<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style></head><body lang=EN-AU link="#0563C1" vlink="#954F72"><div class=WordSection1>
<p>Hi Guys,</p>
<p>Just a couple of queries about setting up Radiator 4.24 to bind to LDAP as a user.</p>
<p>I currently have the following AuthBy LDAP2 configuration:</p>
<pre>
&lt;Handler&gt;
    &lt;AuthBy LDAP2&gt;
        Host 10.0.0.50

        # Microsoft AD also listens on port 3268, and
        # requests received on that port are reported to be
        # more compliant with standard LDAP, so you may want to use:
        #Port 3268

        AuthDN uid=%U
        AuthPassword %P
        BaseDN ou=example users,dc=example,dc=com
        Scope sub
        ServerChecksPassword
        UnbindAfterServerChecksPassword
        UsernameAttr sAMAccountName
        #HoldServerConnection
        AuthAttrDef logonHours,MS-Login-Hours,check

        # Get user group memberships from this attribute
        GroupMembershipAttr memberOf
    &lt;/AuthBy&gt;
&lt;/Handler&gt;
</pre>
<p>My users are under a BaseDN as above, but are in two different folders/Org Units:</p>
<pre>
ou=users1,ou=example users,dc=example,dc=com
ou=users2,ou=example users,dc=example,dc=com
</pre>
<p>As a result, I can’t easily set up a user auth using “AuthDN uid=%U,ou=users1,ou=example users,dc=example,dc=com”, as some users will be in users2.</p>
<p>When I was playing with FreeRADIUS I could set the Ldap-UserDN to %U@example.com and this would successfully authenticate the user, but if I set AuthDN %U@example.com in Radiator (I assume this is the same, due to the error message saying it attempted a bind as user@example.com) I get a credential error:</p>
<pre>
00000000 Thu Aug 20 09:48:48 2020 103966: ERR: AuthLDAP2 Could not bind connection with uid=user001@example.com, **obscured**, error: LDAP_INVALID_CREDENTIALS (server 10.0.0.50 port 389).
00000000 Thu Aug 20 09:48:48 2020 104273: ERR: AuthLDAP2 Backing off from 10.0.0.50 port 389 for 600 seconds.
</pre>
<p>How would you “bind” as that user in Radiator when you have users scattered across multiple sub-containers? (I really don’t want to bind as a robot account, as this presents an issue security-wise.)</p>
<p>In addition to this, someone asked a few years back (2004) about the timeout issue with an incorrect user creating a bad bind with a 10 min backoff. Hugh responded saying to look at section 6.35.19 in the Radiator 3.9 manual, and this no longer exists ☺ He mentioned a ‘Timeout’ directive, which I tried (Timeout 0) to no effect. How would you reduce this backoff on ‘bad user’ to essentially 0 (or at least, less than 10 mins each time someone types their password incorrectly)?</p>
<p>Thanks in advance!</p>
<p>-- </p>
<p>Steve.</p>
</div></body></html>