[RADIATOR] Radiator + LDAP tries to use "(?uid=)" as search filter...
Isaac Freeman
isaac at us.ibm.com
Mon Sep 12 13:52:53 CDT 2011
I'm trying to set up Radiator's evaluation software to use my OpenLDAP
server as a back-end. On the LDAP server I see it trying to query with:
Sep 12 14:41:58 ldap1 slapd[5590]: conn=9813 op=9 SRCH
base="ou=People,dc=<my-domain>" scope=2 deref=2 filter="(?uid=)"
This does not seem to be a valid search to me. I am testing with:
radpwtst -user testuser -password qwer1234
radiusd with the -foreground option says:
Mon Sep 12 14:35:57 2011: DEBUG: Handling request with Handler
'Realm=DEFAULT', Identifier ''
Mon Sep 12 14:35:57 2011: DEBUG: Deleting session for , 127.0.0.1,
Mon Sep 12 14:35:57 2011: DEBUG: Handling with Radius::AuthLDAP2:
Mon Sep 12 14:35:57 2011: INFO: Connecting to localhost:389
Mon Sep 12 14:35:57 2011: INFO: Attempting to bind to LDAP server
localhost:389
Mon Sep 12 14:35:57 2011: DEBUG: No entries for found in LDAP database
Mon Sep 12 14:35:57 2011: DEBUG: Radius::AuthLDAP2 looks for match with []
Mon Sep 12 14:35:57 2011: DEBUG: Radius::AuthLDAP2 REJECT: No such user:
[]
Mon Sep 12 14:35:57 2011: DEBUG: No entries for DEFAULT found in LDAP
database
Mon Sep 12 14:35:57 2011: DEBUG: AuthBy LDAP2 result: REJECT, No such user
Mon Sep 12 14:35:57 2011: INFO: Access rejected for : No such user
I've tried varying the "SearchFilter" parameter in the config, but it
always tries searching with "(?uid=)". The openLDAP logs should show the
actual filter used. An example from a working LDAP client:
Sep 12 14:37:52 ldap1 slapd[5590]: conn=9825 op=2 SRCH
base="ou=People,dc=<my-domain>" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=nsm))"
Here are the non-blank/non-comment lines from my config (slightly edited
from the example config):
LogStdout
LogDir /var/log
DbDir /var/radiator
Trace 4
<Client DEFAULT>
        Secret <secret>
        DupInterval 0
</Client>
<Realm DEFAULT>
        <AuthBy LDAP2>
                Host localhost
                AuthDN cn=admin,dc=<my-domain>
                AuthPassword <admin-password>
                BaseDN ou=People,dc=<my-domain>
                SearchFilter (uid=%1)
                ServerChecksPassword
                HoldServerConnection
                AddToReply Framed-Protocol = PPP,\
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-MTU = 1500,\
                        Framed-Compression = Van-Jacobson-TCP-IP
                Version 3
        </AuthBy>
</Realm>
If I change the SearchFilter to something like "(cn=%1)" it just sends
"(?cn=)".
Radiator seems to understand the right syntax for a search when looking for
the default user, however:
Sep 12 14:49:04 ldap1 slapd[5590]: conn=9835 op=2 SRCH
base="ou=People,dc=<my-domain>" scope=2 deref=2 filter="(cn=default)", but
no such user exists. Also, it successfully binds as the cn=admin user.
Any ideas would be greatly appreciated.
Thanks,
--
Isaac Freeman - Systems Administrator
IBM Information Protection Services
isaac at us.ibm.com
919-254-0245
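The two things a practitioner would check here, as an added example that is not part of the original message and is not Radiator's or OpenLDAP's own code: how a Radiator-style SearchFilter template expands into the filter that reaches slapd, and how to spot in the slapd log a filter the server could not use. The %0 (UsernameAttr) and %1 (user name) placeholder meanings follow Radiator's documentation; the refusal of an empty name and the RFC 4515 escaping of the substituted value are hardening added here, not Radiator behaviour. The log check treats a leading "?" in a logged filter component as slapd's marking of a component it could not evaluate, and flags any attribute compared against an empty value, which is what "(?uid=)" shows. Note that the radiusd debug lines in the post already carry an empty user name ("No entries for  found", "looks for match with []"), and substituting an empty name into (uid=%1) yields exactly "(uid=)". The sample log lines are constructed from the ones in the post, joined onto single lines and with the domain replaced by dc=example.

```python
import re

# RFC 4515 requires these characters to be hex-escaped inside an
# assertion value; otherwise a username such as "*)(uid=*" rewrites
# the filter instead of being matched literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username_attr: str, username: str) -> str:
    """Expand a Radiator-style SearchFilter template.

    %0 (UsernameAttr) and %1 (user name) follow Radiator's documented
    convention; the empty-name check and the escaping are hypothetical
    hardening added in this example, not Radiator behaviour.
    """
    if not username:
        raise ValueError("empty username: refusing to build an empty assertion")
    return template.replace("%0", username_attr).replace("%1", escape_filter_value(username))


# One slapd SRCH log record on a single line (the post shows it wrapped
# by the mail client).
_SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) deref=(?P<deref>\d) filter="(?P<filter>[^"]*)"'
)


def classify_srch(line: str):
    """Return a dict describing a slapd SRCH line, or None for other lines.

    'undefined' is True when slapd prefixed a component with '?', which is
    how it logs a filter component it could not evaluate; 'empty_value' is
    True when some attribute is compared against nothing, e.g. "(uid=)".
    """
    m = _SRCH_RE.search(line)
    if not m:
        return None
    flt = m.group("filter")
    return {
        "conn": int(m.group("conn")),
        "filter": flt,
        "undefined": "(?" in flt,
        "empty_value": re.search(r"=\)", flt) is not None,
    }


# Constructed sample lines modelled on the ones in the post above.
SAMPLE_SLAPD_LOG = [
    'Sep 12 14:41:58 ldap1 slapd[5590]: conn=9813 op=9 SRCH base="ou=People,dc=example" scope=2 deref=2 filter="(?uid=)"',
    'Sep 12 14:37:52 ldap1 slapd[5590]: conn=9825 op=2 SRCH base="ou=People,dc=example" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=nsm))"',
    'Sep 12 14:41:58 ldap1 slapd[5590]: conn=9813 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text=',
]


def suspicious_searches(lines):
    """Return the conn numbers of SRCH lines whose filter slapd could not use."""
    out = []
    for line in lines:
        info = classify_srch(line)
        if info and (info["undefined"] or info["empty_value"]):
            out.append(info["conn"])
    return out


if __name__ == "__main__":
    print(build_search_filter("(uid=%1)", "uid", "testuser"))
    print(build_search_filter("(%0=%1)", "uid", "*)(uid=*"))
    print(suspicious_searches(SAMPLE_SLAPD_LOG))
```

Running the block prints "(uid=testuser)", the escaped form of the hostile name, and [9813], the connection whose filter slapd flagged. Whatever the reason the user name arrives empty, a filter builder that refuses empty names turns a silent "No such user" reject into an explicit error at the point where the template is expanded, and the escaping keeps a RADIUS User-Name from rewriting the search.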