(RADIATOR) radiator on nt

1999-09-27 Thread Wilbert de Graaf


I was wondering if there are issues when you run radiator on nt. I mean the
fork() call is not implemented on nt and maybe radiator is using it. Are
there any complications / considerations (other than the unix-vs-nt issues).

- Wilbert



===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) AuthByLDAP on NT

1999-08-03 Thread Wilbert de Graaf


Last week I described that I had a problem with Radiator on NT, and
authenticate against the Microsoft Site Server LDAP server. I had an extra
'\0' at the end of any value that was retrieved from the ldap-server.
When I wrote a perl script that used perl-ldap, I realized that there had to
be something wrong with perl-ldap instead of radiator. The problem was only
there when you use perl-ldap on NT, and not on Unix.
I discussed this with the author of perl-ldap. When I ran the same script
against some other non-Microsoft ldap server, ldap.bigfoot.com, I saw that
there was no terminating '\0'.
For now, the conclusion is that the ldap server of Microsoft is sending an
extra '\0'. They're looking into it.

So again, the problem was not Radiator, the most portable radius server 8)

- Wilbert






Re: (RADIATOR) RE: LDAP and NT

1999-08-02 Thread Wilbert de Graaf




Mike,

I'm sure I don't have an extra character in the LDAP directory. But I also
figured that it isn't Radiator but the LDAP modules themselves.

If I print ord(chop($value)) it says 0, and if I print length($value) it is
always 1 more than I had in mind. If I run this same script on Unix, I don't
see this '\0' and also length is correct. So the problem is in perl-ldap
instead. I will mail this to Graham Barr.

- Wilbert


-----Original Message-----
From: Mike McCauley [EMAIL PROTECTED]
To: Wilbert de Graaf [EMAIL PROTECTED]; [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Monday, 2 August 1999 9:33
Subject: (RADIATOR) RE: LDAP and NT

Hi Wilbert,

This is very puzzling to us. We have not seen it before, and we are unsure what
the right way to deal with it.

Can you tell us exactly what whitespace characters are trailing your fields,
and how you loaded the data in to the LDAP server? Are you sure that the data
in the LDAP server does not have trailing whitespace?

Thanks for reporting this. I hope we will be able to get to the bottom of it
soon.

Cheers.

On Jul 30, 9:03am, Wilbert de Graaf wrote:
> Subject:
>
> We have Radiator running on both Linux and NT, and authenticate against the
> Microsoft LDAP server, using the AuthbyLDAP clause. With Radiator on Linux,
> everything was okay but when we tried it on NT, every authentication request
> was rejected.
> When I looked into the logfile, I noticed there was an extra whitespace at
> the end of every value. I tried to use AuthbyLDAP2 instead, but the same there.
> When I changed AuthLDAP.pm on NT a little bit it worked, but this is not a
> general solution. The code was something like:
>
> # file AuthLDAP.pm
>
> sub finduser {
>     #...
>     if ($ent) {
>         #...
>         for (...) {
>             my @vals = ldap_get_values($self->{ld}, $ent, $ber);
>             chop @vals;
>         }
>     }
> }
>
> The only thing I added was the chop @vals;. This is okay on NT, but wrong
> on Linux.
>
> - Wilbert
>
> [ Attachment (text/x-html): .prt3322Cfcbbb 3019 bytes
>   Character set: iso-8859-1
>   Encoded with quoted-printable ]
-- End of excerpt from Wilbert de Graaf

--
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody


No Subject

1999-07-30 Thread Wilbert de Graaf






We have Radiator running on both Linux and NT, and authenticate against the
Microsoft LDAP server, using the AuthbyLDAP clause. With Radiator on Linux,
everything was okay but when we tried it on NT, every authentication request
was rejected.
When I looked into the logfile, I noticed there was an extra whitespace at the
end of every value. I tried to use AuthbyLDAP2 instead, but the same there.
When I changed AuthLDAP.pm on NT a little bit it worked, but this is not a
general solution. The code was something like:

# file AuthLDAP.pm

sub finduser {
    #...
    if ($ent) {
        #...
        for (...) {
            my @vals = ldap_get_values($self->{ld}, $ent, $ber);
            chop @vals;
        }
    }
}

The only thing I added was the chop @vals;. This is okay on NT, but wrong on
Linux.

- Wilbert
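
An added example, not part of the original post and not Radiator or perl-ldap code: the unconditional chop from the post is compared with a strip that removes a character only when it is a trailing NUL, so the same code gives correct values for both the NT and the Unix results described in this thread. The sample values and the function names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values (not taken from a real directory): what the
# thread describes for NT (one trailing "\0") and for Unix (clean values).
my %results = (
    NT   => [ "secret\0", "radiusProfile=1\0" ],
    Unix => [ "secret",   "radiusProfile=1"   ],
);

# The workaround from the post: chop removes the last character of every
# value, whatever that character is.
sub chop_all {
    my @vals = @_;
    chop @vals;
    return @vals;
}

# Hypothetical portable variant: remove one NUL, and only if it is the
# final character; any other value is returned unchanged.
sub strip_trailing_nul {
    my @vals = @_;
    s/\0\z// for @vals;
    return @vals;
}

# Escape non-printable characters so a trailing NUL is visible in output.
sub show {
    my ($v) = @_;
    (my $s = $v) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return sprintf '"%s" (length %d)', $s, length $v;
}

for my $platform (sort keys %results) {
    my @raw = @{ $results{$platform} };
    print "$platform raw:      ", join(', ', map { show($_) } @raw), "\n";
    print "$platform chop:     ", join(', ', map { show($_) } chop_all(@raw)), "\n";
    print "$platform stripped: ", join(', ', map { show($_) } strip_trailing_nul(@raw)), "\n";
}
```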


Re: (RADIATOR) Disallow EMail Only accounts from logging in using Radiator wAuthByPLATYPUS

1999-07-28 Thread Wilbert de Graaf




Kurt, Hugh,

We had a similar situation. When we fail to get our subscription fee, we don't
want our customers be able to surf the Internet anymore (using our Internet
access service), but we do want them to use a guest account, they can use to
dial-in but access only a single server, where they can check their status and
read (web-based) email. I guess this is a very common problem.
If you have a big dial-in network, possibly shared, it's very difficult to
manage ip-pools over all POPs. Sander Asberg suggested to tackle this problem
like this:

<Realm>
    <AuthBy FILE>
        Filename %D/guest.txt    # this file holds the guest account with (ascend) ip-data-filter
    </AuthBy>
</Realm>
<Realm DEFAULT>
    # simulate like the NAS added the name-value pair ('radiusProfile', '1')
    PreAuthHook sub { ${$_[0]}->add_attr('radiusProfile', '1'); }
    <AuthBy LDAP>
        Host xxx
        ... xxx
        CheckAttr radiusCheck    # The value of this attribute should match radiusProfile=0
    </AuthBy>
</Realm>

When we fail to get our money, the billing process simply changes the value of
radiusCheck into radiusProfile=0 and the user is not able to dialin using this
account anymore. He/she can dialin using guest and access the service
application.

- Wilbert


-----Original Message-----
From: Hugh Irvine [EMAIL PROTECTED]
To: Kurt Richter [EMAIL PROTECTED]; [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wednesday, 28 July 1999 4:57
Subject: Re: (RADIATOR) Disallow EMail Only accounts from logging in using Radiator wAuthByPLATYPUS

At 6:32 AM 27/7/99, Kurt Richter wrote:
> I've got Radiator authenticating using Platypus. It's a nice system. I've
> enjoyed learning how to work with it. But before I can put Radiator on my
> production unit, I'd like to know if anybody else has figured out a slick
> way to prevent EMail only accounts from authenticating using this Platypus
> set-up.

I'm not sure how you would like this to work - could you provide more
details please?

If you are trying to have two different classes of users in the same
Radiator setup, many people set up two IP address pools on their NAS
equipment (with corresponding filters) and have the two classes of users
allocated from the two pools.

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody


(RADIATOR) DDNS support

1999-07-13 Thread Wilbert de Graaf




We would like to offer this service to our subscribers: if they login, a DNS
name 'of choice' is related to their dynamic ip-address (much like
www.ddns.org).

Did anybody implement support for Dynamic DNS on top of Radiator? I think it
shouldn't be too hard to send a DNS update at the time there is an accept and
you know the ip-address assigned to a specific account. (First accounting
message?)

I'm just wondering if somebody has an opinion about this service /
implementation.

- Wilbert


Re: (RADIATOR) More authentication Attributes

1999-07-09 Thread Wilbert de Graaf




Requiem,

We had / have the same problem. Besides radiator, we also have our own radius
server (but we're trying to get rid of it, VPN by VPN). The subscribers have an
attribute 'radiusProfile' in their object. Whenever the value equals 1 they
should have normal access, 0 no access and for instance 2 some different set of
attributes: eg. a set of ip-filters.

We forgot about the 2 for now. Somebody suggested to use the PreAuthHook to add
an NV pair: add_attribute(radiusProfile, 1) and add another attribute in the
directory, radiusCheck. An object now looks like this:

dn: cn=user,...
    radiusProfile = 1
    radiusCheck = radiusProfile=1
    ...

The first attribute is still necessary for the other Radius server, and the
second to make it work with Radiator. I think it would be a nice feature to be
able to check the retrieved attributes in a hook like PostAuthHook, and be able
to reject or accept it based on the value (or even better, select a profile at
that point.)

But anyway, this mechanism does the job perfectly for us.

- Wilbert


-----Original Message-----
From: Requiem Aurelien (Ext/NTC) [EMAIL PROTECTED]
To: Radiator (E-mail) [EMAIL PROTECTED]
Date: Thursday, 8 July 1999 16:26
Subject: (RADIATOR) More authentication Attributes

Hello

How can I add more authentication attributes
shall I use CheckAttr ?

I need to authenticate a user via 3 informations
1) Name
2) Password
3) Calling-Station-Id

All of my user are into a ldap server

Thanks a lot to answer me

Recycle your PC, Get Linux...
Recycle your Windows, Get Kde...


Re: (RADIATOR) Encrypted passwords and CHAP

1999-07-08 Thread Wilbert de Graaf




Tim,

We have the same problem at one ISP. We even have to store different encrypted
passwords (eg. Irix, Solaris, Netscape ...) into an LDAP directory to be able
to authenticate all of them using this LDAP server. And for chap, we needed to
store the plaintext too.

Probably the easiest move is to store plaintext in there, if you have them. (It
makes sense to store the plaintext password (or you at least have the
possibility to decrypt it) in a billing system. Then you can always switch from
system A to B.)

- Wilbert


-----Original Message-----
From: Young, Tim [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wednesday, 7 July 1999 21:51
Subject: (RADIATOR) Encrypted passwords and CHAP

Currently we store our passwords in a SQL (mySQL) database and they are
stored using UNIX crypt password format.

I now have a need to support CHAP authentication using this existing
database.

Does anyone have any ideas on how this might be done?

Thanks in advance,

Tim Young
Compuware Corporation
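
An added example, not part of the original thread and not Radiator code: a CHAP response is MD5 over the identifier, the password and the challenge (RFC 1994), so the server must recompute it from the plaintext, which is why the crypt-format passwords in the question cannot verify CHAP while they can verify PAP. The password, salt, identifier and challenge are constructed sample values, the function names are illustrative, and the platform's crypt() is assumed to support traditional two-character salts.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5);

# RFC 1994: Response = MD5(Identifier . secret . Challenge)
sub chap_response {
    my ($id, $secret, $challenge) = @_;
    return md5(chr($id) . $secret . $challenge);
}

# RADIUS CHAP-Password carries the identifier octet followed by the
# 16-octet response. $stored is whatever the user database holds.
sub chap_check {
    my ($chap_password, $challenge, $stored) = @_;
    return 0 unless length($chap_password) == 17;
    my $id       = ord substr($chap_password, 0, 1);
    my $response = substr($chap_password, 1);
    return $response eq chap_response($id, $stored, $challenge) ? 1 : 0;
}

# Constructed sample data.
my $password  = 'example-pass';
my $id        = 7;
my $challenge = pack 'H*', '00112233445566778899aabbccddeeff';

# What the dial-in client sends: it hashes the password the user typed.
my $chap_password = chr($id) . chap_response($id, $password, $challenge);

# Two ways the same account could be stored.
my $stored_plain = $password;
my $stored_crypt = crypt($password, 'ab');   # UNIX crypt format, salt "ab"

printf "CHAP, stored plaintext:  %s\n",
    chap_check($chap_password, $challenge, $stored_plain) ? 'accept' : 'reject';
printf "CHAP, stored crypt hash: %s\n",
    chap_check($chap_password, $challenge, $stored_crypt) ? 'accept' : 'reject';

# PAP is the opposite case: the server receives the typed password and can
# run it through crypt with the stored salt, so the hash alone is enough.
my $pap_password = $password;
printf "PAP,  stored crypt hash: %s\n",
    crypt($pap_password, $stored_crypt) eq $stored_crypt ? 'accept' : 'reject';
```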


(RADIATOR) PreAuthHook: add_attr - can't call add_attr() on unblessed reference

1999-07-06 Thread Wilbert de Graaf





I'm trying to add a name-value pair to a request just before authentication
occurs. The documentation of radiator has an example:

<Realm>
    PreAuthHook sub { $_[0]->add_attr('test-attr', 'test-value'); }
    <AuthBy LDAP>
        ...
    </AuthBy>
</Realm>

Without the PreAuthHook, everything is working fine, but when I run a test with
this statement, the logfile says:

ERR: Error in PreAuthHook(): Can't call method add_attr on unblessed reference at (eval 190) line 1.

I tried to put PreAuthHook on different places, but no luck. I also tried code
like

    PreAuthHook sub { my($p); \
        bless($p); \
        $_[0]->add_attr('test-attr', 'test-value'); }

but then the logfile says it cannot reach class through Handler.pm. I tried
use Radius::AttrVal on top of Handler.pm but that didn't work either.

Can anyone tell me what it is I'm missing (besides this running) ?

- Wilbert
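
An added example, not part of the original post and not Radiator code: the hook in the 1999-07-28 post on this page calls ${$_[0]}->add_attr(...), that is, it treats $_[0] as a reference to the request object and dereferences it before the method call. The class Toy::Request and the function run_hook below are hypothetical stand-ins, written on that assumption, that reproduce the "unblessed reference" error for the direct call and show the dereferenced form succeeding.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a request object with an attribute list.
package Toy::Request;
sub new       { return bless { attrs => [] }, shift }
sub add_attr  { my ($self, $n, $v) = @_; push @{ $self->{attrs} }, [ $n, $v ]; return }
sub as_string { return join ', ', map { "$_->[0]=$_->[1]" } @{ $_[0]{attrs} } }

package main;

# Assumption for this example: the hook is handed a reference to the
# variable holding the request (\$p), not the request object itself.
sub run_hook {
    my ($hook) = @_;
    my $p   = Toy::Request->new;
    my $ok  = eval { $hook->(\$p); 1 };
    my $err = $@;
    chomp $err;
    return $ok ? 'ok: ' . $p->as_string : "error: $err";
}

# Form from the post: method call on the outer, unblessed reference.
my $direct = sub { $_[0]->add_attr('test-attr', 'test-value'); };

# Form from the 1999-07-28 post: dereference first, then call the method.
my $deref = sub { ${ $_[0] }->add_attr('test-attr', 'test-value'); };

# Declaring a new $p inside the hook and blessing it, as tried in the
# post, leaves the hook's argument untouched, so the direct call on
# $_[0] would still be made on the same unblessed outer reference.
print "direct: ", run_hook($direct), "\n";
print "deref:  ", run_hook($deref),  "\n";
```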