(RADIATOR) radiator on nt
I was wondering if there are issues when you run radiator on nt. I mean the fork() call is not implemented on nt and maybe radiator is using it. Are there any complications / considerations (other than the unix-vs-nt issues). - Wilbert === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) AuthByLDAP on NT
Last week I described that I had a problem with Radiator on NT, authenticating against the Microsoft Site Server LDAP server. I had an extra '\0' at the end of any value that was retrieved from the ldap-server. When I wrote a perl script that used perl-ldap, I realized that there had to be something wrong with perl-ldap instead of radiator. The problem was only there when you use perl-ldap on NT, and not on Unix. I discussed this with the author of perl-ldap. When I ran the same script against some other non-Microsoft ldap server, ldap.bigfoot.com, I saw that there was no terminating '\0'. For now, the conclusion is that the ldap server of Microsoft is sending an extra '\0'. They're looking into it. So again, the problem was not Radiator, the most portable radius server 8) - Wilbert
Re: (RADIATOR) RE: LDAP and NT
Mike,

I'm sure I don't have an extra character in the LDAP directory. But I also figured that it isn't Radiator but the LDAP modules themselves. If I print ord(chop($value)) it says 0, and if I print length($value) it is always 1 more than I had in mind. If I run this same script on Unix, I don't see this '\0' and also length is correct. So the problem is in perl-ldap instead. I will mail this to Graham Barr.

- Wilbert

-Original Message-
From: Mike McCauley [EMAIL PROTECTED]
To: Wilbert de Graaf [EMAIL PROTECTED]; [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Monday 2 August 1999 9:33
Subject: (RADIATOR) RE: LDAP and NT

Hi Wilbert,

This is very puzzling to us. We have not seen it before, and we are unsure what the right way to deal with it is.

Can you tell us exactly what whitespace characters are trailing your fields, and how you loaded the data in to the LDAP server? Are you sure that the data in the LDAP server does not have trailing whitespace?

Thanks for reporting this. I hope we will be able to get to the bottom of it soon.

Cheers.

On Jul 30, 9:03am, Wilbert de Graaf wrote:
Subject:

We have Radiator running on both Linux and NT, and authenticate against the Microsoft LDAP server, using the AuthbyLDAP clause. With Radiator on Linux, everything was okay but when we tried it on NT, every authentication request was rejected.

When I looked into the logfile, I noticed there was an extra whitespace at the end of every value. I tried to use AuthbyLDAP2 instead, but the same there. When I changed AuthLDAP.pm on NT a little bit it worked, but this is not a general solution. The code was something like:

    #file AuthLDAP.pm
    sub finduser {
        #...
        if ($ent) {
            #...
            for (...) {
                my @vals = ldap_get_values($self->{ld}, $ent, $ber);
                chop @vals;
            }
        }
    }

The only thing I added was the chop @vals;. This is okay on NT, but wrong on Linux.

- Wilbert

-- End of excerpt from Wilbert de Graaf

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody
No Subject
We have Radiator running on both Linux and NT, and authenticate against the Microsoft LDAP server, using the AuthbyLDAP clause. With Radiator on Linux, everything was okay but when we tried it on NT, every authentication request was rejected.

When I looked into the logfile, I noticed there was an extra whitespace at the end of every value. I tried to use AuthbyLDAP2 instead, but the same there. When I changed AuthLDAP.pm on NT a little bit it worked, but this is not a general solution. The code was something like:

    #file AuthLDAP.pm
    sub finduser {
        #...
        if ($ent) {
            #...
            for (...) {
                my @vals = ldap_get_values($self->{ld}, $ent, $ber);
                chop @vals;
            }
        }
    }

The only thing I added was the chop @vals;. This is okay on NT, but wrong on Linux.

- Wilbert
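The platform dependence of the `chop @vals` workaround in the post above, shown as an added example that is not code from the post, from Radiator or from perl-ldap: values are stripped of trailing NUL bytes only when such bytes are present, so the credential comparison behaves the same on NT and Unix. The helper name `strip_trailing_nul` and the sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of Radiator or perl-ldap): remove trailing
# NUL bytes only where they exist. Returns the cleaned values and how many
# values were altered.
sub strip_trailing_nul {
    my @vals    = @_;
    my $changed = 0;
    for my $v (@vals) {
        next unless defined $v;
        $changed++ if $v =~ s/\0+\z//;
    }
    return (\@vals, $changed);
}

# Constructed sample data modelled on the thread: the same two attribute
# values as seen with and without the extra terminating NUL.
my @expected = ('secret', 'radiusProfile=1');
my %samples  = (
    'NT, values NUL-padded' => [ "secret\0", "radiusProfile=1\0" ],
    'Unix, values clean'    => [ 'secret',   'radiusProfile=1'   ],
);

for my $case (sort keys %samples) {
    my @raw = @{ $samples{$case} };

    # The workaround from the post: drops the last character unconditionally.
    my @chopped = @raw;
    chop @chopped;

    # The conditional strip: a no-op when there is nothing to remove.
    my ($clean, $changed) = strip_trailing_nul(@raw);

    print "$case\n";
    for my $i (0 .. $#raw) {
        printf "  %-16s chop: %-8s strip: %-8s\n", $expected[$i],
            ($chopped[$i] eq $expected[$i] ? 'match' : 'MISMATCH'),
            ($clean->[$i] eq $expected[$i] ? 'match' : 'MISMATCH');
    }
    # A non-zero count is worth logging: the padding is still arriving.
    print "  values altered by strip: $changed\n";
}
```

On the clean input `chop` turns a correct value into a mismatch, which is the "wrong on Linux" case from the post; the conditional strip matches in both cases and its counter shows whether padded values are still being returned.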
Re: (RADIATOR) Disallow EMail Only accounts from logging in using Radiator wAuthByPLATYPUS
Kurt, Hugh,

We had a similar situation. When we fail to get our subscription fee, we don't want our customers to be able to surf the Internet anymore (using our Internet access service), but we do want them to use a guest account, which they can use to dial in but access only a single server, where they can check their status and read (web-based) email. I guess this is a very common problem. If you have a big dial-in network, possibly shared, it's very difficult to manage ip-pools over all POPs. Sander Asberg suggested to tackle this problem like this:

    <Realm>
        <AuthBy FILE>
            Filename %D/guest.txt
            # this file holds the guest account with (ascend) ip-data-filter
        </AuthBy>
    </Realm>

    <Realm DEFAULT>
        # simulate like the NAS added the name-value pair ('radiusProfile', '1')
        PreAuthHook sub { ${$_[0]}->add_attr('radiusProfile', '1'); }
        <AuthBy LDAP>
            Host xxx ... xxx
            CheckAttr radiusCheck
            # The value of this attribute should match radiusProfile=0
        </AuthBy>
    </Realm>

When we fail to get our money, the billing process simply changes the value of radiusCheck into radiusProfile=0 and the user is not able to dial in using this account anymore. He/she can dial in using guest and access the service application.

- Wilbert

-Original Message-
From: Hugh Irvine [EMAIL PROTECTED]
To: Kurt Richter [EMAIL PROTECTED]; [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wednesday 28 July 1999 4:57
Subject: Re: (RADIATOR) Disallow EMail Only accounts from logging in using Radiator wAuthByPLATYPUS

At 6:32 AM 27/7/99, Kurt Richter wrote:
> I've got Radiator authenticating using Platypus. It's a nice system. I've enjoyed learning how to work with it. But before I can put Radiator on my production unit, I'd like to know if anybody else has figured out a slick way to prevent EMail only accounts from authenticating using this Platypus set-up.

I'm not sure how you would like this to work - could you provide more details please?

If you are trying to have two different classes of users in the same Radiator setup, many people set up two IP address pools on their NAS equipment (with corresponding filters) and have the two classes of users allocated from the two pools.

hth

Hugh
(RADIATOR) DDNS support
We would like to offer this service to our subscribers: if they log in, a DNS name 'of choice' is related to their dynamic ip-address (much like www.ddns.org). Did anybody implement support for Dynamic DNS on top of Radiator? I think it shouldn't be too hard to send a DNS update at the time there is an accept and you know the ip-address assigned to a specific account. (First accounting message?) I'm just wondering if somebody has an opinion about this service / implementation. - Wilbert
Re: (RADIATOR) More authentication Attributes
Requiem,

We had / have the same problem. Besides radiator, we also have our own radius server (but we're trying to get rid of it, VPN by VPN). The subscribers have an attribute 'radiusProfile' in their object. Whenever the value equals 1 they should have normal access, 0 no access and for instance 2 some different set of attributes: e.g. a set of ip-filters. We forgot about the 2 for now. Somebody suggested to use the PreAuthHook to add an NV pair: add_attribute(radiusProfile, 1) and add another attribute in the directory, radiusCheck. An object now looks like this:

    dn: cn=user,...
    radiusProfile = 1
    radiusCheck = radiusProfile=1
    ...

The first attribute is still necessary for the other Radius server, and the second to make it work with Radiator. I think it would be a nice feature to be able to check the retrieved attributes in a hook like PostAuthHook, and be able to reject or accept it based on the value (or even better, select a profile at that point.) But anyway, this mechanism does the job perfectly for us.

- Wilbert

-Original Message-
From: Requiem Aurelien (Ext/NTC) [EMAIL PROTECTED]
To: Radiator (E-mail) [EMAIL PROTECTED]
Date: Thursday 8 July 1999 16:26
Subject: (RADIATOR) More authentication Attributes

Hello

How can I add more authentication attributes? Shall I use CheckAttr?

I need to authenticate a user via 3 informations:
1) Name
2) Password
3) Calling-Station-Id

All of my users are in an LDAP server.

Thanks a lot to answer me

Recycle your PC, Get Linux...
Recycle your Windows, Get Kde...
Re: (RADIATOR) Encrypted passwords and CHAP
Tim,

We have the same problem at one ISP. We even have to store different encrypted passwords (e.g. Irix, Solaris, Netscape ...) into an LDAP directory to be able to authenticate all of them using this LDAP server. And for CHAP, we needed to store the plaintext too. Probably the easiest move is to store plaintext in there, if you have them. (It makes sense to store the plaintext password (or you at least have the possibility to decrypt it) in a billing system. Then you can always switch from system A to B.)

- Wilbert

-Original Message-
From: Young, Tim [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wednesday 7 July 1999 21:51
Subject: (RADIATOR) Encrypted passwords and CHAP

Currently we store our passwords in a SQL (mySQL) database and they are stored using UNIX crypt password format.

I now have a need to support CHAP authentication using this existing database.

Does anyone have any ideas on how this might be done?

Thanks in advance,
Tim Young
Compuware Corporation
(RADIATOR) PreAuthHook: add_attr - can't call add_attr() on unblessed reference
I'm trying to add a name-value pair to a request just before authentication occurs. The documentation of radiator has an example:

    <Realm>
        PreAuthHook sub { $_[0]->add_attr('test-attr', 'test-value'); }
        <AuthBy LDAP>
            ...
        </AuthBy>
    </Realm>

Without the PreAuthHook, everything is working fine, but when I run a test with this statement, the logfile says:

    ERR: Error in PreAuthHook(): Can't call method add_attr on unblessed reference at (eval 190) line 1.

I tried to put PreAuthHook on different places, but no luck. I also tried code like

    PreAuthHook sub { my($p); \
        bless($p); \
        $_[0]->add_attr('test-attr', 'test-value'); }

but then the logfile says it cannot reach class through Handler.pm. I tried use Radius::AttrVal on top of Handler.pm but that didn't work either.

Can anyone tell me what it is I'm missing (besides this running) ?

- Wilbert
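The error quoted in the post above, reproduced as an added example that is not part of the original post or of Radiator: it assumes, as the `${$_[0]}` form used in another message in this archive suggests, that the hook's first argument is a reference to the variable holding the request rather than the request object itself. `MockRequest` and `run_hook` are hypothetical stand-ins.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(blessed);

# Stand-in for a request object (hypothetical; not Radiator's own class).
package MockRequest;
sub new      { my $class = shift; return bless { attrs => {} }, $class }
sub add_attr { my ($self, $n, $v) = @_; $self->{attrs}{$n} = $v; return }
sub get_attr { my ($self, $n) = @_; return $self->{attrs}{$n} }

package main;

# Assumption: the hook's first argument is a reference to the variable
# holding the request, so the hook has to dereference it once.
sub run_hook {
    my ($hook, $request) = @_;
    my $ok = eval { $hook->(\$request); 1 };
    (my $err = $@) =~ s/ at .*//s;
    return $ok ? 'ok' : "error: $err";
}

my %hooks = (
    # Form that produced the error in the post.
    'direct' => sub { $_[0]->add_attr('test-attr', 'test-value') },
    # Dereference first, then call the method on the object.
    'deref' => sub { ${ $_[0] }->add_attr('test-attr', 'test-value') },
    # Defensive form: check what was passed before touching it.
    'checked' => sub {
        my $req = ref($_[0]) eq 'REF' ? ${ $_[0] } : $_[0];
        die "hook argument is not an object\n" unless blessed $req;
        $req->add_attr('test-attr', 'test-value');
    },
);

for my $name (qw(direct deref checked)) {
    my $request = MockRequest->new;
    my $result  = run_hook($hooks{$name}, $request);
    my $value   = $request->get_attr('test-attr') // '(not set)';
    printf "%-8s %-55s test-attr=%s\n", $name, $result, $value;
}
```

The `direct` hook fails with Perl's "Can't call method ... on unblessed reference" and leaves the attribute unset, so a check that depends on it would never see the value; the other two forms set it.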