[RADIATOR] Auth by LDAP Ubuntu 12.04 & Radiator 4.10
John Goubeaux
goubeaux at education.ucsb.edu
Wed Jul 3 15:42:15 CDT 2013
Hello Folks,
RE: Auth by LDAP issues w/ Ubuntu 12.04 & Radiator 4.10
I am currently running an instance of Radiator 4.4 on Solaris 10 x86.
This box is also running our current Sun Java Directory Server
(ODSEE 7). This instance of Radiator is actively using Auth by LDAP
successfully with TTLS and PAP.
We are wanting to add MSCHAP V2 auth into our infrastructure to AUTH
against an AD repository of users and for the time being will be
hosting a separate Radiator instance on Ubuntu 12.04 that has
Radiator 4.10 running to achieve this. We will use Auth by Radius to
proxy MSCHAP V2 requests to the new box from the Radiator 4.4 box. To
completely test this environment we need to spin up an instance of
the Auth by LDAP.
I started with the config from the Radiator 4.4 instance on the
Solaris box and dropped it into place with the Radiator 4.4 on
Ubuntu 12.04. After many hours of frustration and many errors,
including build errors with Radiator itself, I decided to try running
the same config on Radiator 4.10. According to the Radiator docs the
config is compatible with Radiator 4.10. However, Radiator 4.10 on
Ubuntu with the config from the Solaris box fails to be able to Auth
by LDAP and reports "user Not found in LDAP".
I have, however, been able to bind to LDAP from the Ubuntu box using
ldapsearch, so I am led to believe it is not a networking issue. I
believe the issue lies in the different libraries and default configs
of the LDAP client between Solaris and Ubuntu.
So the questions are:
Are there specific libraries (other than those specified in the
Radiator 4.10 docs) that I need in order to support LDAP binds to
the Sun Directory from Ubuntu? I have included the config that I am
speaking about below.
OR, another way of asking the question: Is anyone successfully
running Radiator 4.10 on Ubuntu 12.04 AND authing against an Oracle
DS, and IF so, were there any caveats to the build?
-john
########## ##########
##### Radiator Configuration #####
######### ##########
## Updated 7/2/13 ms
## Note this file is derived from pre-testing version provided by mrodrigues
Foreground
LogStdout
LogDir ./radlogs
DbDir .
# Use a lower trace level in production systems:
Trace 5
#Bind Address
BindAddress 10.99.1.252
# Port Config
AuthPort 1812
AcctPort 1813
# Below was added on 2/4/13 to catch ALL iterations of logins that are BlackListed.
RewriteUsername tr/A-Z/a-z/
#These are the subnets from which calls to the RADIUS server are allowed.
<Client localhost>
Secret testing123
DupInterval 0
</Client>
<Client 10.99.1.0/24>
Secret testing123
DupInterval 0
</Client>
<Handler>
PostProcessingHook file:"%D/eap_acct_username.pl"
<AuthBy LDAP2>
#Directory server info
Host directory.foobar.com
Port 389
BaseDN ou=People,o=foobar.com
#This specifies the attribute that must be present
#to allow authentication. Everyone has a uid....
UsernameAttr uid
ServerChecksPassword
#Allowed EAP Types
EAPType TTLS
#Certificate stuff
EAPTLS_MaxFragmentSize 1000
EAPTLS_CAFile %D/certificates/ca.pem
EAPTLS_CertificateType PEM
EAPTLS_CertificateFile %D/certificates/ia.pem
EAPTLS_PrivateKeyFile %D/certificates/ia.key
EAPTLS_MaxFragmentSize 2048
#This handles auto-negotiation of the WPA keys.
AutoMPPEKeys
# EAPTLS_PEAPBrokenV1Label
# EAPTLS_PEAPVersion 0
# This outputs debug info for tracing the TLS handshake, I THINK!
SSLeayTrace 4
HoldServerConnection
Timeout 2
FailureBackoffTime 30
Version 3
</AuthBy>
PostProcessingHook file:"%D/eap_acct_username.pl"
</Handler>
--
John Goubeaux
Systems Administrator
Gevirtz Graduate School of Education
UC Santa Barbara
Education 4203C
805 893-8190
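As an added diagnostic (not from this thread and not Radiator's own code), a small Python lint over a constructed excerpt of the posted configuration: it parses the nested clauses and flags the settings a reviewer would raise, namely the shared secret, Trace 5 outside testing, and ServerChecksPassword over a plain port-389 connection with no UseSSL/UseTLS. UseSSL and UseTLS are Radiator AuthBy LDAP2 directives; the weak-secret list is constructed.

```python
"""Lint a Radiator config excerpt for settings a reviewer would flag.
Added example, not Radiator code; SAMPLE_CONFIG is a constructed excerpt of
the posted config, and UseSSL/UseTLS are Radiator's AuthBy LDAP2 directives."""

SAMPLE_CONFIG = """
Trace 5
<Client 10.99.1.0/24>
Secret testing123
</Client>
<Handler>
<AuthBy LDAP2>
Host directory.foobar.com
Port 389
BaseDN ou=People,o=foobar.com
ServerChecksPassword
</AuthBy>
</Handler>
"""
WEAK_SECRETS = {"testing123", "secret", "radius"}  # constructed list of test values

def parse_sections(text):
    """Return (section_path, directive, value) tuples; path e.g. 'Handler/AuthBy'."""
    stack, entries = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a Radiator comment
        if not line:
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:-1].split()[0])  # '<AuthBy LDAP2>' -> 'AuthBy'
        else:
            name, _, value = line.partition(" ")
            entries.append(("/".join(stack), name, value.strip()))
    return entries

def lint(text):
    """Return human-readable findings for the given config text."""
    entries, findings = parse_sections(text), []
    for path, name, value in entries:
        if name == "Trace" and value.isdigit() and int(value) >= 4:
            findings.append(f"Trace {value}: debug tracing dumps packet contents to the log")
        if name == "Secret" and value in WEAK_SECRETS:
            findings.append(f"{path}: shared secret '{value}' is a well-known test value")
    # ServerChecksPassword makes Radiator bind to the directory with the user's
    # password, so an LDAP2 block that uses it also needs UseSSL or UseTLS.
    authby = {n for p, n, _ in entries if p.endswith("AuthBy")}
    if "ServerChecksPassword" in authby and not authby & {"UseSSL", "UseTLS"}:
        findings.append("AuthBy LDAP2: ServerChecksPassword without UseSSL/UseTLS "
                        "sends user passwords to the directory in cleartext")
    return findings
```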