[RADIATOR] "Bad Encrypted password" - Authby LDAP2 and Active Directory

Bob Rotsted rrotsted at pdx.edu
Tue Sep 14 13:24:37 CDT 2010


Hugh,

Below is the information you requested:

Logs
-----------------------------------------
Tue Sep 14 09:45:30 2010: NOTICE: SIGTERM received: stopping
Tue Sep 14 09:45:30 2010: DEBUG: Creating StreamServer tcp port 0.0.0.0:9048
Tue Sep 14 09:45:30 2010: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Tue Sep 14 09:45:30 2010: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Tue Sep 14 09:45:30 2010: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Sep 14 09:45:30 2010: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Sep 14 09:45:30 2010: NOTICE: Server started: Radiator 4.7 on x


Tue Sep 14 09:46:48 2010: DEBUG: Handling request with Handler 'NAS-IP-Address=131.252.x.x', Identifier ''
Tue Sep 14 09:46:48 2010: DEBUG:  Deleting session for user. 131.252.x.x, 59
Tue Sep 14 09:46:48 2010: DEBUG: Handling with Radius::AuthLDAP2:
Tue Sep 14 09:46:48 2010: INFO: Connecting to 131.252.x.x:636
Tue Sep 14 09:46:48 2010: INFO: Attempting to bind to LDAP server 131.252.x.x:636
Tue Sep 14 09:46:48 2010: DEBUG: LDAP got result for <dn>
Tue Sep 14 09:46:48 2010: DEBUG: LDAP got objectClass: top person organizationalPerson user
Tue Sep 14 09:46:48 2010: DEBUG: LDAP got cn: user
Tue Sep 14 09:46:48 2010: DEBUG: LDAP got sn: user
Tue Sep 14 09:46:48 2010: DEBUG: LDAP got department: x

(more LDAP spew)

Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 looks for match with user [user]
Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: user [user]
Tue Sep 14 09:46:48 2010: INFO: Connecting to 131.252.x.x:636
Tue Sep 14 09:46:48 2010: INFO: Attempting to bind to LDAP server 131.252.x.x:636
Tue Sep 14 09:46:48 2010: DEBUG: No entries for DEFAULT found in LDAP database
Tue Sep 14 09:46:48 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Sep 14 09:46:48 2010: INFO: Access rejected for user: Bad Encrypted password

Config
-----------------------------------------
<Handler NAS-IP-Address=131.252.x.x>
    <AuthBy LDAP2>
        #define the host
        Host            131.252.x.x
        UseSSL
        Version         3
        #define the port
        Port            636
        Debug           255
        UsernameAttr    sAMAccountName
        ServerChecksPassword
        AuthDN          x
        AuthPassword    x
        BaseDN          dc=PSU, dc=X, dc=PDX, dc=EDU
        SearchFilter    (&(%0=%1)(x))
        AddToReply      Class = ou=x;
    </AuthBy>

    <AuthBy LDAP2>
        #define the host
        Host            131.252.x.x
        UseSSL
        Version         3
        Port            636
        Debug           255
        UsernameAttr    sAMAccountName
        ServerChecksPassword
        AuthDN          x
        AuthPassword    x
        BaseDN          dc=PSU, dc=X, dc=PDX, dc=EDU
        SearchFilter    (&(%0=%1)(x))
        AddToReply      Class = ou=y;
    </AuthBy>
</Handler>



Thanks for your assistance!

--bob


On 09/14/2010 10:44 AM, Hugh Irvine wrote:
> 
> Hello Bob -
> 
> We will need to see a copy of the configuration file and a more complete trace 4 debug showing the startup messages as well as what is happening with the requests.
> 
> For the most flexibility I suggest the AuthBy  clause on *NIX and the AuthBy LSA clause on Windows.
> 
> regards
> 
> Hugh
> 
> 
> On 14 Sep 2010, at 12:11, Bob Rotsted wrote:
> 
>> Hi all,
>>
>> I'm attempting to use Authby LDAP2 to proxy authentication requests to
>> our active directory server with the "ServerChecksPassword" switch.
>>
>> Everything appears to be working correctly -- binding completes, etc --
>> until the user's password is verified. When AD checks the user's
>> password, Authby LDAP2 throws the following errors:
>>
>> Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 looks for match with
>> user [user]
>> Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted
>> password: user [user]
>> Tue Sep 14 09:46:48 2010: INFO: Connecting to 131.252.0.0:636
>> Tue Sep 14 09:46:48 2010: INFO: Attempting to bind to LDAP server
>> 131.252.0.0:636
>> Tue Sep 14 09:46:48 2010: DEBUG: No entries for DEFAULT found in LDAP
>> database
>> Tue Sep 14 09:46:48 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad
>> Encrypted password
>> Tue Sep 14 09:46:48 2010: INFO: Access rejected for user: Bad Encrypted
>> password
>>
>> My current configuration works on another server, perhaps my new server
>> is missing a library? Anyone else experiencing this issue?
>>
>> Best,
>>
>> -- 
>> Bob Rotsted
>>
>> Network Security Analyst
>> Portland State University
>> Desk: 503-725-6215
>> Cell: 503-208-6575
>> 314B D581 A8CD E28A A690 7E9D 5B43 4B28 0EB6 A21A
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> 
> NB: 
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets), 
> together with a trace 4 debug showing what is happening?
> 
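Added example for this thread (not Radiator's code and not posted by anyone on the list): a Python model of what ServerChecksPassword asks the directory to do, run against a constructed in-memory directory, plus a classifier for trace lines in the shape shown above. It assumes the two-step shape of the check (bind with AuthDN/AuthPassword, search BaseDN for UsernameAttr=username, then a simple bind as the DN that was found using the password carried in the RADIUS request). The DNs, passwords, the FakeLdap class, the function names and the trace lines are all constructed for the example.

```python
"""Model of the AuthBy LDAP2 ServerChecksPassword flow with a fake directory.

Added example; not Radiator code. Nothing here talks to a real LDAP server.
"""
import re

# Constructed stand-in for the AD server. DNs and passwords are hypothetical.
SVC_DN = "CN=svc-radiator,OU=Service,DC=PSU,DC=X,DC=PDX,DC=EDU"
BASE_DN = "DC=PSU,DC=X,DC=PDX,DC=EDU"
FAKE_DIRECTORY = {
    SVC_DN: {"password": "svc-secret", "sAMAccountName": "svc-radiator"},
    "CN=user,OU=People,DC=PSU,DC=X,DC=PDX,DC=EDU": {
        "password": "correct-horse", "sAMAccountName": "user", "department": "x"},
}


class FakeLdap:
    """Minimal LDAP-like object: simple bind plus a one-attribute equality search."""

    def __init__(self, directory):
        self.directory = directory
        self.bound_as = None

    def bind(self, dn, password):
        entry = self.directory.get(dn)
        ok = entry is not None and password is not None and entry["password"] == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, base, attr, value):
        if self.bound_as is None:
            raise PermissionError("search attempted before a successful bind")
        return [dn for dn, e in self.directory.items()
                if dn.upper().endswith(base.upper()) and e.get(attr) == value]


def server_checks_password(ldap, auth_dn, auth_pw, base_dn, username_attr,
                           username, request_password):
    """Service bind, search for the user, then rebind as the user.

    request_password is the plaintext User-Password from the RADIUS request, or
    None when the request carries no plaintext (CHAP, MS-CHAP, non-PAP EAP):
    an LDAP simple bind cannot be attempted without a plaintext password.
    """
    if not ldap.bind(auth_dn, auth_pw):
        return ("REJECT", "service account bind failed")
    matches = ldap.search(base_dn, username_attr, username)
    if not matches:
        return ("REJECT", "No such user")
    if request_password is None:
        return ("REJECT", "no plaintext password in request; ServerChecksPassword needs PAP")
    user_dn = matches[0]
    if not ldap.bind(user_dn, request_password):
        return ("REJECT", "Bad Encrypted password")  # the message seen in the trace
    return ("ACCEPT", user_dn)


# Constructed trace lines in the shape of the trace 4 output posted above.
SAMPLE_TRACE = [
    "Tue Sep 14 09:46:48 2010: INFO: Attempting to bind to LDAP server 131.252.x.x:636",
    "Tue Sep 14 09:46:48 2010: DEBUG: LDAP got result for <dn>",
    "Tue Sep 14 09:46:48 2010: DEBUG: LDAP got cn: user",
    "Tue Sep 14 09:46:48 2010: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: user [user]",
    "Tue Sep 14 09:46:48 2010: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password",
]

TRACE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4}: (\w+): (.*)$")
RESULT_RE = re.compile(r"AuthBy LDAP2 result: (\w+)(?:, (.*))?")


def classify_trace(lines):
    """Say at which step of the flow a trace ended: the lookup or the user bind."""
    entry_found = False
    decision, reason = None, None
    for line in lines:
        m = TRACE_RE.match(line)
        if not m:
            continue
        msg = m.group(2)
        if msg.startswith("LDAP got result for"):
            entry_found = True           # service bind and search both worked
        r = RESULT_RE.search(msg)
        if r:
            decision, reason = r.group(1), r.group(2)
    if decision is None:
        return "no_result"
    if decision == "ACCEPT":
        return "accepted"
    if reason == "Bad Encrypted password" and entry_found:
        return "user_bind_failed"        # only the rebind as the user failed
    if not entry_found:
        return "lookup_failed"
    return "rejected_other"
```

The classifier applied to the posted trace lands on the user-bind step: the attributes of the entry came back, so the AuthDN bind and the search succeeded and it is the second bind, as the user's own DN with the password from the request, that the directory refused. Outside this model the equivalent check against the real server is an LDAP simple bind as that DN over port 636; if such a bind works from the new server with the same credentials, the next thing to confirm is that the request reaching Radiator carries a plaintext User-Password at all, since no simple bind can be made from a CHAP or MS-CHAP response.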