C strators..*admin
> 6C 6D 40 6E __ __ __ __ __ __ __ __ __ __ __ __ _password*
>
> 0000   66: SEQUENCE {
> 0002    1:   INTEGER = 47
> 0005   61:   [APPLICATION 0] {
> 0007    1:     INTEGER = 3
> 000A   44:     STRING = 'uid=optigold,ou=SMI Directory Administrators'
> 0038   10:     [CONTEXT 0]
> 003A     :       33 72 31 63 40 6C 6C 6D 40 6E __ __ __ __ __ __  
> *admin_password*
> 0044     :   }
> 0044     : }
> Net::LDAP=HASH(0x62fac8) received:
>
> 30 0C 02 01 2F 61 07 0A 01 00 04 00 04 00 __ __ 0.../a........
>
> 0000   12: SEQUENCE {
> 0002    1:   INTEGER = 47
> 0005    7:   [APPLICATION 1] {
> 0007    1:     ENUM = 0
> 000A    0:     STRING = ''
> 000C    0:     STRING = ''
> 000E     :   }
> 000E     : }
> Net::LDAP=HASH(0x62fac8) sending:
>
> 30 81 8C 02 01 30 63 81 86 04 3C 6D 61 69 6C 52 0....0c...<mailR
> 6F 75 74 69 6E 67 41 64 64 72 65 73 73 3D 67 64 outingAddress=gd
> 65 6C 76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 2C elvalle at gev.net,
> 6F 75 3D 50 65 6F 70 6C 65 2C 64 63 3D 62 74 6C ou=People,dc=gev
> 2C 64 63 3D 6E 65 74 0A 01 00 0A 01 02 02 01 00 ,dc=net.........
> 02 01 00 01 01 00 A3 27 04 12 6D 61 69 6C 52 6F .......'..mailRo
> 75 74 69 6E 67 41 64 64 72 65 73 73 04 11 67 64 utingAddress..gd
> 65 6C 76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 30 elvalle at gev.net0
> 0E 04 0C 75 73 65 72 50 61 73 73 77 6F 72 64 __ ...userPassword
>
> 0000  140: SEQUENCE {
> 0003    1:   INTEGER = 48
> 0006  134:   [APPLICATION 3] {
> 0009   60:     STRING =  
> 'mailRoutingAddress=gdelvalle at gev.net,ou=People,dc=gev,dc=net'
> 0047    1:     ENUM = 0
> 004A    1:     ENUM = 2
> 004D    1:     INTEGER = 0
> 0050    1:     INTEGER = 0
> 0053    1:     BOOLEAN = FALSE
> 0056   39:     [CONTEXT 3] {
> 0058   18:       STRING = 'mailRoutingAddress'
> 006C   17:       STRING = 'gdelvalle at gev.net'
> 007F     :     }
> 007F   14:     SEQUENCE {
> 0081   12:       STRING = 'userPassword'
> 008F     :     }
> 008F     :   }
> 008F     : }
> Net::LDAP=HASH(0x62fac8) received:
>
> 30 6D 02 01 30 64 68 04 3C 6D 61 69 6C 52 6F 75 0m..0dh.<mailRou
> 74 69 6E 67 41 64 64 72 65 73 73 3D 67 64 65 6C tingAddress=gdel
> 76 61 6C 6C 65 40 62 74 6C 2E 6E 65 74 2C 6F 75 valle at gev.net,ou
> 3D 50 65 6F 70 6C 65 2C 64 63 3D 62 74 6C 2C 64 =People,dc=gev,d
> 63 3D 6E 65 74 30 28 30 26 04 0C 75 73 65 72 50 c=net0(0&..userP
> 61 73 73 77 6F 72 64 31 16 04 14 7B 43 52 59 50 assword1...{CRYP
> 54 7D 4C 34 73 6E 57 72 6E 5A 69 39 77 66 55 __ T}L4snWrnZi9wfU
>
> 0000  109: SEQUENCE {
> 0002    1:   INTEGER = 48
> 0005  104:   [APPLICATION 4] {
> 0007   60:     STRING =  
> 'mailRoutingAddress=gdelvalle at gev.net,ou=People,dc=gev,dc=net'
> 0045   40:     SEQUENCE {
> 0047   38:       SEQUENCE {
> 0049   12:         STRING = 'userPassword'
> 0057   22:         SET {
> 0059   20:           STRING = '{CRYPT}L4snWrnZi9wfU'
> 006F     :         }
> 006F     :       }
> 006F     :     }
> 006F     :   }
> 006F     : }
> Net::LDAP=HASH(0x62fac8) received:
>
> 30 0C 02 01 30 65 07 0A 01 00 04 00 04 00 __ __ 0...0e........
>
> 0000   12: SEQUENCE {
> 0002    1:   INTEGER = 48
> 0005    7:   [APPLICATION 5] {
> 0007    1:     ENUM = 0
> 000A    0:     STRING = ''
> 000C    0:     STRING = ''
> 000E     :   }
> 000E     : }
> Thu Mar 22 13:11:37 2007: DEBUG: LDAP got result for  
> mailRoutingAddress=gdelvalle at gev.net,ou=People,dc=gev,dc=net
> Thu Mar 22 13:11:37 2007: DEBUG: LDAP got userPassword: {CRYPT} 
> L4snWrnZi9wfU
> Thu Mar 22 13:11:37 2007: DEBUG: Radius::AuthLDAP2 looks for match  
> with gdelvalle at gev.net
> Thu Mar 22 13:11:37 2007: DEBUG: Radius::AuthLDAP2 REJECT: Bad  
> Password
> Thu Mar 22 13:11:37 2007: DEBUG: Connecting to toucan.gev.net, port  
> 389
> Thu Mar 22 13:11:37 2007: DEBUG: Attempting to bind with  
> uid=optigold,ou=SMI Directory Administrators, *admin_password*
> Net::LDAP=HASH(0x6787e0) sending:
>
> 30 42 02 01 31 60 3D 02 01 03 04 2C 75 69 64 3D 0B..1`=....,uid=
> 6F 70 74 69 67 6F 6C 64 2C 6F 75 3D 53 4D 49 20 optigold,ou=SMI
> 44 69 72 65 63 74 6F 72 79 20 41 64 6D 69 6E 69 Directory Admini
> 73 74 72 61 74 6F 72 73 80 0A 33 72 31 63 40 6C strators..*admin
> 6C 6D 40 6E __ __ __ __ __ __ __ __ __ __ __ __ _password
>
> 0000   66: SEQUENCE {
> 0002    1:   INTEGER = 49
> 0005   61:   [APPLICATION 0] {
> 0007    1:     INTEGER = 3
> 000A   44:     STRING = 'uid=optigold,ou=SMI Directory Administrators'
> 0038   10:     [CONTEXT 0]
> 003A     :       33 72 31 63 40 6C 6C 6D 40 6E __ __ __ __ __ __  
> *admin_password*
> 0044     :   }
> 0044     : }
> Net::LDAP=HASH(0x6787e0) received:
>
> 30 0C 02 01 31 61 07 0A 01 00 04 00 04 00 __ __ 0...1a........
>
> 0000   12: SEQUENCE {
> 0002    1:   INTEGER = 49
> 0005    7:   [APPLICATION 1] {
> 0007    1:     ENUM = 0
> 000A    0:     STRING = ''
> 000C    0:     STRING = ''
> 000E     :   }
> 000E     : }
> Net::LDAP=HASH(0x6787e0) sending:
>
> 30 77 02 01 32 63 72 04 32 6D 61 69 6C 52 6F 75 0w..2cr.2mailRou
> 74 69 6E 67 41 64 64 72 65 73 73 3D 44 45 46 41 tingAddress=DEFA
> 55 4C 54 2C 6F 75 3D 50 65 6F 70 6C 65 2C 64 63 ULT,ou=People,dc
> 3D 62 74 6C 2C 64 63 3D 6E 65 74 0A 01 00 0A 01 =gev,dc=net.....
> 02 02 01 00 02 01 00 01 01 00 A3 1D 04 12 6D 61 ..............ma
> 69 6C 52 6F 75 74 69 6E 67 41 64 64 72 65 73 73 ilRoutingAddress
> 04 07 44 45 46 41 55 4C 54 30 0E 04 0C 75 73 65 ..DEFAULT0...use
> 72 50 61 73 73 77 6F 72 64 __ __ __ __ __ __ __ rPassword
>
> 0000  119: SEQUENCE {
> 0002    1:   INTEGER = 50
> 0005  114:   [APPLICATION 3] {
> 0007   50:     STRING =  
> 'mailRoutingAddress=DEFAULT,ou=People,dc=gev,dc=net'
> 003B    1:     ENUM = 0
> 003E    1:     ENUM = 2
> 0041    1:     INTEGER = 0
> 0044    1:     INTEGER = 0
> 0047    1:     BOOLEAN = FALSE
> 004A   29:     [CONTEXT 3] {
> 004C   18:       STRING = 'mailRoutingAddress'
> 0060    7:       STRING = 'DEFAULT'
> 0069     :     }
> 0069   14:     SEQUENCE {
> 006B   12:       STRING = 'userPassword'
> 0079     :     }
> 0079     :   }
> 0079     : }
> Net::LDAP=HASH(0x6787e0) received:
>
> 30 23 02 01 32 65 1E 0A 01 20 04 17 6F 75 3D 50 0#..2e... ..ou=P
> 65 6F 70 6C 65 2C 64 63 3D 62 74 6C 2C 64 63 3D eople,dc=gev,dc=
> 6E 65 74 04 00 __ __ __ __ __ __ __ __ __ __ __ net..
>
> 0000   35: SEQUENCE {
> 0002    1:   INTEGER = 50
> 0005   30:   [APPLICATION 5] {
> 0007    1:     ENUM = 32
> 000A   23:     STRING = 'ou=People,dc=gev,dc=net'
> 0023    0:     STRING = ''
> 0025     :   }
> 0025     : }
> Thu Mar 22 13:11:37 2007: ERR: ldap search failed with error  
> LDAP_NO_SUCH_OBJECT.
> Thu Mar 22 13:11:37 2007: INFO: Access rejected for  
> gdelvalle at gev.net: Bad Password
> Thu Mar 22 13:11:37 2007: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 45640 ....
> Code:       Access-Reject
> Identifier: 7
> Authentic:  1234567890123456
> Attributes:
>        Reply-Message = "Bad Password"
>
>
>
>
>
> Hugh Irvine wrote:
>>
>> Hello Giovanni -
>>
>> I will need to see a trace 4 debug from Radiator showing what is  
>> happening, including the LDAP debug which can be set with Debug  
>> 255 in the AuthBy LDAP2 clause.
>>
>> You also don't need the AuthAttrDef in your configuration file, as  
>> it is the PasswordAttr definition that is used to check the password.
>>
>> Your configuration file should look something like this:
>>
>> .....
>>
>> Trace 4
>>
>> .......
>>
>>
>> <Realm gev.net>
>>
>>  AcctLogFileName %L/ldap/detail
>>  PasswordLogFileName %L/ldap/password.log
>>
>>  <AuthBy LDAP2>
>>
>>    Debug 255
>>
>>    Host ldap.gev.net
>>    Port 389
>>    # Log in to LDAP as admin
>>    AuthDN uid=smadmin,ou=SMI Directory Administrators
>>
>>    # log in to LDAP with password adminpassword
>>
>>    AuthPassword *omitted*
>>
>>    BaseDN     %0=%1,ou=People,dc=gev,dc=net
>>    Scope       base
>>
>>    # this is the attribute for username
>>    UsernameAttr mailRoutingAddress
>>
>>    # this attribute is for passwords
>>   # EncryptedPasswordAttr userPassword
>>   PasswordAttr userPassword
>>
>>  </Authby>
>>
>> </Realm gev.net>
>>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 21 Mar 2007, at 05:31, Giovanni Del Valle wrote:
>>
>>>
>>> I am having trouble getting the radius server to authenticate  
>>> against the LDAP server.
>>> My username is gdelvalle at gev.net
>>> My password is test123
>>> I've read the manual but can't make any headway. Just to check  
>>> binding and searching I successfully had radius auth against  
>>> mailRoutingAddress (in other words, once the email address  
>>> existed, the test would pass).
>>> I have excerpts of all my files below. I know that the ldap  
>>> server responds with a crypt variant of my cleartext password  
>>> test123
>>>   crypt(test123,L4) => L4snWrnZi9wfU
>>>
>>> So why does it fail??
>>>
>>> Please help.
>>> Giovanni
>>> Assistant System Administrator
>>> -----------------------
>>>
>>> radius logfile gives me this:  ERR: ldap search failed with error  
>>> LDAP_NO_SUCH_OBJECT.
>>> password.log gives me this: Tue Mar 20 11:50:43  
>>> 2007:1174413043:gdelvalle at gev.net:test123:{CRYPT}L4snWrnZi9wfU:FAIL
>>>
>>> <Realm gev.net>
>>>  AcctLogFileName %L/ldap/detail
>>>  PasswordLogFileName %L/ldap/password.log
>>>
>>>  <AuthBy LDAP2>
>>>
>>>    Host ldap.gev.net
>>>    Port 389
>>>    # Log in to LDAP as admin
>>>    AuthDN uid=smadmin,ou=SMI Directory Administrators
>>>
>>>    # log in to LDAP with password adminpassword
>>>
>>>    AuthPassword *omitted*
>>>
>>>    BaseDN     %0=%1,ou=People,dc=gev,dc=net
>>>    Scope       base
>>>
>>>    # this is the attribute for username
>>>    UsernameAttr mailRoutingAddress
>>>
>>>    # this attribute is for passwords
>>>   # EncryptedPasswordAttr userPassword
>>>   PasswordAttr userPassword
>>>
>>>   # AuthAttrDef uid,User-Name,check
>>>    AuthAttrDef userPassword,User-Password,check
>>>  </Authby>
>>>
>>> </Realm gev.net>
>>>
>>>
>>> -- 
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/ 
>> archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>



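Hugh's diagnosis (a wrong shared secret surfacing as "Bad Password") follows from how RADIUS PAP hides the User-Password: per RFC 2865 section 5.2 the NAS XORs the padded password with MD5(secret + Request Authenticator), so a server holding a different secret recovers junk bytes without any decoding error, runs crypt(3) on the junk, and the comparison against {CRYPT}L4snWrnZi9wfU simply fails. The following is an added example, not code from the thread or from Radiator; it reuses the Request Authenticator 1234567890123456 and the password test123 from the trace, while the two shared secrets are constructed values.

```python
import hashlib

# Request Authenticator exactly as printed in the Access-Request above
REQUEST_AUTHENTICATOR = b"1234567890123456"
# Constructed values for the demo (not from the thread)
NAS_SECRET = b"nas-secret"       # what the NAS is configured with
SERVER_SECRET = b"wrong-secret"  # what the server's Client clause holds


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad with NULs to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(S + RA) and c(n) = p(n) XOR MD5(S + c(n-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # the next key-stream block is keyed on this ciphertext
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding. With the wrong
    secret this still 'succeeds' and just returns junk bytes."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def password_matches(hidden: bytes, secret: bytes, authenticator: bytes,
                     expected: bytes) -> bool:
    """Stand-in for the final check; Radiator would crypt(3) the recovered
    bytes and compare them with the {CRYPT} value fetched from LDAP."""
    return unhide_password(hidden, secret, authenticator) == expected


if __name__ == "__main__":
    hidden = hide_password(b"test123", NAS_SECRET, REQUEST_AUTHENTICATOR)
    print("on the wire:   ", hidden.hex())
    print("correct secret:", unhide_password(hidden, NAS_SECRET, REQUEST_AUTHENTICATOR))
    print("wrong secret:  ", unhide_password(hidden, SERVER_SECRET, REQUEST_AUTHENTICATOR))
    print("server accepts:", password_matches(hidden, SERVER_SECRET,
                                              REQUEST_AUTHENTICATOR, b"test123"))
```

Because the hidden attribute is always a whole number of 16-byte blocks, the 16 bytes shown in the trace are consistent with a short password such as test123; the length reveals nothing about which secret was used.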

