[RADIATOR] Radiator + LDAP tries to use "(?uid=)" as search filter...
Martin Burton
mvb at sanger.ac.uk
Mon Sep 12 16:05:41 CDT 2011
On 12/09/2011 20:59, Heikki Vatiainen wrote:
> I agree. That does not look correct. I tested with Radiator and it looks
> like when Radiator hands filter "(uid=)" to Perl LDAP library, it shows
> as "(?uid=)" in OpenLDAP logs.
>
> I am not sure why this happens. Is it how OpenLDAP flags a bad filter or
> does Perl LDAP library do this?
Hi Heikki, Isaac

I think that's just OpenLDAP's way of indicating a grammatical error in
the filter.

RFC1274 (X.500 schema) defines userid as:

    userid ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX
            caseIgnoreStringSyntax
            (SIZE (1 .. ub-user-identifier))
    ::= {pilotAttributeType 1}

so it must have at least size 1.

I'd have thought that this should have generated an error condition
either within Net::LDAP or OpenLDAP, but it's entirely possible that
there isn't a MUST or SHOULD amongst the various RFCs that define what
the behaviour should be :-)

Isaac, I think the problem stems from radpwtst being unable to find the
radius dictionary. Running it with -trace when it can't find the
dictionary gives:

radiussrv1:~# /radius/Radiator/radpwtst -trace -noacct -user testuser -password testpass
Attribute number 1 is not defined in your dictionary
Attribute number 6 is not defined in your dictionary
Attribute number 4 is not defined in your dictionary
Attribute number 5 is not defined in your dictionary
Attribute number 30 is not defined in your dictionary
Attribute number 31 is not defined in your dictionary
Attribute number 61 is not defined in your dictionary
Attribute number 2 is not defined in your dictionary
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
sending Access-Request...
Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code: Access-Request
Identifier: 208
Authentic: 1234567890123456
Attributes:
Unknown = testuser
Unknown = Framed-User
Unknown = 203.63.154.1
Unknown = 1234
Unknown = 123456789
Unknown = 987654321
Unknown = Async
Unknown = <141><238>,<217><223>=w<133><188>8<9><160><216>}x<153>

and results in a radiator log that looks very much like yours.

Try running radpwtst from the radiator installation directory, or use
the -dictionary flag to specify the path to the dictionary.

Cheers,
Martin
--
Martin Burton
Senior Systems Administrator \\\|||///
Special Projects Team \\ ^ ^ //
Wellcome Trust Sanger Institute ( 6 6 )
-----------------------------------------oOOo-(_)-oOOo---
http://www.sanger.ac.uk
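
Added example, not part of the original message and not Radiator or Net::LDAP code: one way to keep "(uid=)" from ever reaching the directory is to refuse an empty user name before the filter is built. It goes slightly beyond the thread by also applying the RFC 1274 upper bound and RFC 4515 value escaping; build_uid_filter, escape_filter_value and the sample names are hypothetical.

```perl
#!/usr/bin/perl
# Added example: build a uid search filter and refuse values that violate
# the userid SIZE (1 .. ub-user-identifier) constraint quoted in the message.
use strict;
use warnings;

# ub-user-identifier is 256 in RFC 1274.
use constant UB_USER_IDENTIFIER => 256;

# Escape the characters RFC 4515 requires to be escaped in an assertion
# value: backslash, '*', '(', ')' and NUL become \5c, \2a, \28, \29, \00.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# Hypothetical helper. Returns (filter, undef) on success or (undef, reason)
# when the name is missing, empty or too long. An empty name is what you get
# when the request's User-Name could not be decoded, as in the trace above.
sub build_uid_filter {
    my ($username) = @_;
    return (undef, 'user name missing')
        unless defined $username;
    return (undef, 'user name empty, would produce "(uid=)"')
        unless length $username;
    return (undef, 'user name longer than ub-user-identifier')
        if length($username) > UB_USER_IDENTIFIER;
    return ('(uid=' . escape_filter_value($username) . ')', undef);
}

# Constructed sample inputs, not taken from any real log.
my @samples = ('testuser', '', undef, 'a*b(c)', 'back\\slash', 'x' x 300);

for my $name (@samples) {
    my ($filter, $reason) = build_uid_filter($name);
    my $shown = !defined $name        ? 'undef'
              : length($name) > 40    ? 'string of ' . length($name) . ' chars'
              :                         "'$name'";
    if (defined $filter) {
        print "$shown -> $filter\n";
    }
    else {
        # Log and reject instead of issuing an LDAP search.
        print "$shown -> rejected: $reason\n";
    }
}
```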