Hi Hugh,
I'm experimenting with LDAP for authentication and seem to be stuck. I'm totally new to LDAP and hence am not sure if the problem's with LDAP or my Radiator config. The authentication seems to work if I supply the additional parameter ServerChecksPassword. If I omit this, Radiator will return a "No such user" message all the time. I've included a sample of my config and also the usual trace 4 output. BTW, I don't know if this is important or not, but the password is stored as either userpassword: {SHA}xxxxxxxx or userpassword: {crypt}xxxxxxxxx. The password differs depending on when the user was created.

Thanks!
------------------ ldap config ---------------------

<Handler Realm=ldap>
        RejectHasReason
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy LDAP2>
                Host ldaptest
                BaseDN %0=%1,ou=People,o=tm.net.my,o=isp
                # This is the attribute to match the radius user name
                UsernameAttr uid
                PasswordAttr userpassword
                #ServerChecksPassword
                AddToReply Framed-Protocol = PPP,\
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-MTU = 1500,\
                        Framed-Compression = Van-Jacobson-TCP-IP
        </AuthBy>
</Handler>
---------------- trace 4 output (without the ServerChecksPassword option) ----------------

Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 60377 ....
Code:       Access-Request
Identifier: 206
Authentic:  1234567890123456
Attributes:
        User-Name = "anuar@ldap"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"

Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=sql should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Check if Handler Realm=ldap should be used to handle this request
Wed Sep 19 10:28:57 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:28:57 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:28:57 2001: DEBUG: Deleting session for anuar@ldap, 203.63.154.1, 1234
Wed Sep 19 10:28:57 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:28:57 2001: DEBUG: No entries for anuar found in LDAP database
Wed Sep 19 10:28:57 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:28:57 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:28:57 2001: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
Wed Sep 19 10:28:57 2001: INFO: Access rejected for anuar: No such user
Wed Sep 19 10:28:57 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60377 ....
Code:       Access-Reject
Identifier: 206
Authentic:  1234567890123456
Attributes:
        Reply-Message = "No such user"

-------------------- trace 4 output (with the ServerChecksPassword option) ---------------------

Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 60398 ....
Code:       Access-Request
Identifier: 141
Authentic:  1234567890123456
Attributes:
        User-Name = "anuar@ldap"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = "<152><233><<156><157>o<4><246><188>8<9><160><216>}x<153>"

Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=tm.net.my should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=sql should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Check if Handler Realm=ldap should be used to handle this request
Wed Sep 19 10:32:06 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:32:06 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:32:06 2001: DEBUG: Deleting session for anuar@ldap, 203.63.154.1, 1234
Wed Sep 19 10:32:06 2001: DEBUG: Handling with Radius::AuthLDAP2
Wed Sep 19 10:32:06 2001: DEBUG: Connecting to ldaptest, port 389
Wed Sep 19 10:32:06 2001: DEBUG: Attempting to bind with , 
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got result for uid=anuar,ou=People, o=tm.net.my, o=isp
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailhost: tm.net.my
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got maildeliveryoption: mailbox
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mailuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got mail: [EMAIL PROTECTED]
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got objectclass: top person organizationalPerson inetorgperson inetUsere
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got inetuserstatus: active
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got cn: anuar anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got uid: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got datasource: iPlanet Messaging Server 5.0 Admin Console
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got givenname: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got sn: anuar
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got creatorsname: uid=admin,ou=Administrators,ou=TopologyManagement,o=Nt
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifiersname: uid=admin,ou=Administrators,ou=TopologyManagement,o=t
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got createtimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: LDAP got modifytimestamp: 20010813065909Z
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 looks for match with anuar
Wed Sep 19 10:32:06 2001: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Sep 19 10:32:06 2001: DEBUG: Access accepted for anuar
Wed Sep 19 10:32:06 2001: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 60398 ....
Code:       Access-Accept
Identifier: 141
Authentic:  1234567890123456
Attributes:
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP

- Elias -
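In both traces the bind line reads "Attempting to bind with , ", i.e. no AuthDN or AuthPassword is configured, and the first trace then ends in an LDAP search error and a reject. As an added example (not from the original post or from Radiator), here is a small parser that turns trace 4 output into one record per request and flags requests that bound with an empty DN and then failed; the sample lines are copied from the traces above, and the bind regex assumes the logged password contains no comma.

```python
import re

# Constructed sample: trace 4 lines from the post above, one rejected request
# (no ServerChecksPassword) and one accepted request (with it).
SAMPLE_TRACE = """\
Wed Sep 19 10:28:57 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:28:57 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:28:57 2001: DEBUG: Attempting to bind with ,
Wed Sep 19 10:28:57 2001: ERR: ldap search failed with error LDAP_NO_SUCH_OBJECT.
Wed Sep 19 10:28:57 2001: INFO: Access rejected for anuar: No such user
Wed Sep 19 10:32:06 2001: DEBUG: Handling request with Handler 'Realm=ldap'
Wed Sep 19 10:32:06 2001: DEBUG: Rewrote user name to anuar
Wed Sep 19 10:32:06 2001: DEBUG: Attempting to bind with ,
Wed Sep 19 10:32:06 2001: DEBUG: Access accepted for anuar
"""

LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}: (\w+): (.*)$")
# Bind is logged as "<AuthDN>, <AuthPassword>"; a DN may contain commas, so
# split at the last one (assumption: the password itself contains no comma).
BIND_RE = re.compile(r"Attempting to bind with (.*), ?([^,]*)$")

def parse_trace(text):
    """Group trace 4 lines into one record per handled request."""
    requests, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # packet-dump attribute lines and other non-log text
        level, msg = m.groups()
        if msg.startswith("Handling request with Handler"):
            cur = {"handler": msg.split("'")[1], "user": None, "bind_dn": None,
                   "errors": [], "result": None, "reason": None}
            requests.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("Rewrote user name to "):
            cur["user"] = msg[len("Rewrote user name to "):]
        elif BIND_RE.match(msg):
            cur["bind_dn"] = BIND_RE.match(msg).group(1)  # "" means anonymous bind
        elif level == "ERR":
            cur["errors"].append(msg)
        elif msg.startswith("Access accepted for "):
            cur["result"] = "accept"
        elif msg.startswith("Access rejected for "):
            cur["result"], cur["reason"] = "reject", msg.partition(": ")[2]
    return requests

def anonymous_bind_failures(requests):
    # Requests that bound with no AuthDN and then hit an LDAP error or a reject.
    return [r for r in requests
            if r["bind_dn"] == "" and (r["errors"] or r["result"] == "reject")]
```

Feeding a full trace 4 log to parse_trace gives one record per Access-Request, so the bind DN, LDAP errors and reject reason can be compared side by side across requests.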
