[RADIATOR] Radiator + LDAP tries to use "(?uid=)" as search filter...

Isaac Freeman isaac at us.ibm.com
Tue Sep 13 11:13:32 CDT 2011


Yep, that was the problem. Pointed it at the dictionary file and it worked.
Or, at least, it got further... having a new problem with it somehow now
transmitting the password correctly to the LDAP server, which returns error
49, invalid credentials. (Yes, I've triple-checked the credentials, and
even reset them.) The passwords are stored in the LDAP server as SSHA
hashes, but I have "ServerChecksPassword" and the LDAP logs look like it's
doing the BIND operation correctly now; it just doesn't like the
credentials for some reason.

Sep 13 11:58:52 ldap1 slapd[5590]: conn=10687 fd=50 ACCEPT from
IP=127.0.0.1:50521 (IP=0.0.0.0:389)
Sep 13 11:58:52 ldap1 slapd[5590]: conn=10687 op=0 BIND dn="" method=128
Sep 13 11:58:52 ldap1 slapd[5590]: conn=10687 op=0 RESULT tag=97 err=0
text=
Sep 13 11:58:52 ldap1 slapd[5590]: conn=10687 op=1 SRCH
base="dc=<my-domain>" scope=2 deref=2 filter="(uid=testuser)"
Sep 13 11:58:52 ldap1 slapd[5590]: conn=10687 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Sep 13 11:58:52 ldap1 slapd[5590]: conn=10687 op=2 BIND
dn="cn=testuser,ou=People,dc=<my-domain>" method=128
Sep 13 11:58:52 ldap1 slapd[5590]: conn=10687 op=2 RESULT tag=97 err=49
text=


Here's an example from a working LDAP client (ssh'ing in to a server as the
same user)

Sep 13 12:11:01 ldap1 slapd[5590]: conn=10727 op=1 BIND dn="" method=128
Sep 13 12:11:01 ldap1 slapd[5590]: conn=10727 op=1 RESULT tag=97 err=0
text=
Sep 13 12:11:01 ldap1 slapd[5590]: conn=10727 op=2 SRCH
base="ou=People,dc=<my-domain>" scope=1 deref=0 filter="(uid=testuser)"
Sep 13 12:11:01 ldap1 slapd[5590]: conn=10727 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text=
Sep 13 12:11:01 ldap1 slapd[5590]: conn=10727 op=3 BIND
dn="cn=testuser,ou=People,dc=<my-domain>" method=128
Sep 13 12:11:01 ldap1 slapd[5590]: conn=10727 op=3 BIND
dn="cn=testuser,ou=People,dc=<my-domain>" mech=SIMPLE ssf=0
Sep 13 12:11:01 ldap1 slapd[5590]: conn=10727 op=3 RESULT tag=97 err=0
text=


output from radiusd:

Tue Sep 13 11:58:47 2011: DEBUG: Reading dictionary file
'/var/radiator/dictionary'
Tue Sep 13 11:58:47 2011: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Sep 13 11:58:47 2011: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Sep 13 11:58:47 2011: NOTICE: Server started: Radiator 4.8 on ldap1
(LOCKED)
Tue Sep 13 11:58:52 2011: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52101 ....
Code:       Access-Request
Identifier: 247
Authentic:  }<225>Pm%A<163><187>~<238><135>O,<4><201><195>
Attributes:
	User-Name = "testuser"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password = {L<8>m<163><193>[<255>1hD<16><140>o<183><143>

Tue Sep 13 11:58:52 2011: DEBUG: Handling request with Handler
'Realm=DEFAULT', Identifier ''
Tue Sep 13 11:58:52 2011: DEBUG:  Deleting session for testuser,
203.63.154.1, 1234
Tue Sep 13 11:58:52 2011: DEBUG: Handling with Radius::AuthLDAP2:
Tue Sep 13 11:58:52 2011: INFO: Connecting to localhost:389
Tue Sep 13 11:58:52 2011: INFO: Attempting to bind to LDAP server
localhost:389
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got result for
cn=testuser,ou=People,dc=<my-domain>
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got objectClass: ldapPublicKey
hostObject posixAccount inetOrgPerson organizationalPerson person
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got
homeDirectory: /home/users/testuser
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got loginShell: /bin/bash
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got gidNumber: 10001
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got uid: testuser
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got cn: testuser
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got uidNumber: 10062
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got sn: testuser
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got host: test-rhel
Tue Sep 13 11:58:52 2011: DEBUG: LDAP got givenName: asdf
Tue Sep 13 11:58:52 2011: DEBUG: Radius::AuthLDAP2 looks for match with
testuser [testuser]
Tue Sep 13 11:58:52 2011: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted
password: testuser [testuser]
Tue Sep 13 11:58:52 2011: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted
password
Tue Sep 13 11:58:52 2011: INFO: Access rejected for testuser: Bad Encrypted
password


from radpwtst (with dictionary ;)

root at ldap1:/var/radiator# radpwtst -dictionary ./dictionary -trace -user
testuser -password qwer1234
Tue Sep 13 11:58:52 2011: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Tue Sep 13 11:58:52 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code:       Access-Request
Identifier: 247
Authentic:  }<225>Pm%A<163><187>~<238><135>O,<4><201><195>
Attributes:
	User-Name = "testuser"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password = {L<8>m<163><193>[<255>1hD<16><140>o<183><143>

Tue Sep 13 11:58:52 2011: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1645 ....
Code:       Access-Reject
Identifier: 247
Authentic:  <253><22><242><200>C<171>b<143>E<218><230>Y<250><20><29><201>
Attributes:
	Reply-Message = "Request Denied"


--
Isaac Freeman - Systems Administrator
IBM Information Protection Services
isaac at us.ibm.com
919-254-0245
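Added note, not part of Isaac's message and not Radiator's code. The slapd log above shows op=2 binding as cn=testuser,ou=People,dc=<my-domain> and getting err=49, so what slapd rejects is the password Radiator handed it. One thing worth ruling out whenever a RADIUS test client and server disagree is the shared secret: User-Password is hidden with MD5(secret + Request Authenticator) per RFC 2865 section 5.2, so a server configured with a different secret decodes the attribute to 16 bytes of garbage, raises no error, and passes that garbage on to the LDAP bind. The example below implements that hiding and unhiding, parses Radiator's <N> packet-dump notation so the Authenticator and User-Password captured above can be decoded against a candidate secret, and shows the garbage-on-wrong-secret behaviour. The secrets "mysecret" and "wrongsecret" and the fixed authenticator under __main__ are constructed; whether a secret mismatch is actually Isaac's problem is not established in this thread.

```python
"""RFC 2865 section 5.2 User-Password hiding and unhiding.

Added illustration, not Radiator's code. The shared secrets and the fixed
authenticator used for the demo are constructed; PAGE_AUTHENTICATOR and
PAGE_USER_PASSWORD are copied from the packet dump in the message above,
in Radiator's "<N>" notation for non-printable bytes.
"""
import hashlib
import re

# Copied from the radpwtst/radiusd packet dump above (16 bytes each).
PAGE_AUTHENTICATOR = "}<225>Pm%A<163><187>~<238><135>O,<4><201><195>"
PAGE_USER_PASSWORD = "{L<8>m<163><193>[<255>1hD<16><140>o<183><143>"

_DUMP_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def parse_radiator_dump(text: str) -> bytes:
    """Convert Radiator's packet-dump rendering back to raw bytes.

    Printable ASCII is shown as-is, any other byte as <decimal>. Caveat: a
    literal '<' followed by digits and '>' is ambiguous in that notation;
    the dumps on this page contain no such sequence.
    """
    out = bytearray()
    for num, ch in _DUMP_TOKEN.findall(text):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password the way the RADIUS client does.

    Pad with NULs to a multiple of 16, then XOR chunk p_i with
    b_i = MD5(secret + c_(i-1)), where c_0 is the Request Authenticator and
    c_i the previous output chunk. This is obfuscation keyed by the shared
    secret, not encryption: anyone holding the packet can test candidate
    secrets offline, so a guessable secret exposes every password.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password as the server does; NUL padding is stripped.

    With the wrong secret every MD5 block differs, so the result is 16*n
    bytes of garbage rather than an error. The server cannot tell, and
    forwards that garbage to whatever checks the password, which is one way
    to end up with an LDAP bind that fails with err=49.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def secret_matches(hidden: bytes, secret: bytes, authenticator: bytes, expected: bytes) -> bool:
    """True if decoding with `secret` yields the password the user typed."""
    return unhide_password(hidden, secret, authenticator) == expected


def decode_page_dump(secret: bytes) -> bytes:
    """Decode the User-Password captured above with a candidate shared secret.

    If the candidate is the secret radpwtst used, this returns b"qwer1234";
    otherwise it returns whatever garbage radiusd would have seen.
    """
    return unhide_password(parse_radiator_dump(PAGE_USER_PASSWORD), secret,
                           parse_radiator_dump(PAGE_AUTHENTICATOR))


if __name__ == "__main__":
    auth = bytes(range(16))                               # constructed
    hidden = hide_password(b"qwer1234", b"mysecret", auth)
    print(unhide_password(hidden, b"mysecret", auth))     # the password back
    print(unhide_password(hidden, b"wrongsecret", auth))  # 16 bytes of garbage
```

To use it against the capture above, call decode_page_dump() with the secret configured for the 127.0.0.1 client in radiusd's configuration; if the result is not b"qwer1234", the client and server secrets differ and no LDAP setting will fix the bind.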



From:	Martin Burton <mvb at sanger.ac.uk>
To:	radiator at open.com.au
Date:	09/12/2011 05:06 PM
Subject:	Re: [RADIATOR] Radiator + LDAP tries to use "(?uid=)" as search filter...
Sent by:	radiator-bounces at open.com.au



On 12/09/2011 20:59, Heikki Vatiainen wrote:
> I agree. That does not look correct. I tested with Radiator and it looks
> like when Radiator hands filter "(uid=)" to Perl LDAP library, it shows
> as "(?uid=)" in OpenLDAP logs.
>
> I am not sure why this happens. Is it how OpenLDAP flags a bad filter or
> does Perl LDAP library do this?


Hi Heikki, Isaac

I think that's just OpenLDAP's way of indicating a grammatical error in
the filter.

RFC1274 (X.500 schema) defines userid as:

     userid ATTRIBUTE
         WITH ATTRIBUTE-SYNTAX
             caseIgnoreStringSyntax
             (SIZE (1 .. ub-user-identifier))
     ::= {pilotAttributeType 1}

so it must have at least size 1.

I'd have thought that this should have generated an error condition
either within Net::LDAP or OpenLDAP, but it's entirely possible that
there isn't a MUST or SHOULD amongst the various RFCs that define what
the behaviour should be :-)

Isaac, I think the problem stems from radpwtest being unable to find the
radius dictionary.  Running it with -trace when it can't find the
dictionary gives:

radiussrv1:~# /radius/Radiator/radpwtst -trace -noacct -user testuser
-password testpass
Attribute number 1 is not defined in your dictionary
Attribute number 6 is not defined in your dictionary
Attribute number 4 is not defined in your dictionary
Attribute number 5 is not defined in your dictionary
Attribute number 30 is not defined in your dictionary
Attribute number 31 is not defined in your dictionary
Attribute number 61 is not defined in your dictionary
Attribute number 2 is not defined in your dictionary
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
No such attribute Unknown
sending Access-Request...
Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code:       Access-Request
Identifier: 208
Authentic:  1234567890123456
Attributes:
        Unknown = testuser
        Unknown = Framed-User
        Unknown = 203.63.154.1
        Unknown = 1234
        Unknown = 123456789
        Unknown = 987654321
        Unknown = Async
        Unknown = <141><238>,<217><223>=w<133><188>8<9><160><216>}x<153>

and results in a radiator log that looks very much like yours.

Try running radpwtest from the radiator installation directory, or use
the -dictionary flag to specify the path to the dictionary.

Cheers,

Martin



--
Martin Burton
Senior Systems Administrator               \\\|||///
Special Projects Team                     \\  ^ ^  //
Wellcome Trust Sanger Institute            (  6 6  )
-----------------------------------------oOOo-(_)-oOOo---
                                  http://www.sanger.ac.uk

[attachment "signature.asc" deleted by Isaac Freeman/Raleigh/Contr/IBM]
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
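Added example for the filter point Martin makes; it is not from the thread and not Radiator's or Net::LDAP's code. The "(?uid=)" in the slapd log marks a filter whose assertion value is empty, and the place to catch that is on the client before the filter is built. The block below builds a uid filter with RFC 4515 escaping (so a username such as test)(uid=* cannot rewrite the filter), refuses an empty username in line with RFC 1274's SIZE (1..) lower bound, includes a small well-formedness checker for the common filter subset that rejects "(uid=)" the way slapd does, and runs that check over constructed slapd log lines written in the format quoted above. The "dc=example" base and the conn numbers in the sample lines are made up.

```python
"""LDAP search-filter construction and checking (RFC 4515).

Added illustration, not Radiator's or Net::LDAP's code. The sample slapd
lines at the bottom are constructed in the style of the ones on this page.
"""
import re

# RFC 4515 section 3: these MUST be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*")
_MATCH_OP = re.compile(r"[~<>]?=")
# Value characters: anything but the specials, or a \XX hex escape. A bare
# '*' is allowed so substring/present filters built by trusted code pass.
_VALUE = re.compile(r"(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})+")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(username: str, attr: str = "uid") -> str:
    """Build '(uid=<username>)' safely; empty usernames are refused because
    userid is SIZE (1..ub-user-identifier) and '(uid=)' is not a filter."""
    if not _ATTR.fullmatch(attr):
        raise ValueError(f"bad attribute name {attr!r}")
    if not username:
        raise ValueError(f"empty username; refusing to build '({attr}=)'")
    return f"({attr}={escape_filter_value(username)})"


def check_filter(s: str):
    """Return None if `s` is well formed, else an error message.

    Covers the subset (attr=value), (attr~=value), (attr>=value),
    (attr<=value), (&...), (|...), (!...). An empty assertion value is a
    grammar error, which is what OpenLDAP's '?' marker indicates.
    """
    pos = 0

    def item():
        nonlocal pos
        if pos >= len(s) or s[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(s) and s[pos] in "&|":
            pos += 1
            count = 0
            while pos < len(s) and s[pos] == "(":
                item()
                count += 1
            if count == 0:
                raise ValueError(f"empty filter set at offset {pos}")
        elif pos < len(s) and s[pos] == "!":
            pos += 1
            item()
        else:
            m = _ATTR.match(s, pos)
            if not m:
                raise ValueError(f"bad attribute at offset {pos}")
            pos = m.end()
            m = _MATCH_OP.match(s, pos)
            if not m:
                raise ValueError(f"expected '=' at offset {pos}")
            pos = m.end()
            m = _VALUE.match(s, pos)
            if not m:
                raise ValueError(f"empty or unescaped value at offset {pos}")
            pos = m.end()
        if pos >= len(s) or s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1

    try:
        item()
        if pos != len(s):
            raise ValueError(f"trailing data at offset {pos}")
    except ValueError as e:
        return str(e)
    return None


_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')


def flag_bad_filters(log_lines):
    """Detection over slapd log lines: (conn, op, filter) for every SRCH
    whose filter slapd marked with '?' or that fails check_filter()."""
    hits = []
    for line in log_lines:
        m = _SRCH.search(line)
        if m and (m.group(3).startswith("(?") or check_filter(m.group(3))):
            hits.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return hits


# Constructed slapd lines in the format of the ones quoted above.
SAMPLE_SLAPD_LOG = [
    'Sep 13 11:58:52 ldap1 slapd[5590]: conn=10687 op=1 SRCH base="dc=example" scope=2 deref=2 filter="(uid=testuser)"',
    'Sep 13 11:58:52 ldap1 slapd[5590]: conn=10687 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=',
    'Sep 12 20:30:01 ldap1 slapd[5590]: conn=10601 op=1 SRCH base="dc=example" scope=2 deref=2 filter="(?uid=)"',
]

if __name__ == "__main__":
    print(uid_filter("testuser"), uid_filter("test)(uid=*"))
    print(check_filter("(uid=)"))
    print(flag_bad_filters(SAMPLE_SLAPD_LOG))
```

The escaping matters independently of the empty-value problem: AuthBy LDAP2 substitutes the RADIUS User-Name into the filter, and without escaping a User-Name containing ) ( * or \ changes the filter's grammar rather than its value.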