[RADIATOR] TACACS+, OpenLDAP and saslauthd

Patrick Ohearn pat at ge3k.net
Mon Aug 20 01:22:00 UTC 2018


Hi List,

Has anyone run into any issues when using TACACS and the LDAP2
module, authing via an OpenLDAP (slapd) server, using saslauthd as the
auth backend for OpenLDAP?

I am having intermittent issues where Radius::AuthLDAP2 gets a REJECT with Bad
Password from LDAP, with users using the saslauthd backend on the
OpenLDAP server.

I am able to authenticate with the exact same credentials via the OpenLDAP server
using the CLI ldapsearch tools. And users using passwords stored in
LDAP (SSHA-style creds) are able to authenticate via TACACS through
Radiator, and via the ldapsearch tools.

The only solution has been to restart the radiator process, which
immediately solves the issue.

The occurrence of the issue does appear to be tied to the amount of
requests from the SASL-auth'ing users. Over a weekend, when the majority
of auths are using LDAP-stored creds, no issues occur. However, come
business hours, when support staff are using their SASL credentials,
Radiator starts dropping these auths.

Unsure if the list strips attachments, so logs are attached and are at
https://p.6core.net/p/fSOZYA9evCqNbmQh1voBFCe4


Regards,
Patrick.

-- 
Email: pat at ge3k.net
-------------- next part --------------
Mon Aug 20 11:10:35 2018: DEBUG: Handling request with Handler 'NAS-Identifier="TACACS"', Identifier ''
Mon Aug 20 11:10:35 2018: DEBUG:  Deleting session for test.user, 172.1.1.1,
Mon Aug 20 11:10:35 2018: DEBUG: Handling with Radius::AuthGROUP: noc-users
Mon Aug 20 11:10:35 2018: DEBUG: Handling with Radius::AuthLDAP2: noc-ldap-user
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got result with filter (&(uid=test.user)(!(shadowExpire=*))) for DN uid=test.user,ou=people,dc=example,dc=net,dc=au
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got telephoneNumber: 61700000000
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got displayName: Test User
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got cn: test.user
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got objectClass: top inetOrgPerson posixAccount shadowAccount
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got uidNumber: 2204
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got mobile: 61400000000
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got gidNumber: 2204
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got gecos: Test User
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got sn: User
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got homeDirectory: /home/test.user
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got mail: test.user at example.com.au
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got givenName: Test
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got uid: test.user
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got title: Testing LDAP User
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got loginShell: /bin/false
Mon Aug 20 11:10:35 2018: DEBUG: LDAP got userPassword: **obscured**
Mon Aug 20 11:10:35 2018: DEBUG: Radius::AuthLDAP2 looks for match with test.user test.user
Mon Aug 20 11:10:35 2018: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: test.user test.user
Mon Aug 20 11:10:35 2018: DEBUG: No entries for DEFAULT found in LDAP database with filter (&(uid=DEFAULT)(!(shadowExpire=*)))
Mon Aug 20 11:10:35 2018: DEBUG: Radius::AuthGROUP:noc-users noc-ldap-user result: REJECT, Bad Password
Mon Aug 20 11:10:35 2018: DEBUG: Handling with Radius::AuthFILE: noc-failover-user
Mon Aug 20 11:10:35 2018: DEBUG: Radius::AuthFILE looks for match with test.user test.user
Mon Aug 20 11:10:35 2018: DEBUG: Radius::AuthFILE REJECT: No such user: test.user test.user
Mon Aug 20 11:10:35 2018: DEBUG: Radius::AuthGROUP:noc-users noc-failover-user result: REJECT, No such user
Mon Aug 20 11:10:35 2018: DEBUG: AuthBy GROUP result: REJECT, No such user
Mon Aug 20 11:10:35 2018: INFO: Access rejected for test.user: No such user
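Added example, not part of the original post or of Radiator: a small Python log triage script for the DEBUG output shown above. It parses the per-AuthBy "REJECT: <reason>: <user>" lines, groups them into fixed time windows, and separates a burst of "Bad Password" rejects spread across many distinct users (which points at the LDAP/saslauthd path rather than at the users, as in the symptom described in the post) from rejects concentrated on a single account. The sample log lines, the window size and the distinct-user threshold are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the Radiator DEBUG lines in the post
# (two lines are copied from it; the other usernames are invented).
SAMPLE_LOG = """\
Mon Aug 20 11:10:35 2018: DEBUG: Radius::AuthLDAP2 looks for match with test.user test.user
Mon Aug 20 11:10:35 2018: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: test.user test.user
Mon Aug 20 11:10:35 2018: DEBUG: Radius::AuthFILE REJECT: No such user: test.user test.user
Mon Aug 20 11:10:41 2018: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: alice.smith alice.smith
Mon Aug 20 11:10:52 2018: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: bob.jones bob.jones
Mon Aug 20 11:11:03 2018: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: carol.ng carol.ng
Mon Aug 20 11:11:09 2018: DEBUG: Radius::AuthFILE REJECT: No such user: carol.ng carol.ng
Mon Aug 20 11:11:20 2018: INFO: Access rejected for carol.ng: No such user
"""

# "Mon Aug 20 11:10:35 2018: DEBUG: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# "Radius::AuthLDAP2 REJECT: Bad Password: test.user test.user"
REJECT_RE = re.compile(
    r"^Radius::(?P<authby>Auth[A-Z0-9]+) REJECT: (?P<reason>[^:]+): (?P<user>\S+)"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
EPOCH = datetime(1970, 1, 1)  # fixed reference so bucketing ignores local timezone


def parse_rejects(text):
    """Return a list of (timestamp, authby, reason, user) for each AuthBy REJECT line."""
    rejects = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Radiator log line
        r = REJECT_RE.match(m.group("msg"))
        if not r:
            continue  # some other DEBUG/INFO message
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        rejects.append((ts, r.group("authby"), r.group("reason"), r.group("user")))
    return rejects


def bucket_rejects(rejects, window_seconds=300):
    """Map (window_start, authby, reason) -> set of distinct rejected users."""
    buckets = defaultdict(set)
    for ts, authby, reason, user in rejects:
        secs = int((ts - EPOCH).total_seconds())
        start = secs - secs % window_seconds
        buckets[(start, authby, reason)].add(user)
    return buckets


def classify_windows(rejects, window_seconds=300, min_users=3):
    """Return (window_start_iso, authby, reason, sorted_users, verdict) per window.

    A "Bad Password" window touching at least min_users distinct accounts is
    flagged as a backend-wide fault candidate; fewer users is treated as an
    account-specific credential problem. Other reasons are reported as-is.
    """
    out = []
    for (start, authby, reason), users in sorted(bucket_rejects(rejects, window_seconds).items()):
        if reason == "Bad Password" and len(users) >= min_users:
            verdict = "backend-wide: many distinct users rejected; check LDAP/saslauthd path"
        elif reason == "Bad Password":
            verdict = "isolated: account-specific credential problem"
        else:
            verdict = "other reject"
        when = (EPOCH + timedelta(seconds=start)).isoformat()
        out.append((when, authby, reason, sorted(users), verdict))
    return out


if __name__ == "__main__":
    for row in classify_windows(parse_rejects(SAMPLE_LOG), window_seconds=60):
        print(row)
```

Run it against a real Radiator log with `Trace 4` enabled to see whether the "Bad Password" rejects cluster by time across many accounts (as they would if the LDAP connection or saslauthd stopped answering correctly) rather than repeating for one account; the window size and threshold should be tuned to the site's normal authentication volume.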