Hello Marijke,
On Jun 8, 1:05pm, Marijke Vandecappelle wrote:
> Subject: Re: question about radiator configuration
> Hi Mike,
>
> Thanks for your help.
>
> I'm afraid I have more questions.
No problem.
>
> ---
>
> I heard there is a patch for the 'authby ldap', because the current code
> does not do the unbind operation which can cause problems with some ldap
> servers. My netscape ldap server seems to be resistant to this, but load
> is increasing and I'm worried it may affect performance.
> Can I get the patch? I'm using Radiator version 2.13.
It's available as a new version of AuthLDAP2.pm at
http://www.open.com.au/radiator/downloads/patches-2.13.1/AuthLDAP2.pm
>
> ---
>
> I saw that Radiator supports authentication with the ACE securId cards.
> We may want to use securId cards for roaming users because Surfnet
> requires us to use 'strong' authentication if we do not check on CLI.
> Can your radius server directly enquire the ACE server and how do I
> configure radiator to do that? Or does it use 'authby radius' to
> forward the radius authentication request to the (Livingstone?) radius
> server that is packaged with the Ace software?
It uses the latter technique: Basically it proxies requests to the ACE radius
server (which is a modified but very limited version of Livingston, I think)
Radiator does however take care to proxy correctly the challenges and responses
that ACE requires to make it work.
>
> ---
>
> I have a question about info level logging. It's not very helpful in my
> configuration:
> I have to check 2 ldap servers for the moment.
>
>
> ...
> AuthByPolicy ContinueWhileReject
>
> Host with.ic.uva.nl
> Port 389
> ...
> NoDefaultIfFound
>
>
> Host blaeu.student.uva.nl
> ...
> NoDefaultIfFound
>
>
>
> If the user is in the first ldap server, but authentication does not
> succeed e.g. wrong CLI, then I only get info logging from the second
> ldap server with the totally useless information.
>
> Tue Jun 8 00:56:32 1999: INFO: Access rejected for mdw0011: No such user
>
> While it would make the life of the support staff a lot easier if I saw
> something like:
>
> Tue Jun 8 00:34:27 1999: INFO: Access rejected for mdw0011: Check item Calling-Station-Id expression '/204164698/' does not match '204164699' in request
>
> Is it configurable to get this information from the first and second
> authbyldap instead of just the second one?
Hmm, I would have expected to see a DEBUG level message for each check item
that failed, but not an INFO level. Of course you get a lot of other stuff at
DEBUG level too.
The code that controls this is in AuthGeneric.pm at about line 221:

    $self->log($main::LOG_DEBUG, "$type $Radius::AuthGeneric::reasons[$checkResult]: $reason");

This line logs a DEBUG message whenever a check item is violated. You may want
to change it to LOG_INFO?
>
> ---
>
> Searching for DEFAULT:
>
> [08/Jun/1999:12:49:47 +0200] conn=557 op=1849 SRCH base="o=Universiteit van Amsterdam,c=Nl" scope=2 filter="(uid=DEFAULT)"
>
> If a user is not found then radiator searches for DEFAULT, that's a lot
> of extra searches that slow down the process.
> Can I get rid of the searching for "DEFAULT" completely?
Not right now.
>
> ---
>
> Performance. In the log I see:
>
> Tue Jun 8 01:48:13 1999: WARNING: Could not find a handler: request
> is ignored
>
> Has that got to do with the fact that ldap connections are done
> synchronously? Does it indicate a performance problem?
No, it means that Radiator could not find a Realm or Handler clause to match
the incoming request. I would have a close look at the request that caused that
(if possible) and see whether or not you need to adjust your configuration.
The most likely cause is an incorrectly typed realm when someone is trying to
log in.
>
> ---
>
> I hope you can help me with these questions.
I hope that helps.
Cheers.
--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd          Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
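The two log symptoms discussed in this mail (check-item rejects that support staff want to see, and "Could not find a handler" warnings that usually mean a mistyped realm) can be triaged from the existing log. The following is an added Python example, not Radiator's own code: it parses the "Day Mon D HH:MM:SS YYYY: LEVEL: message" line shape quoted above and summarises rejects and no-handler warnings over constructed sample lines (the regexes are assumptions based only on the lines quoted in this thread).

```python
import re
from collections import Counter

# Line shape as quoted in the thread, e.g.
# "Tue Jun 8 01:48:13 1999: WARNING: Could not find a handler: request is ignored"
# (assumed from the quoted lines; the day may be padded with extra spaces).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# "Access rejected for <user>: <reason>" as quoted in the thread.
REJECT_RE = re.compile(r"^Access rejected for (?P<user>\S+): (?P<reason>.*)$")
NO_HANDLER = "Could not find a handler"


def parse_line(line):
    """Return a dict with ts/level/msg (plus user/reason for rejects), or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    r = REJECT_RE.match(rec["msg"])
    if r:
        rec.update(r.groupdict())
    return rec


def triage(lines):
    """Count rejects per reason and per user, and no-handler warnings."""
    summary = {"rejects_by_reason": Counter(), "rejected_users": Counter(),
               "no_handler": 0, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1          # not a Radiator log line
        elif rec["level"] == "WARNING" and rec["msg"].startswith(NO_HANDLER):
            summary["no_handler"] += 1        # realm/handler mismatch: check config
        elif "user" in rec:
            summary["rejects_by_reason"][rec["reason"]] += 1
            summary["rejected_users"][rec["user"]] += 1
    return summary


# Constructed sample lines modelled on those quoted in the mail.
SAMPLE = [
    "Tue Jun 8 00:56:32 1999: INFO: Access rejected for mdw0011: No such user",
    "Tue Jun 8 00:34:27 1999: INFO: Access rejected for mdw0011: Check item "
    "Calling-Station-Id expression '/204164698/' does not match '204164699' in request",
    "Tue Jun 8 01:48:13 1999: WARNING: Could not find a handler: request is ignored",
    "not a radiator line",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```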