[RADIATOR] Radiator and LDAP2 to Active Directory

Steve Phillips steve at focb.co.nz
Thu Aug 20 00:47:20 UTC 2020

Hi Guys,


Just a couple of queries about setting up Radiator 4.24 to bind to LDAP as a user.


I currently have the following AuthBy LDAP2 configuration



        <AuthBy LDAP2>



                # Microsoft AD also listens on port 3268, and

                # requests received on that port are reported to be

                # more compliant with standard LDAP, so you may want to use:

                #Port 3268


                AuthDN uid=%U

                AuthPassword %P

                BaseDN          ou=example users,dc=example,dc=com

                Scope           sub



                UsernameAttr sAMAccountName


                AuthAttrDef logonHours,MS-Login-Hours,check


                # Get user group memberships from this attribute

                GroupMembershipAttr memberOf




My users are under a basedn as above but are in two different folders/Org Units


ou=users1,ou=example users,dc=example,dc=com

ou=users2,ou=example users,dc=example,dc=com


as a result, I can’t easily setup a user auth using  “AuthDN uid=%U,ou=users1,ou=example users,dc=example,dc=com” as some users will be in users2 


When I was playing with FreeRadius I could set the Ldap-UserDN to %U at example.com and this would successfully authenticate the user, but if I set AuthDN %U at example.com in radiator (I assume this is the same due to the error message saying it attempted a bind as user at example.com) I get a credential error


00000000 Thu Aug 20 09:48:48 2020 103966: ERR: AuthLDAP2 Could not bind connection with uid=user001 at example.com, **obscured**, error: LDAP_INVALID_CREDENTIALS (server port 389).

00000000 Thu Aug 20 09:48:48 2020 104273: ERR: AuthLDAP2 Backing off from port 389 for 600 seconds.


How would you “bind” as that user in radiator when you have users scattered across multiple sub containers (I really don’t want to bind as a robot account as this presents an issue security wise)


I addition to this, someone asked a few years back (2004) about the timeout issue with an incorrect user creating a bad  bind with a 10 min backoff. Hugh responded saying to look at section 6.35.19 in the Radiator 3.9 manual and this no longer exists ☺ He mentioned a ‘Timeout” directive, which I tried (Timeout 0) to no effect, how would you reduce this backoff on ‘bad user’ to essentially 0? (or at least, less than 10 Mins each time someone types their password incorrectly) ?


Thanks in advance!






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20200820/cdc92616/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5033 bytes
Desc: not available
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20200820/cdc92616/attachment-0001.p7s>

More information about the radiator mailing list