[RADIATOR] ContinueWhileIgnore in AuthByGroup with LDAP

Bob Shafer bshafer at du.edu
Tue Oct 13 08:00:38 CDT 2009


Raphael,

I'll give this a try as soon as I get a chance.  It sounds like a great 
idea, in any case.

Can it work with two LDAP servers with different credentials and ports 
(same data, though).

Radiator folk, any chance this could be added to the standard release?

Thanks!

Bob

Raphael Luta wrote:
> Bob,
> 
> 
> If your need is simply to have a back-up LDAP server, it's probably 
> better to leverage the built-in host load-balancing features of 
> Net::LDAP with this simple Radiator patch:
> 
> --- Radiator-4.4/Radius/Ldap.pm    2008-07-16 18:56:18.000000000 -0400
> +++ /usr/lib/perl5/site_perl/5.8.8/Radius/Ldap.pm    2009-09-14 
> 08:39:33.000000000 -0400
> @@ -239,6 +239,13 @@
>      my $port = 
> &Radius::Util::get_port(&Radius::Util::format_special($self->{Port}));
>      $self->{connectedHost} = "$host:$port";
>      $self->log($main::LOG_INFO, "Connecting to $self->{connectedHost}");
> +
> +    my @host = ();
> +    foreach(split(/ /,$host))
> +    {
> +      push @host, "$_:$port";
> +    }
> +    $host = \@host;
> 
>      $self->{bound} = undef;
>      if ($self->{UseSSL})
> 
> 
> Once this patch is applied, you can simply specify multiple space 
> separated hostnames on a single Host line and Net::LDAP will connect to 
> the first that is available and you'll only need one AuthBY clause
> 
> Example fail-over AuthBy LDAP2 conf:
> 
> <AuthBY LDAP2>
>     Host myhost1 myhost2
>     AuthDN cn=radius,dc=example,dc=com
>     AuthPasswd password
>     BaseDN dc=example,dc=com
> 
>     ...
> </AuthBy>
> 
> -- raphael
> 
> Le 12 oct. 09 à 00:56, Hugh Irvine a écrit :
> 
>>
>> Hello Bob -
>>
>> You are correct - the protocol has to return reject.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 10 Oct 2009, at 19:07, Bob Shafer wrote:
>>
>>> Hugh,
>>>
>>> Just for completeness -
>>>
>>> When I'd tested with ContinueUntilAccept I did not test beyond
>>> making sure the failover happened.  When I tested this more
>>> completly I found that ContinueUntilAccept seems to act like
>>> ContinueWhileAccept for EAP-PEAP-MSCHAP-V2 - testing the credentials
>>> on both LDAP servers with success, but failing in the end.
>>>
>>> I finally went with ContinueWhileReject.  Which seems to work just
>>> fine.  It still tries both servers when a client has bad
>>> credentials, but it also will fail over properly when the first LDAP
>>> server goes south.
>>>
>>> Is there any chance that EAP-PEAP-MSCHAP-V2 could return Ignore when
>>> it can't connect to the LDAP server?  Or is there something inherent
>>> in the protocol that implies that it has to return Reject when it
>>> can't connect?
>>>
>>> Thanks,
>>>
>>> Bob
>>>
>>>
>>> Hugh Irvine wrote:
>>>> Hello Bob -
>>>> This is more likely to be due to EAP and MSCHAP-V2.
>>>> I think you will need to continue using ContinueUntilAccept.
>>>> regards
>>>> Hugh
>>>> On 2 Oct 2009, at 18:54, Bob Shafer wrote:
>>>>> I'm pretty sure, at one time, this acted as I wished:
>>>>>
>>>>>      <AuthBy GROUP>
>>>>>              AuthByPolicy ContinueWhileIgnore
>>>>>              AuthBy LDAP-AUTH
>>>>>              AuthBy BU-LDAP-AUTH
>>>>>      </AuthBy>
>>>>>
>>>>> The intent being to try a primary LDAP server as configured in
>>>>> AuthBy LDAP-AUTH, and if that server was unavailable, to try the
>>>>> back up server as configured in AuthBy BU-LDAP-AUTH.
>>>>>
>>>>> At some point, and I'm not sure when, because I did not test this
>>>>> after every upgrade, it stopped working.
>>>>>
>>>>> It appears that, when the primary fails, instead of returning
>>>>> IGNORE, radiator is returning REJECT:
>>>>>
>>>>> Fri Oct  2 02:18:40 2009: ERR: Could not open LDAP connection to
>>>>> ldap.du.edu:636. Backing off for 600 seconds.
>>>>> Fri Oct  2 02:18:40 2009: DEBUG: EAP result: 1, EAP MSCHAP V2
>>>>> failed: no such user xyzzy
>>>>> Fri Oct  2 02:18:40 2009: DEBUG: AuthBy GROUP result: REJECT, EAP
>>>>> MSCHAP V2 failed: no such user xyzzy
>>>>> Fri Oct  2 02:18:40 2009: INFO: Access rejected for 872120688: EAP
>>>>> MSCHAP V2 failed: no such user xyzzy
>>>>>
>>>>> If I switch from ContinueWhileIgnore to ContinueUntilAccept, fail
>>>>> over works.  But that means that, when the user enters their
>>>>> credentials incorrectly, that radiator will, unnecessarily, test
>>>>> them against the backup server.
>>>>>
>>>>> The server is running 4.4 with patches that were available as of
>>>>> last Friday.
>>>>>
>>>>> If you need to see the entire configuration file and/or debug
>>>>> output let me know and I will send it under separate cover.
>>>>>
>>>>> Bob
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>> NB:
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive 
>>>> (www.open.com.au/archives/radiator
>>>> )?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>> Have you checked the RadiusExpert wiki:
>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive 
>> (www.open.com.au/archives/radiator
>> )?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
> 
> Raphael Luta
> raphael.luta at aptiwan.com
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3590 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.open.com.au/pipermail/radiator/attachments/20091013/522d597f/attachment.bin 


More information about the radiator mailing list