[RADIATOR] Radiator and LDAP2 to Active Directory

Steve Phillips Wed, 19 Aug 2020 17:48:48 -0700

Hi Guys,


Just a couple of queries about setting up Radiator 4.24 to bind to LDAP as a 
user.

 

I currently have the following AuthBy LDAP2 configuration

 

<Handler>

        <AuthBy LDAP2>

                Host            10.0.0.50

 

                # Microsoft AD also listens on port 3268, and

                # requests received on that port are reported to be

                # more compliant with standard LDAP, so you may want to use:

                #Port 3268

 

                AuthDN uid=%U

                AuthPassword %P

                BaseDN          ou=example users,dc=example,dc=com

                Scope           sub

                ServerChecksPassword

                UnbindAfterServerChecksPassword

                UsernameAttr sAMAccountName

                #HoldServerConnection

                AuthAttrDef logonHours,MS-Login-Hours,check

 

                # Get user group memberships from this attribute

                GroupMembershipAttr memberOf

        </AuthBy>

</Handler>

 

My users are under a basedn as above but are in two different folders/Org Units

 

ou=users1,ou=example users,dc=example,dc=com

ou=users2,ou=example users,dc=example,dc=com

 

as a result, I can’t easily setup a user auth using  “AuthDN 
uid=%U,ou=users1,ou=example users,dc=example,dc=com” as some users will be in 
users2 

 

When I was playing with FreeRadius I could set the Ldap-UserDN to 
%[email protected] and this would successfully authenticate the user, but if I 
set AuthDN %[email protected] in radiator (I assume this is the same due to the 
error message saying it attempted a bind as [email protected]) I get a 
credential error

 

00000000 Thu Aug 20 09:48:48 2020 103966: ERR: AuthLDAP2 Could not bind 
connection with [email protected], **obscured**, error: 
LDAP_INVALID_CREDENTIALS (server 10.0.0.50 port 389).

00000000 Thu Aug 20 09:48:48 2020 104273: ERR: AuthLDAP2 Backing off from 
10.0.0.50 port 389 for 600 seconds.

 

How would you “bind” as that user in radiator when you have users scattered 
across multiple sub containers (I really don’t want to bind as a robot account 
as this presents an issue security wise)

 

I addition to this, someone asked a few years back (2004) about the timeout 
issue with an incorrect user creating a bad  bind with a 10 min backoff. Hugh 
responded saying to look at section 6.35.19 in the Radiator 3.9 manual and this 
no longer exists ☺ He mentioned a ‘Timeout” directive, which I tried (Timeout 
0) to no effect, how would you reduce this backoff on ‘bad user’ to essentially 
0? (or at least, less than 10 Mins each time someone types their password 
incorrectly) ?

 

Thanks in advance!

 

-- 

Steve.

smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator

[RADIATOR] Radiator and LDAP2 to Active Directory

Reply via email to