Re: [RADIATOR] LDAP forwarding to two Active Directory Servers

2014-05-07 Thread Heikki Vatiainen
On 05/07/2014 07:46 PM, CLAdirect - Sergei Kortscheff wrote:

> A hotspot service uses forms authentication to validate users against an
> Active Directory server, using LDAP port 389, so far so good.
> 
> The problem begins when we require to authenticate against two active
> directory servers on two separate domains, since the WiFi solution only
> allows to associate one single server to authenticate maybe I could use
> radiator as a proxy to relay all LDAP data to both Active Directory servers.
> 
> Can something like this be done? 

Maybe something like this would work:

<AuthBy GROUP>
    AuthByPolicy ContinueUntilAccept

    <AuthBy LDAP2>
        # Settings for AD 1
    </AuthBy>

    <AuthBy LDAP2>
        # Settings for AD 2
    </AuthBy>
</AuthBy>


The above would try AD 1 first and if it does not accept the attempt
(password is wrong, the AD itself is unreachable, anything else), then
AD 2 would be tried.

Note: this works for plain password based authentication (PAP) where no
Access-Challenges are needed.

There are other possible AuthByPolicies too. Please see the reference
manual for the details.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
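An added illustration, not part of Heikki's reply and not Radiator code: the Python model below runs the two-directory group above under ContinueUntilAccept and, for comparison, ContinueWhileIgnore, and counts how many bind attempts each directory sees. The Directory class, the user names and the passwords are constructed for the example; the policy names are Radiator's, but the way each policy is modelled (go on after REJECT, go on after IGNORE only, and so on) is my reading of the reference manual, not something the thread states.

```python
"""Model of an AuthBy GROUP with two LDAP2 backends (constructed example).

Each backend answers ACCEPT, REJECT or IGNORE, the three results a Radiator
AuthBy can return; the AuthByPolicy decides whether the next backend is
consulted.  The policy table is an assumption about the manual's semantics,
written for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Whether to go on to the next AuthBy after a given result (assumed semantics).
POLICIES = {
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueWhileIgnore": lambda r: r == IGNORE,
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueAlways":      lambda r: True,
}


@dataclass
class Directory:
    """Stand-in for one <AuthBy LDAP2> pointed at one AD domain."""
    name: str
    users: Dict[str, str]                    # constructed username -> password
    reachable: bool = True
    binds: List[str] = field(default_factory=list)   # usernames we tried to bind

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return IGNORE                    # "User database access error"
        self.binds.append(user)              # a failed bind here counts towards lockout
        if user not in self.users:
            return REJECT
        return ACCEPT if self.users[user] == password else REJECT


def auth_group(policy: str, directories: List[Directory],
               user: str, password: str) -> str:
    """Run the group; the result is that of the last backend consulted."""
    keep_going = POLICIES[policy]
    result = IGNORE                          # what an empty group would yield
    for d in directories:
        result = d.authenticate(user, password)
        if not keep_going(result):
            break
    return result


def scenario(policy: str, user: str, password: str,
             ad1_up: bool = True) -> Tuple[str, int, int]:
    """Fresh two-domain setup per call: (result, binds on AD1, binds on AD2)."""
    ad1 = Directory("AD1", {"alice": "alice-pw"}, reachable=ad1_up)
    # alice also exists in AD2 with a different password (constructed)
    ad2 = Directory("AD2", {"bob": "bob-pw", "alice": "other-pw"})
    result = auth_group(policy, [ad1, ad2], user, password)
    return result, len(ad1.binds), len(ad2.binds)


if __name__ == "__main__":
    for args in [("ContinueUntilAccept", "alice", "alice-pw"),
                 ("ContinueUntilAccept", "alice", "wrong"),
                 ("ContinueUntilAccept", "bob", "bob-pw"),
                 ("ContinueWhileIgnore", "bob", "bob-pw"),
                 ("ContinueUntilAccept", "alice", "alice-pw", False)]:
        print(args, "->", scenario(*args))
```

Two outcomes are worth noticing. With ContinueUntilAccept a wrong password for alice is tried against AD2 as well, so a user who exists in both domains collects a failed-logon count in each; and when AD1 is down, alice's correct password comes back as a REJECT from AD2 rather than a visible IGNORE, so an outage looks like a bad password in the logs. ContinueWhileIgnore avoids both effects but never reaches AD2 for users that only exist there, which is the case Heikki's suggestion is meant to cover.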


Re: [RADIATOR] LDAP shadowExpire

2014-02-04 Thread Robert Fisher
You could accomplish this in a PostSearchHook.   The documentation
includes an example for adding a reply item based off a multiplied value,
so guessing something like:

PostSearchHook sub {
    # $_[3] is the Radius::User being built, $_[4] the Net::LDAP::Entry
    my $shadowExpire = $_[4]->get_value('shadowExpire');
    # days since 1970-01-01 -> seconds; skip absent/negative (= no expiry)
    $_[3]->get_check->add_attr('Expiration', $shadowExpire * 86400)
        if defined $shadowExpire && $shadowExpire > 0;
}

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 2/4/2014 10:11 AM, Fabio Prina wrote:
> Hi All,
>
> I'm using posixAccount/shadowAccount users in a LDAP and I would like to use 
> the shadowExpire attribute to check the Expiration ... but the value is 
> expressed days since the 01/01/1970 and not seconds
>
> Maybe is a stupid question but is there a way to use this attribute? Like 
> multiply by 86400 before the check
>
> Thanks
> --
> Fabio
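An added Python example, not from the post above and not a Radiator hook: it shows the days-to-seconds conversion the PostSearchHook performs and the shadowExpire values that need special handling before they are turned into an Expiration check. The semantics (days since 1970-01-01; an empty or non-positive value means no expiry is enforced; login is refused from the expiry day on) are those of shadow(5); the sample values are constructed.

```python
"""shadowExpire handling for an Expiration check (constructed example).

Not Radiator code and not the hook from the post above.  Semantics follow
shadow(5): shadowExpire counts days since 1970-01-01, the account is refused
from that day on, and an empty or non-positive value means no expiry is
enforced.
"""
from typing import Optional

SECONDS_PER_DAY = 86400


def expiration_epoch(shadow_expire: Optional[str]) -> Optional[int]:
    """Return the expiry as seconds since the epoch, or None if not enforced.

    Returning None for absent, empty or non-positive values matters: a bare
    "days * 86400" turns a missing attribute into 0 and -1 into a negative
    number, both of which read as "expired in 1970" and lock the user out.
    """
    if shadow_expire is None:
        return None
    text = shadow_expire.strip()
    if not text:
        return None
    try:
        days = int(text)
    except ValueError:
        raise ValueError("shadowExpire is not an integer: %r" % shadow_expire)
    if days <= 0:                      # shadow(5): no enforcement
        return None
    return days * SECONDS_PER_DAY


def account_expired(shadow_expire: Optional[str], now_epoch: int) -> bool:
    """True if login must be refused at now_epoch (shadow compares whole days)."""
    expiry = expiration_epoch(shadow_expire)
    if expiry is None:
        return False
    return now_epoch // SECONDS_PER_DAY >= expiry // SECONDS_PER_DAY


if __name__ == "__main__":
    for value in ["19000", "", "-1", "0", None]:      # constructed inputs
        print(repr(value), "->", expiration_epoch(value))
    print("expired at 19000 days:", account_expired("19000", 19000 * SECONDS_PER_DAY))
```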


Re: [RADIATOR] LDAP, crypt, hook

2011-05-16 Thread Heikki Vatiainen
On 05/16/2011 11:14 AM, [email protected] wrote:

Hello Roman,

> We use Radiator for authentication WPA2 wireless via LDAP.
> 
> Users passwords are stored inside LDAP in CRYPT form and we have a
> possibility to receive the same CRYPTed string from a clear-text
> password by executing
> 
> crypt  
> 
> in perl script.

See the reference manual for version 4.8 (ref.pdf), AuthBy LDAP2,
sections "5.37.11 PasswordAttr" and "5.37.12 EncryptedPasswordAttr".
If your crypt passwords do not start with {crypt} you can use something
like this:

TranslatePasswordHook sub { return "{crypt}$_[0]"; }

See also goodies/ldap.cfg for an LDAP authentication configuration example.

> I.e. first according to User-Name in NAS-request we need to receive an
> answer from LDAP, then execute script and then we need to compare the
> resulting crypted string with  and only after
> all this send a reply to NAS.
> 
> But we don't know how can it be done in Radiator conf-file, what hook we
> need to use to achieve the result.

Radiator should be able to do what you require when you configure AuthBy
LDAP2 and configure an appropriate PasswordAttr or EncryptedPasswordAttr.

See also ref.pdf sections "13.1.1 User-Password, Password" and "13.1.2
Encrypted-Password" for more about how Radiator interprets various
password formats.


-- 
Heikki Vatiainen 



Re: [RADIATOR] ldap + starttls fails

2011-02-07 Thread Heikki Vatiainen
On 02/06/2011 09:20 PM, James wrote:

> I'm having some issues getting Radiator to bounce off of an LDAP
> server with STARTTLS. Note that authentication works fine if I disable
> both SSL and STARTTLS against my OpenDS LDAP server.

The config below does a client-authenticated TLS handshake. That is, both
the client and server exchange certificates. If you only want to verify
the server certificate, remove SSLCAClientKey and SSLCAClientCert from
your config.

A common configuration is for the client to verify server certificate
against CA certificate in SSLCAFile and then authenticate to the LDAP
server with AuthDN and AuthPassword.

Please note that the SSLCA* settings are only for bringing up the TLS/SSL
connection. They have nothing to do with authenticating Radiator to the
LDAP server.

> Here's the snippet of configuration used for :
> 
> <AuthBy LDAP2>
>     Identifier      ldapAuth
>     Host            server.example.com
>     BaseDN          
>     UsernameAttr    uid
>     HoldServerConnection
>     UseTLS
>     SSLCAClientCert certificates/client.cert.pem
>     SSLCAClientKey  certificates/client.key.pem

Remove these two lines above, unless you really want to do
client-authenticated TLS handshake.

>     SSLCAFile       certificates/ca.cert.pem
>     Version         3
> </AuthBy>
> 
> The client certificates (client.cert.pem and client.key.pem) were
> generated by a CA I run, and the ca.cert.pem is actually a
> self-signed certificate that I obtained by doing an "openssl s_client
> -connect server.example.com:636". (the STARTTLS and SSL certificates
> are identical on the LDAP server)
> 
> When I enable UseTLS connectivity fails with the following error messages:
> 
> 
> Sun Feb  6 10:14:17 2011: DEBUG: Handling with Radius::AuthLDAP2: ldapAuth
> Sun Feb  6 10:14:17 2011: INFO: Connecting to server.example.com:389
> Sun Feb  6 10:14:17 2011: ERR: StartTLS failed: SSL connect attempt
> failed because of handshake
> problemserror::lib(0):func(0):reason(0)
> Sun Feb  6 10:14:17 2011: ERR: Could not open LDAP connection to
> server.example.com:389. Backing off for 600 seconds.
> Sun Feb  6 10:14:17 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User
> database access error
> 
> 
> I did a bit of digging -- seems it's possible to disable certificate
> checking in Net::LDAP (although clearly not recommended). I modified
> the Ldap.pm file and changed the SSLVerify var from required to none;
> the exact same error still occurs. This doesn't make sense to me. The
> error should likely disappear if I've set "verify" to "none," no?
> 
> My goal is ultimately to change SSLCAFile to the self-signed
> certificate (gleaned from an "openssl s_client -connect"). Any
> thoughts on how to go about fixing this?
> 
> Thanks!


-- 
Heikki Vatiainen 



Re: [RADIATOR] LDAP authentication, IBM Lotus Domino

2010-11-09 Thread Pekka . Panula
Hi

Thanks for the help, I have here a working config for basic username/password
checking from IBM Lotus Domino's LDAP.
I had a problem with the default entry, because I don't have one, so Radiator
did thousands of queries to LDAP, but the NoDefault parameter helped there.

For reference, here is my config (parts of it):

<AuthBy LDAP2>
    NoDefault
    Identifier      DominoLDAP
    Host            1.2.3.4

    # You need AuthDN with Domino because anonymous cant get all LDAP
    # attributes without authentication. Make a person doc in names.nsf
    AuthDN          CN=ldaplogin,O=Sofor
    AuthPassword    password

    # Depends on your Domino config, we have /Sofor, so:
    BaseDN          O=Sofor

    # The SearchFilter parameter controls which records will
    # be searched for matching users. %0 is replaced by
    # UsernameAttr and %1 by the user name to be found
    # SearchFilter (%0=%1)
    # This works with Domino, maybe also cn=%U could work (needs testing)
    SearchFilter    (uid=%U)

    # This is the LDAP attribute to match the radius user name
    # (used as %0 in SearchFilter)
    # not used atm, own SearchFilter (see up)
    UsernameAttr    cn
    #UsernameAttr   uid

    # User password is encrypted with dominos own algorithm, u need this:
    ServerChecksPassword

    # AFAIK this works with Domino's LDAP task
    HoldServerConnection

    Version         3
</AuthBy>

    # Strip realm from username
    RewriteUsername s/^([^@]+).*/$1/
    # do the auth
    AuthBy          DominoLDAP



Terveisin/Regards,
   Pekka Panula, Sofor Oy - Jatkuvat palvelut


Re: [RADIATOR] LDAP authentication, IBM Lotus Domino

2010-11-08 Thread Heikki Vatiainen
On 11/08/2010 01:46 PM, Martin Burton wrote:
> Hi Pekka,
> 
> We normally do something along the lines of:

I'll add one more thing. We have successfully used HoldServerConnection
flag with AuthBy LDAP2, so Pekka, you may want to see if it works with
your LDAP server too. Please see section 5.36.17 in Radiator 4.7
reference manual for more.

In short, this keeps the TCP connection to the LDAP server open, but not all
LDAP servers work correctly if the same connection is used for multiple
searches. If it works, it should be good for performance. If it seems
not to work, just remove HoldServerConnection from the configuration.

We used it with Novell's eDirectory and LDAPS (SSL) connection with good
results. The manual has no mention for IBM, so this might be interesting
once initial evaluation has been done and further tuning is done.

> # Split the LDAP auth into its own clause since it's used in
> # many different realms
> <AuthBy LDAP2>
>     Identifier      SangerLDAP
>     Host            xx.sanger.ac.uk
>     BaseDN          ou=x,dc=sanger,dc=ac,dc=uk
>     UsernameAttr    uid
>     PasswordAttr    userPassword
>     # Ask the LDAP server to attempt to bind as the user,
>     # saves having to maintain auth credentials within this
>     # config file.
>     ServerChecksPassword
> </AuthBy>
> 
> # Handle logins to cisco switches.
> # The switch details are held in the RADCLIENTLIST
> # MYSQL table with a default realm set in there.
> 
>     # Strip realm from username
>     RewriteUsername s/^([^@]+).*/$1/
>     AuthBy          SangerLDAP
> 
> ...
> 
>     ...
>     AuthBy          SangerLDAP
>     ...
> 
> ...
> 
> Hope that helps.
> 
> Regards,
> 
> Martin.
> 
> 
> On 08/11/10 10:53, [email protected] wrote:
>> Hi
>>
>> I am new to Radiator and we are currently evaluating it. I am trying to use 
>> LDAP2 auth from IBM Lotus Domino LDAP-server (without success yet).
>>
>> I am wondering how can i strip realm from username or how to set username, 
>> i have a working freeradius conf here:
>>
>>  ldap {
>> server = "1.2.3.4"
>> port = "399"
>> basedn = "o=Sparknet"
>> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>> base_filter = "(objectclass=person)"
>> ... 
>>  }
>>
>> How is that converted to Radiator?
>>
>> Terveisin/Regards,
>>Pekka Panula, Sofor Oy - Jatkuvat palvelut
>>
>>
>>
>>


-- 
Heikki Vatiainen, Arch Red Oy
+358 44 087 6547


Re: [RADIATOR] LDAP authentication, IBM Lotus Domino

2010-11-08 Thread Martin Burton
Hi Pekka,

We normally do something along the lines of:

...

# Split the LDAP auth into its own clause since it's used in
# many different realms
<AuthBy LDAP2>
    Identifier      SangerLDAP
    Host            xx.sanger.ac.uk
    BaseDN          ou=x,dc=sanger,dc=ac,dc=uk
    UsernameAttr    uid
    PasswordAttr    userPassword
    # Ask the LDAP server to attempt to bind as the user,
    # saves having to maintain auth credentials within this
    # config file.
    ServerChecksPassword
</AuthBy>

# Handle logins to cisco switches.
# The switch details are held in the RADCLIENTLIST
# MYSQL table with a default realm set in there.

    # Strip realm from username
    RewriteUsername s/^([^@]+).*/$1/
    AuthBy          SangerLDAP

...

    ...
    AuthBy          SangerLDAP
    ...

...

Hope that helps.

Regards,

Martin.


On 08/11/10 10:53, [email protected] wrote:
> Hi
> 
> I am new to Radiator and we are currently evaluating it. I am trying to use 
> LDAP2 auth from IBM Lotus Domino LDAP-server (without success yet).
> 
> I am wondering how can i strip realm from username or how to set username, 
> i have a working freeradius conf here:
> 
>  ldap {
> server = "1.2.3.4"
> port = "399"
> basedn = "o=Sparknet"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> base_filter = "(objectclass=person)"
> ... 
>  }
> 
> How is that converted to Radiator?
> 
> Terveisin/Regards,
>Pekka Panula, Sofor Oy - Jatkuvat palvelut
> 
> 
> 
> 

-- 
Martin Burton
Senior Systems Administrator   \\\|||///
Special Projects Team \\  ^ ^  //
Wellcome Trust Sanger Institute(  6 6  )
-oOOo-(_)-oOOo---
  http://www.sanger.ac.uk




Re: (RADIATOR) LDAP and PEAP

2003-12-19 Thread Hugh Irvine
Hello Berndt -

You cannot put a Realm clause inside a Handler.

It should look like this:



  RewriteUsername s/^(.*)\\(.*)/$2/

server
        Host            10.2.4.21
        AuthDN          cn=admin, dc=tgm, dc=ac, dc=at
        AuthPassword    password
        BaseDN          dc=tgm, dc=ac, dc=at
        UsernameAttr    cn
        PasswordAttr    ntPassword
        Debug           255
        EAPType         MSCHAP-V2



There has been quite a bit of discussion on the mailing list, so you  
should check the archive:

	www.open.com.au/archives/radiator

regards

Hugh

On 20/12/2003, at 5:59 AM, Sevcik Berndt wrote:

I am really new to radiator and have problems understanding the
configuration files. I tried the ldap.cfg config and it worked (with
fred/fred). I tried the eap_peap.cfg and it worked too (mikem/fred). Then I
tried to connect the two and now the problems start. Can someone help me
to build my first configuration from which I can then go further on.

Here is my not working config (PEAP with MS-CHAPv2 and LDAP):

Foreground
LogStdout
LogDir  .
DbDir   .
Trace   4


Secret  xxx
DupInterval 0



  RewriteUsername s/^(.*)\\(.*)/$2/

  
server
        Host            10.2.4.21
        AuthDN          cn=admin, dc=tgm, dc=ac, dc=at
        AuthPassword    password
        BaseDN          dc=tgm, dc=ac, dc=at
        UsernameAttr    cn
        PasswordAttr    ntPassword
        Debug           255
        EAPType         MSCHAP-V2

  



Filename %D/users
EAPType PEAP
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 4


The output:

Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
*** Received from 10.2.12.101 port 1112 
Code:   Access-Request
Identifier: 152
Authentic:  <238>C<0><0>k<26><0><0>K@<0><0>F><0><0>
Attributes:
Message-Authenticator =
[<239><212><138>Ebm!m<199>:<167><10><233><153><25>
User-Name = "ACER-SEVCIK\sevcikb"
NAS-IP-Address = 10.2.12.101
NAS-Port = 2
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "00-04-23-77-4b-a3"
EAP-Message = <2><2><0><24><1>ACER-SEVCIK\sevcikb
Framed-MTU = 1000
Fri Dec 19 20:49:23 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Fri Dec 19 20:49:23 2003: DEBUG:  Deleting session for
ACER-SEVCIK\sevcikb, 10.2.12.101, 2
Fri Dec 19 20:49:23 2003: DEBUG: Handling with Radius::AuthLDAP2:
Fri Dec 19 20:49:23 2003: DEBUG: Handling with EAP: code 2, 2, 24
Fri Dec 19 20:49:23 2003: DEBUG: Response type 1
Fri Dec 19 20:49:23 2003: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Fri Dec 19 20:49:23 2003: DEBUG: Access challenged for
ACER-SEVCIK\sevcikb: EAP MSCHAP-V2 Challenge
Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
*** Sending to 10.2.12.101 port 1112 
Code:   Access-Challenge
Identifier: 152
Authentic:  <238>C<0><0>k<26><0><0>K@<0><0>F><0><0>
Attributes:
EAP-Message =
<1><3><0>#<26><1><3><0><30><16><202>; 
+YY<227><233>KJ<136>[<172><159><197><147><130>ITS-Test1
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
*** Received from 10.2.12.101 port 1112 
Code:   Access-Request
Identifier: 153
Authentic:  <190>(<0><0><213><18><0><0>><18><0><0><153>r<0><0>
Attributes:
Message-Authenticator =
2avy<165>Y<232><175>Y9<195><144><180>Hk<161>
User-Name = "ACER-SEVCIK\sevcikb"
State = ""
NAS-IP-Address = 10.2.12.101
NAS-Port = 2
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "00-04-23-77-4b-a3"
Framed-MTU = 1000
EAP-Message = <2><3><0><6><3><25>
Fri Dec 19 20:49:23 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Fri Dec 19 20:49:23 2003: DEBUG:  Deleting session for
ACER-SEVCIK\sevcikb, 10.2.12.101, 2
Fri Dec 19 20:49:23 2003: DEBUG: Handling with Radius::AuthLDAP2:
Fri Dec 19 20:49:23 2003: DEBUG: Handling with EAP: code 2, 3, 6
Fri Dec 19 20:49:23 2003: DEBUG: Response type 3
Fri Dec 19 20:49:23 2003: INFO: EAP Nak desires type 25
Fri Dec 19 20:49:23 2003: DEBUG: EAP result: 1, Desired EAP type 25 not
permitted
Fri Dec 19 20:49:23 2003: INFO: Access rejected for  
ACER-SEVCIK\sevcikb:
Desired EAP type 25 not permitted
Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
*** Sending to 10.2.12.101 port 1112 
Code:   Access-Reject
Identifier: 153
Authentic:  <190>(<0><0><213><18><0><0>><18><0><0><153>r<0><0>
Attributes:
Reply-Message = "Request

Re: (RADIATOR) Ldap Issues

2003-12-07 Thread Hugh Irvine
Hello José -

Have you tried using "Fork" in the AuthBy clause? Why do you say it 
doesn't work?

I myself am not sure whether "Fork" will work or not, but you can do 
some testing to find out.

Alternatively you can use multiple instances of Radiator (possibly on 
multiple hosts) with a load balancer in front. You may find the AuthBy 
ROUNDROBIN/VOLUMEBALANCE/LOADBALANCE clauses useful for this. See 
section 6.43 in the Radiator 3.7.1 reference manual.

At the very least you should run one instance for authentication and 
another instance for accounting.

regards

Hugh

On 07/12/2003, at 9:07 PM, José Borges Ferreira wrote:

Hi!

I have a system that provides me a crippled LDAP interface to 
authenticate users. So far so good.
The problem is that that system takes about 500 ms to respond, 
although I can make parallel requests and get a throughput of 80 
auths/sec.
Since I can't fork LDAP auth requests, which alternatives do I have to 
get better performance in Radiator?

José Borges Ferreira

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
===


Re: (RADIATOR) LDAP COnnection

2003-11-12 Thread Hugh Irvine
Hello Jaskaran -

Can you please send me a trace 4 debug showing what is happening?

thanks

Hugh

On 13/11/2003, at 3:04 AM, jsingh wrote:

Hello Hugh

  I understand that Radiator is supposed to drop the connection after  
it connects and talks to the LDAP Server. But I can see a connection  
for each of my incoming requests. I changed the configuration file for  
Radiator to sustain one connection, which is not the ideal situation  
as far as my project is concerned. I would like to know if I am  
missing something in my config or is this a bug in radiator. I am  
attaching my config without the secrets. I am using Radiator-3.5 on  
solaris 8 with perl 5.6.1

Thanks

 

Foreground
LogStdout
LogDir          /var/log/radius3.5.1
DbDir           .
Trace           4
PidFile         /var/log/radius3.5.1/radiusd.pid
AuthPort        11645
AcctPort        11646
DefineGlobalVar Max 7200
DictionaryFile  /usr/local/adm/src/Radiator-3.5/dictionary

# Clients to suit your site. ###

    Secret      xx
    DupInterval 0
##
    Secret      x
    DupInterval 0
##
    Secret
    DupInterval 0
#
    Secret      xxx
    DupInterval 0

    #Description Cisco AS5300
    Secret      x
    DupInterval 0

    #Description Cisco AS5300
    Secret
    DupInterval 1

    Secret
    DupInterval 0

<AuthBy LDAP2>
    Identifier          CheckLDAP
    Host                xxx.fdu.edu
    Port                636
    UseSSL
    SSLCAPath           /usr/local/adm/etc/
    BaseDN              dc=xxx, dc=xxx
    Scope               subtree
    UsernameAttr        x
    PasswordAttr        userPassword
    ServerChecksPassword
    Timeout             2
    FailureBackoffTime  30
    HoldServerConnection
    #CheckAttr cn

    #AuthAttrDef ipaddress,Framed-IP-Address,reply

    AddToReply  Framed-Protocol = PPP,\
                Framed-Routing = None,\
                Framed-MTU = 1500,\
                Framed-Compression = Van-Jacobson-TCP-IP,\
                Service-Type = Framed-User,\
                Idle-Timeout = 300

    Debug 255
</AuthBy>
#####

<AuthBy SQL>
    Identifier      Block-Time-SQL
    DBSource        dbi:mysql::localhost
    DBUsername      xx
    DBAuth          xxx
    DefaultSimultaneousUse 1
    AccountingTable x
    AuthSelect      Select Time_Left from RADUSERS where User_Name='%n'
    AuthColumnDef   0, Session-Timeout,reply

    AcctSQLStatement Update RADUSERS set Time_Left=Time_Left-'%{Acct-Session-Time}' \
        where User_Name='%n';
</AuthBy>
####

<AuthLog SQL>
    Identifier      REQUEST
    DBSource        dbi:mysql::localhost
    DBUsername      xx
    DBAuth          xx
    LogSuccess
    SuccessQuery    insert into RADAUTHLOG (TIME_STAMP,USERNAME,TYPE) values ('%l','%n',1)
    LogFailure
    FailureQuery    insert into RADAUTHLOG (TIME_STAMP,USERNAME,TYPE,REASON) values ('%l','%n',0,%1)
</AuthLog>
#####

    AuthByPolicy    ContinueWhileAccept
    PreAuthHook     file:"/usr/local/adm/bin/filename.pl"
    AuthBy          CheckLDAP
    AuthBy          Block-Time-SQL
    AuthLog         REQUEST
    MaxSessions     1
    PostAuthHook    file:"/usr/local/adm/bin/filename.pl"
    SessionDatabase SQLDB

    AccountingHandled
    AuthByPolicy    ContinueWhileAccept
    PreAuthHook     file:"/usr/local/adm/bin/filename.pl"
    AuthBy          CheckLDAP
    AuthBy          Block-Time-SQL
    PostAuthHook    file:"/usr/local/adm/bin/filename.pl"
    MaxSessions     1
    SessionDatabase SQLDB
    AcctLogFileName /var/radius/Acct
###

<SessionDatabase SQL>
    Identifier      SQLDB
    DBSource        dbi:mysql:xxx:localhost
    DBUsername      x
    DBAuth          x
</SessionDatabase>



 

 

 

Jaskaran Singh

University Systems & Security

Fairleigh Dickinson University

Teaneck,NJ 07666

 


RE: (RADIATOR) LDAP+md5

2003-10-28 Thread Munkhammar Jan
I had the same problem and found that you need to have "MD" in {MD5} as
capital letters. Change {md5}$1$41a6a36598a0acd0d0c3aac95edc7b35 to
{MD5}$1$41a6a36598a0acd0d0c3aac95edc7b35 and it will work.

cheers, \\Jan

-Original Message-
From: deden purnamahadi [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 10:01 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: (RADIATOR) LDAP+md5


This is my config file :


    Secret      mysecret
    DupInterval 0

<Realm DEFAULT>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy LDAP2>
    #   NoDefault
        Version         3
        Host            mail
        Port            389
        AuthDN          cn=root,o=ISP,c=IX
        AuthPassword    secret
        BaseDN          o=ISP,c=IX
        UsernameAttr    uid
        PasswordAttr    userPassword
        AuthAttrDef     servicetype,Service-Type,check
        AuthAttrDef     address,Framed-IP-Address,reply
    </AuthBy>
</Realm>


This is the error message when I try with user 'farida' password 'farida' 
md5 encryption :


Tue Oct 28 15:55:56 2003: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Oct 28 15:55:56 2003: DEBUG: Rewrote user name to farida
Tue Oct 28 15:55:56 2003: DEBUG:  Deleting session for farida, 203.63.154.1,

1234
Tue Oct 28 15:55:56 2003: DEBUG: Handling with Radius::AuthLDAP2:
Tue Oct 28 15:55:56 2003: INFO: Connecting to mail, port 389
Tue Oct 28 15:55:56 2003: INFO: Attempting to bind to LDAP server mail:389)
Tue Oct 28 15:55:56 2003: DEBUG: LDAP got result for 
uid=farida,ou=isp,o=topnet,c=ID
Tue Oct 28 15:55:56 2003: DEBUG: LDAP got userPassword: 
{md5}$1$41a6a36598a0acd0d0c3aac95edc7b35
Tue Oct 28 15:55:56 2003: DEBUG: Radius::AuthLDAP2 looks for match with 
farida
Tue Oct 28 15:55:56 2003: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Tue Oct 28 15:55:56 2003: INFO: Connecting to mail, port 389
Tue Oct 28 15:55:56 2003: INFO: Attempting to bind to LDAP server mail:389)
Tue Oct 28 15:55:56 2003: DEBUG: No entries for DEFAULT found in LDAP 
database
Tue Oct 28 15:55:56 2003: INFO: Access rejected for farida: Bad Password
Tue Oct 28 15:55:56 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32864 


Anyone can help ?


Thx in advance



Warmest regards


ddn

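An added Python example covering this thread and the earlier "LDAP, crypt, hook" one; it is not Radiator code and not a Radiator hook. It classifies a userPassword value, rewrites it into the form the two threads say Radiator expects (a {crypt} tag on crypt(3) strings, no stray {md5} in front of $1$, an upper-case {MD5} tag), and verifies RFC 2307 {MD5}/{SMD5}/{SHA}/{SSHA} values. Two choices are mine rather than the thread's: the verifier accepts lower-case scheme tags, which Radiator, per Jan's reply, does not, and it decodes digests given either as base64 (as RFC 2307 specifies) or as hex, since the values in this thread are hex. The sample passwords and salts are constructed.

```python
"""Classify and verify LDAP userPassword values (constructed example).

Not Radiator code and not a Radiator hook.  It illustrates the points made
in the crypt and {MD5} threads: a crypt(3) string must reach Radiator with a
{crypt} tag (or no tag), and an RFC 2307 "{SCHEME}" tag is compared
case-sensitively, so "{md5}" has to become "{MD5}".  Digest encodings vary
between directories, so the decoder accepts base64 and hex; that leniency
and the lower-case tag handling are choices made here, not Radiator's.
"""
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple

_TAG = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
# scheme -> (hash constructor, digest length in bytes); S* variants carry a salt
_HASHES = {"MD5": (hashlib.md5, 16), "SMD5": (hashlib.md5, 16),
           "SHA": (hashlib.sha1, 20), "SSHA": (hashlib.sha1, 20)}
_SALTED = {"SMD5", "SSHA"}


def split_scheme(stored: str) -> Tuple[Optional[str], str]:
    """Return (SCHEME upper-cased, payload); scheme is None without a tag."""
    m = _TAG.match(stored)
    return (m.group(1).upper(), m.group(2)) if m else (None, stored)


def classify(stored: str) -> str:
    """'crypt' for crypt(3) strings, 'plaintext' for bare values, else the scheme."""
    scheme, payload = split_scheme(stored)
    if scheme == "CRYPT" or payload.startswith("$"):   # $1$, $5$, $6$ ... are crypt(3)
        return "crypt"
    return "plaintext" if scheme is None else scheme


def normalize_for_radiator(stored: str) -> str:
    """Rewrite a directory value into the form the threads say Radiator wants.

    crypt(3) strings get {crypt} (what Heikki's TranslatePasswordHook adds);
    a stray {md5} in front of "$1$..." is dropped (Hugh's point); any other
    tag is upper-cased, e.g. {md5} -> {MD5} (Jan's fix).
    """
    scheme, payload = split_scheme(stored)
    if classify(stored) == "crypt":
        return "{crypt}" + payload
    return stored if scheme is None else "{%s}%s" % (scheme, payload)


def _decode(payload: str, digest_len: int) -> Optional[bytes]:
    """Decode a hex digest or a base64 digest(+salt); None if neither fits."""
    if re.fullmatch(r"[0-9a-fA-F]{%d}" % (2 * digest_len), payload):
        return bytes.fromhex(payload)
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return None
    return raw if len(raw) >= digest_len else None


def verify(stored: str, candidate: str) -> bool:
    """Constant-time check of candidate against stored; crypt(3) is out of scope."""
    scheme, payload = split_scheme(stored)
    if classify(stored) == "crypt":
        raise NotImplementedError("crypt(3) strings must go through crypt(3)")
    if scheme is None:                       # plaintext userPassword
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if scheme not in _HASHES:
        raise ValueError("unsupported scheme {%s}" % scheme)
    fn, n = _HASHES[scheme]
    raw = _decode(payload, n)
    if raw is None:
        return False
    digest, salt = raw[:n], raw[n:]
    if scheme not in _SALTED and salt:       # unsalted: nothing may follow the digest
        return False
    return hmac.compare_digest(fn(candidate.encode() + salt).digest(), digest)


def make_ldap_hash(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a {SCHEME}base64 value the way an RFC 2307 directory stores it."""
    fn, _ = _HASHES[scheme]
    raw = fn(password.encode() + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())


if __name__ == "__main__":
    for value in ["{md5}$1$41a6a36598a0acd0d0c3aac95edc7b35",   # from the thread
                  "{md5}42f4b247702c99bda0fc7bcc41c70d19",      # from the thread
                  make_ldap_hash("SSHA", "s3cret", b"\x01\x02\x03\x04")]:
        print(value, "->", classify(value), normalize_for_radiator(value))
```

crypt(3) strings are only classified, not checked: they need the system crypt(3), which Radiator calls for {crypt} values and this example deliberately leaves out. The two literal values from the thread come out as Hugh and Jan describe: "{md5}$1$..." is rewritten as "{crypt}$1$..." (Hugh's reply says the bare "$1$" form is also recognised) and "{md5}42f4..." becomes "{MD5}42f4...".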


Re: (RADIATOR) LDAP+md5

2003-10-28 Thread deden purnamahadi
GOT IT ! I have to use {MD5} (all in capitals) in the password attribute.
Thx to Chanaka and Hugh !!


Warmest regards

ddn





From: Hugh Irvine <[EMAIL PROTECTED]>
To: "deden purnamahadi" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: (RADIATOR) LDAP+md5
Date: Tue, 28 Oct 2003 20:13:01 +1100
Hello Deden -

You do not need the "{md5}" prefix on your password, as there is already 
the "$1$" prefix.

Please see section 13.1.1 in the Radiator 3.7.1 reference manual 
("doc/ref.html").

regards

Hugh




Re: (RADIATOR) LDAP+md5

2003-10-28 Thread deden purnamahadi
Hello Deden -

You do not need the "{md5}" prefix on your password, as there is already 
the "$1$" prefix.

This one is using another user, without $1$.
I shouldn't use the file "users" when I use LDAP, right ?


Tue Oct 28 16:30:39 2003: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Oct 28 16:30:39 2003: DEBUG: Rewrote user name to benny
Tue Oct 28 16:30:39 2003: DEBUG:  Deleting session for benny, 203.63.154.1, 
1234
Tue Oct 28 16:30:39 2003: DEBUG: Handling with Radius::AuthLDAP2:
Tue Oct 28 16:30:40 2003: INFO: Connecting to mail, port 389
Tue Oct 28 16:30:40 2003: INFO: Attempting to bind to LDAP server mail:389)
Tue Oct 28 16:30:40 2003: DEBUG: LDAP got result for 
uid=benny,ou=isp,o=topnet,c=ID
Tue Oct 28 16:30:40 2003: DEBUG: LDAP got userPassword: 
{md5}42f4b247702c99bda0fc7bcc41c70d19
Tue Oct 28 16:30:40 2003: DEBUG: Radius::AuthLDAP2 looks for match with 
benny
Tue Oct 28 16:30:40 2003: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Tue Oct 28 16:30:40 2003: INFO: Connecting to mail, port 389
Tue Oct 28 16:30:40 2003: INFO: Attempting to bind to LDAP server mail:389)
Tue Oct 28 16:30:40 2003: DEBUG: No entries for DEFAULT found in LDAP 
database
Tue Oct 28 16:30:40 2003: INFO: Access rejected for benny: Bad Password
Tue Oct 28 16:30:40 2003: DEBUG: Packet dump:





Re: (RADIATOR) LDAP+md5

2003-10-28 Thread Hugh Irvine
Hello Deden -

You do not need the "{md5}" prefix on your password, as there is 
already the "$1$" prefix.

Please see section 13.1.1 in the Radiator 3.7.1 reference manual 
("doc/ref.html").

regards

Hugh

On 28/10/2003, at 8:01 PM, deden purnamahadi wrote:

This is my config file :


   Secret  mysecret
   DupInterval 0


   RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
   
#   NoDefault
   Version 3
   Hostmail
   Port389
   AuthDN  cn=root,o=ISP,c=IX
   AuthPasswordsecret
   BaseDN  o=ISP,c=IX
   UsernameAttruid
   PasswordAttruserPassword
   AuthAttrDef servicetype,Service-Type,check
   AuthAttrDef address,Frame-IP-Address,reply
   
   



This is the error message when I try with user 'farida' password 
'farida' md5 encryption :

Tue Oct 28 15:55:56 2003: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Oct 28 15:55:56 2003: DEBUG: Rewrote user name to farida
Tue Oct 28 15:55:56 2003: DEBUG:  Deleting session for farida, 
203.63.154.1, 1234
Tue Oct 28 15:55:56 2003: DEBUG: Handling with Radius::AuthLDAP2:
Tue Oct 28 15:55:56 2003: INFO: Connecting to mail, port 389
Tue Oct 28 15:55:56 2003: INFO: Attempting to bind to LDAP server 
mail:389)
Tue Oct 28 15:55:56 2003: DEBUG: LDAP got result for 
uid=farida,ou=isp,o=topnet,c=ID
Tue Oct 28 15:55:56 2003: DEBUG: LDAP got userPassword: 
{md5}$1$41a6a36598a0acd0d0c3aac95edc7b35
Tue Oct 28 15:55:56 2003: DEBUG: Radius::AuthLDAP2 looks for match 
with farida
Tue Oct 28 15:55:56 2003: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Tue Oct 28 15:55:56 2003: INFO: Connecting to mail, port 389
Tue Oct 28 15:55:56 2003: INFO: Attempting to bind to LDAP server 
mail:389)
Tue Oct 28 15:55:56 2003: DEBUG: No entries for DEFAULT found in LDAP 
database
Tue Oct 28 15:55:56 2003: INFO: Access rejected for farida: Bad 
Password
Tue Oct 28 15:55:56 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32864 

Anyone can help ?

Thx in advance



Warmest regards

ddn

_
Enjoy MSN 8 patented spam control and more with MSN 8 Dial-up Internet 
Service.  Try it FREE for one month!   
http://join.msn.com/?page=dept/dialup

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
===
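The trace above shows the stored attribute `userPassword: {md5}$1$41a6a36598a0acd0d0c3aac95edc7b35` and the outcome `REJECT: Bad Password`. RFC 2307 defines the `{MD5}` and `{SHA}` schemes as the base64 encoding of the raw digest (24 characters ending in `==` for MD5), and `{SMD5}`/`{SSHA}` as the same with a salt appended; a `$1$` prefix belongs to crypt(3) MD5, which has the form `$1$salt$hash`. The value in the trace is neither: it contains `$`, so it is not base64, and it has no second `$`, so it is not a crypt string. The Python below is an added example, not Radiator's code and not from this thread; it implements an RFC 2307 verifier plus a `diagnose()` helper so a practitioner can check what a directory actually stores before blaming the RADIUS side. The function names and the sample password `farida` (taken from the message) are this example's own choices, and no claim is made that Radiator's own password check behaves identically.

```python
"""RFC 2307 userPassword verification: {MD5}, {SMD5}, {SHA}, {SSHA}, {CLEAR} or bare cleartext.

Added example. It does not reproduce Radiator's internals; it shows what a
well-formed value looks like and why a malformed one can never match.
"""
import base64
import binascii
import hashlib
import hmac
import re

# Value copied from the trace above; it is not a valid RFC 2307 encoding.
TRACE_VALUE = "{md5}$1$41a6a36598a0acd0d0c3aac95edc7b35"

_PREFIX_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)

# scheme -> (hashlib name, payload carries a trailing salt)
_SCHEMES = {
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
}


def encode_userpassword(scheme, password, salt=b""):
    """Build an RFC 2307 value: {SCHEME}base64(digest(password + salt) + salt)."""
    algo, salted = _SCHEMES[scheme.upper()]
    if salt and not salted:
        raise ValueError("scheme %s is unsalted" % scheme)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def _split(stored):
    """Return (scheme, payload); scheme is None for a bare cleartext value."""
    m = _PREFIX_RE.match(stored)
    if not m:
        return None, stored
    return m.group(1).upper(), m.group(2)


def diagnose(stored):
    """Classify a stored value without needing the candidate password."""
    scheme, payload = _split(stored)
    if scheme is None or scheme == "CLEAR":
        return "cleartext"
    if scheme not in _SCHEMES:
        return "unsupported-scheme"
    algo, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error:
        return "not-base64"          # e.g. a '$' or hex digits in the payload
    dlen = hashlib.new(algo).digest_size
    if len(raw) == dlen or (salted and len(raw) > dlen):
        return "ok"
    return "wrong-length"


def verify_userpassword(stored, candidate):
    """True if candidate matches stored; ValueError if stored is malformed."""
    state = diagnose(stored)
    scheme, payload = _split(stored)
    if state == "cleartext":
        return hmac.compare_digest(payload.encode("utf-8"), candidate.encode("utf-8"))
    if state != "ok":
        raise ValueError("%s: %s" % (state, stored))
    algo, _ = _SCHEMES[scheme]
    raw = base64.b64decode(payload)
    dlen = hashlib.new(algo).digest_size
    digest, salt = raw[:dlen], raw[dlen:]      # salt is empty for {MD5}/{SHA}
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)
```

Running `diagnose()` over a dump of `userPassword` values is the quickest triage: anything other than `ok` or `cleartext` can never match a candidate, whatever the RADIUS configuration says. The comparisons use `hmac.compare_digest` so the verifier itself does not leak timing. Unsalted MD5 and SHA-1 are weak password stores by current standards; of the schemes RFC 2307 lists, `{SSHA}` is the least bad, and a directory that can store something stronger should.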


RE: (RADIATOR) ldap

2003-09-01 Thread Munkhammar Jan



Siemens DirX :-)

  -----Original Message-----
  From: Jeremy L. Mordkoff [mailto:[EMAIL PROTECTED]]
  Sent: Friday, August 29, 2003 5:40 PM
  To: [EMAIL PROTECTED]
  Subject: (RADIATOR) ldap

  A little off topic, but I will strive to make it appropriate :-)

  Is there an ldap server that's as easy to use and reliable as
  Radiator? Our server will support radius and ldap soon..

  JLM

  Jeremy Mordkoff
  Tatara Systems
  978-206-0808 (direct)
  978-206-0888 (fax)

  injustice anywhere threatens justice everywhere -- Dr. Martin Luther King


Re: (RADIATOR) ldap

2003-09-01 Thread Denis Pavani
We use openldap and it works perfectly.
Bye
Hugh Irvine wrote:

Hello Jeremy -

I would be very interested in any answers to this too.

regards

Hugh

On Saturday, Aug 30, 2003, at 01:40 Australia/Melbourne, Jeremy L. 
Mordkoff wrote:

A little off topic, but I will strive to make it appropriate :-)

Is there an ldap server that's as easy to use and reliable as
Radiator? Our server will support radius and ldap soon...

JLM

Jeremy Mordkoff
Tatara Systems
978-206-0808 (direct)
978-206-0888 (fax)

injustice anywhere threatens justice everywhere -- Dr. Martin Luther King


--

Denis Pavani
CINECA-Comunicazioni e Sistemi Distribuiti
NOC - Network Operations Center
phone:+39 0516171953 / fax:+39 0516132198
http://www.cineca.it

"Siamo pagati per adattarci, improvvisare e raggiungere lo scopo"
 -- Gunny Highway 



Re: (RADIATOR) ldap

2003-08-30 Thread Bon sy
Hi Jeremy and Hugh,
Why not try to post this challenge to ldap discussion forum like 

http://www.ldapguru.org/

and others? ;)

Bon


On Sat, 30 Aug 2003, Hugh Irvine wrote:

> 
> Hello Jeremy -
> 
> I would be very interested in any answers to this too.
> 
> regards
> 
> Hugh
> 
> 
> On Saturday, Aug 30, 2003, at 01:40 Australia/Melbourne, Jeremy L. 
> Mordkoff wrote:
> 
> > A little off topic, but I will strive to make it appropriate :-)
> >
> > Is there an ldap server that's as easy to use and reliable as
> > Radiator? Our server will support radius and ldap soon...
> >
> > JLM
> >
> > Jeremy Mordkoff
> > Tatara Systems
> > 978-206-0808 (direct)
> > 978-206-0888 (fax)
> >
> > injustice anywhere threatens justice everywhere -- Dr. Martin Luther King


Re: (RADIATOR) ldap

2003-08-30 Thread Hugh Irvine
Hello Jeremy -

I would be very interested in any answers to this too.

regards

Hugh

On Saturday, Aug 30, 2003, at 01:40 Australia/Melbourne, Jeremy L. 
Mordkoff wrote:

A little off topic, but I will strive to make it appropriate :-)

Is there an ldap server that's as easy to use and reliable as
Radiator? Our server will support radius and ldap soon...

JLM

Jeremy Mordkoff
Tatara Systems
978-206-0808 (direct)
978-206-0888 (fax)

injustice anywhere threatens justice everywhere -- Dr. Martin Luther King




Re: (RADIATOR) LDAP SSL Connection

2003-07-10 Thread Hugh Irvine

Hello Jack -

Are you getting any error messages from Perl?

You can run radiusd from the command line to see what is happening:

perl radiusd -foreground -log_stdout -trace 4 -config_file ..

Please send a copy of the configuration file together with the trace 4 debug and any error messages.

regards

Hugh


On Friday, Jul 11, 2003, at 05:44 Australia/Melbourne, jsingh wrote:

I have gone through the steps once again to check my install, don’t see any problems. Yet I still can’t connect through SSL to ldap and now over the normal port 389 all the passwords are going in wrong. Does anyone have installation steps for the Radiator on Sun Solaris 8 box I can compare with? Any suggestions ?

thanks

jack






RE: (RADIATOR) LDAP SSL Connection

2003-07-10 Thread jsingh








Hi

I did install the newer perl-ldap 0.29, but to no avail: I still can't create an SSL connection to my ldap server.

Same error as before: "ERR: Could not open LDAP connection". I wrote my own script using IO::Socket::SSL and am able to create a socket and do other functions.

Any help is really appreciated.

Thanks

jack

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hugh Irvine
Sent: Wednesday, July 09, 2003 6:24 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) LDAP SSL Connection

 


Hello Jack -

Have you installed the prerequisite perl modules to connect to your LDAP
server?

See section 6.35 in the Radiator 3.6 reference manual
("doc/ref.html").

regards

Hugh


On Thursday, Jul 10, 2003, at 06:46 Australia/Melbourne, jsingh
wrote:

Hi

 I have ported over my Radiator
installation to a different box and now my Secure LDAP connection does not
work. I did create new certificate for the new box but to no avail. I tried
using the old certificate but to no avail. I am attaching my trace 4 debug. Any
suggestions are welcome

Thanks

Wed Jul  9 16:26:42 2003: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP

Wed Jul  9 16:26:42 2003: INFO: Connecting to webmail.fdu.edu, port 19636

Wed Jul  9 16:26:42 2003: ERR: Could not open LDAP connection to webmail.fdu.edu, port 19636. Backing off for 30 seconds.

 

jack

 












Re: (RADIATOR) LDAP SSL Connection

2003-07-09 Thread Hugh Irvine

Hello Jack -

Have you installed the prerequisite perl modules to connect to your LDAP server?

See section 6.35 in the Radiator 3.6 reference manual ("doc/ref.html").

regards

Hugh


On Thursday, Jul 10, 2003, at 06:46 Australia/Melbourne, jsingh wrote:

Hi

 I have ported over my Radiator installation to a different box and now my Secure LDAP connection does not work. I did create new certificate for the new box but to no avail. I tried using the old certificate but to no avail. I am attaching my trace 4 debug. Any suggestions are welcome

Thanks

Wed Jul  9 16:26:42 2003: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP

Wed Jul  9 16:26:42 2003: INFO: Connecting to webmail.fdu.edu, port 19636

Wed Jul  9 16:26:42 2003: ERR: Could not open LDAP connection to webmail.fdu.edu, port 19636. Backing off for 30 seconds.

 

jack

 






Re: (RADIATOR) LDAP & MySQL Authentication.

2002-12-06 Thread Charles Alexander McCain


Thanks Hugh,

It is now working beautifully.

- al





On Fri, 6 Dec 2002, Hugh Irvine wrote:

>
> Hello AL -
>
> You would do something like this:
>
> # define AuthBy clauses
>
> <AuthBy SQL>
>   Identifier CheckSQL
>   .
> </AuthBy>
>
> <AuthBy LDAP2>
>   Identifier CheckLDAP
>   .
> </AuthBy>
>
> .
>
> # define Realms or Handlers
>
> <Handler>
>   AuthByPolicy ContinueAlways
>   AuthBy CheckSQL
>   AuthBy CheckLDAP
>   .
> </Handler>
>
> This topic has also been discussed on the mailing list many times, so
> check the archive site:
>
>   www.open.com.au/archives/radiator
>
> regards
>
> Hugh
>
>
> On Friday, Dec 6, 2002, at 01:32 Australia/Melbourne, Charles Alexander
> McCain wrote:
>
> > Hey guys,
> > I've looked for documentation on this question but can't seem to find
> > any.
> > I am trying to make radiator grab the users and information from
> > mysql. I
> > would like to grab the passwords from ldap .
> > Is there any way to do this ?
> >
> > Thanks,
> > AL
> >
> >




Re: (RADIATOR) LDAP & MySQL Authentication.

2002-12-05 Thread Hugh Irvine

Hello AL -

You would do something like this:

# define AuthBy clauses

<AuthBy SQL>
	Identifier CheckSQL
	.
</AuthBy>

<AuthBy LDAP2>
	Identifier CheckLDAP
	.
</AuthBy>

.

# define Realms or Handlers

<Handler>
	AuthByPolicy ContinueAlways
	AuthBy CheckSQL
	AuthBy CheckLDAP
	.
</Handler>

This topic has also been discussed on the mailing list many times, so 
check the archive site:

	www.open.com.au/archives/radiator

regards

Hugh


On Friday, Dec 6, 2002, at 01:32 Australia/Melbourne, Charles Alexander 
McCain wrote:

Hey guys,
I've looked for documentation on this question but can't seem to find 
any.
I am trying to make radiator grab the users and information from 
mysql. I
would like to grab the passwords from ldap .
Is there any way to do this ?

Thanks,
AL





Re: (RADIATOR) LDAP return code

2002-11-18 Thread Hugh Irvine

Hello Bruno -

You should probably use a PostSearchHook with LDAP.

Have a look at section 6.35.20 in the Radiator 3.3.1 reference manual.

regards

Hugh


On Tuesday, Nov 19, 2002, at 05:20 Australia/Melbourne, Bruno Tiago 
Rodrigues wrote:


Hi all

We're starting to use radiator on a test environment where we're using some
strange e-commerce vendor implementation of a database which uses the LDAP
protocol for querying and returning data.

I've been able to query all the data I want to, using the standard authby
LDAP2 configuration, but the decision whether the user will be able to use
the service is given by the return code of the LDAP search operation (they
use return=0 for a "good" user and a custom error message return=99 for a
"bad" user). Is there any easy way to accomplish this (i.e.: any special
variable I can use which holds the return code)?

I can just use the authby LDAP2 definition to connect to the server and then
use a post Auth hook to analyse the return code... Is this a clean approach
to my problem?

thanks in advance





Re: (RADIATOR) LDAP and CHAP

2002-07-16 Thread Hugh Irvine


Hello Dan -

You can use the PasswordLogFileName construct to log all the passwords.

See section 6.16.7 in the Radiator 3.1 reference manual.

regards

Hugh


At 15:13 + 16/7/02, Dan Melomedman wrote:
>Hugh Irvine writes:
>>
>>Hello Dan -
>>You can use CHAP with any database, however the password stored 
>>therein *must* be in cleartext, as you can only use cleartext 
>>passwords with CHAP.
>>regards
>>Hugh
>
>The problem is all our dial-ups have hashed passwords, and returning 
>them to clear text would be impossible.
>The problem is Broadwing now requires CHAP for some of the POPs, and 
>doesn't for others. Are there any work-arounds for this? Thanks.

-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



Re: (RADIATOR) LDAP and CHAP

2002-07-16 Thread Dan Melomedman

Ayotunde Itayemi writes: 

> Hi, 
> 
> Depending on your patience, number of clients and time, you could get Mobius
> Freeware's w32crack - run it continuously for a few days after extracting the
> username and encrypted

This cannot help us, since we do not use NT user database. 



Re: (RADIATOR) LDAP and CHAP

2002-07-16 Thread Ayotunde Itayemi

Hi,

Depending on your patience, number of clients and time, you could get Mobius
Freeware's w32crack - run it continuously for a few days after extracting the
username and encrypted passwords from the windows 2K server or NT using pwdump2
or pwdump3 and hey presto! All passwords in cleartext!

Regards,
Tunde Itayemi.

- Original Message -
From: "Dan Melomedman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 16, 2002 4:13 PM
Subject: Re: (RADIATOR) LDAP and CHAP


> Hugh Irvine writes:
>
> >
> > Hello Dan -
> >
> > You can use CHAP with any database, however the password stored therein
> > *must* be in cleartext, as you can only use cleartext passwords with CHAP.
> >
> > regards
> >
> > Hugh
>
> The problem is all our dial-ups have hashed passwords, and returning them to
> clear text would be impossible.
>
> The problem is Broadwing now requires CHAP for some of the POPs, and doesn't
> for others. Are there any work-arounds for this? Thanks.



Re: (RADIATOR) LDAP and CHAP

2002-07-16 Thread Dan Melomedman

Hugh Irvine writes: 

> 
> Hello Dan - 
> 
> You can use CHAP with any database, however the password stored therein 
> *must* be in cleartext, as you can only use cleartext passwords with CHAP. 
> 
> regards 
> 
> Hugh

The problem is all our dial-ups have hashed passwords, and returning them to 
clear text would be impossible. 

The problem is Broadwing now requires CHAP for some of the POPs, and doesn't 
for others. Are there any work-arounds for this? Thanks. 



Re: (RADIATOR) LDAP and CHAP

2002-07-15 Thread Hugh Irvine


Hello Dan -

You can use CHAP with any database, however the password stored therein 
*must* be in cleartext, as you can only use cleartext passwords with 
CHAP.

regards

Hugh


On Tuesday, July 16, 2002, at 02:05 AM, Dan Melomedman wrote:

> Does Radiator allow CHAP passwords with LDAP databases? Thanks.
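Hugh's statement in the CHAP thread above follows from the protocol itself. With PAP the Access-Request carries the user's password (obscured with the shared secret, but recoverable by the server), so the server can re-hash it in whatever scheme the directory stores. With CHAP (RFC 1994) the NAS forwards only `CHAP-Password` = Ident || MD5(Ident || password || challenge), together with `CHAP-Challenge` (or, when that attribute is absent, the Request Authenticator serves as the challenge, RFC 2865 section 5.3). The server has to compute the same MD5 over the cleartext password, so a stored `{MD5}` or `{crypt}` value cannot be checked at all. The Python below is an added example, not from the thread and not Radiator's code, showing both sides of the exchange; the attribute dictionary, the `cannot-verify` outcome and the prefix heuristic used to recognise hashed values are this example's own.

```python
"""RFC 1994 CHAP as carried in RADIUS (RFC 2865 sections 5.3 and 5.40).

Added example: a minimal NAS side and server side, with no UDP, no attribute
packing, and no Request Authenticator handling beyond its use as the fallback
challenge. Attribute values are kept in a plain dict.
"""
import hashlib
import hmac
import os

CHAP_RESPONSE_LEN = 16  # MD5 digest length, RFC 1994 section 4.1


def chap_response(chap_ident, password, challenge):
    """Client computation: MD5(Ident || secret || challenge)."""
    return hashlib.md5(bytes([chap_ident]) + password + challenge).digest()


def build_access_request(user_name, password, challenge, chap_ident=None,
                         include_challenge_attr=True):
    """NAS side: the CHAP-related attributes of an Access-Request.

    With include_challenge_attr=False the NAS uses the Request Authenticator
    as the challenge and omits CHAP-Challenge, as RFC 2865 permits when the
    challenge is exactly 16 octets.
    """
    if chap_ident is None:
        chap_ident = os.urandom(1)[0]
    request = {
        "User-Name": user_name,
        "CHAP-Password": bytes([chap_ident]) + chap_response(chap_ident, password, challenge),
    }
    if include_challenge_attr:
        request["CHAP-Challenge"] = challenge
    else:
        if len(challenge) != 16:
            raise ValueError("Request Authenticator is exactly 16 octets")
        request["Request-Authenticator"] = challenge
    return request


def looks_hashed(stored):
    """Heuristic (this example's own): RFC 2307 {SCHEME} prefix or crypt(3) '$'."""
    return stored.startswith("{") or stored.startswith("$")


def server_verify(request, stored_password):
    """Server side: 'accept', 'reject', or 'cannot-verify'.

    stored_password is the directory's userPassword value as a str. A CHAP
    response can only be checked when that value is the cleartext password.
    """
    if looks_hashed(stored_password):
        return "cannot-verify"
    chap_password = request.get("CHAP-Password", b"")
    if len(chap_password) != 1 + CHAP_RESPONSE_LEN:
        return "reject"
    chap_ident, response = chap_password[0], chap_password[1:]
    challenge = request.get("CHAP-Challenge") or request.get("Request-Authenticator")
    if challenge is None:
        return "reject"
    expected = chap_response(chap_ident, stored_password.encode("utf-8"), challenge)
    return "accept" if hmac.compare_digest(response, expected) else "reject"
```

The `cannot-verify` branch is the whole point: nothing the server does with a hashed store can produce `expected`. The trade is also visible from the other direction: a CHAP exchange never exposes the password on the wire, whereas PAP requires the RADIUS server to see it, which is exactly what makes migrating a hashed store possible and why that migration should be treated as handling cleartext credentials.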



Re: (RADIATOR) LDAP and MySQL?

2002-05-16 Thread Hugh Irvine


Hello Sven -

It is very simple to do what you describe (and it's not dirty at all...):

# define AuthBy clauses

<AuthBy LDAP2>
	Identifier LDAPAuthentication
	.
</AuthBy>

<AuthBy SQL>
	Identifier SQLAccounting
	.
	# empty AuthSelect to disable authentication
	AuthSelect
	# configure accounting
	AccountingTable ACCOUNTING
	AcctColumnDef .
	..
</AuthBy>

<AuthBy GROUP>
	Identifier DoAuthenticationAndAccounting
	AuthByPolicy ContinueAlways
	AuthBy SQLAccounting
	AuthBy LDAPAuthentication
	.
</AuthBy>

# define Realm(s) or Handler(s)

<Handler>
	.
	AuthBy DoAuthenticationAndAccounting
	...
</Handler>

...

If you have any other questions, please feel free to ask.

regards

Hugh



On Thu, 16 May 2002 20:54, Sven Holz wrote:
> Hi List
>
> Following Situation:
>
> We're going to setup LDAP for authentication running on Linux.
> Session- and Accounting Data should be written to a MySQL-Database.
>
> If I understood the Docu of radiator correctly, accounting on MySQL is
> just possible when authentication is done by MySQL also.
>
> Is this correct?
>
> So my question, if it is like that, is how can i solve the problem, LDAP
> is really important for us, because of many other systems with
> LDAP-Interfaces.
>
> Every solution (even dirty ones ;-) are highly welcome.
>
> Thanks a lot
>
> with kind regards || Mit freundlichen Gruessen
>
>   Sven Holz




Re: (RADIATOR) LDAP questions

2001-12-26 Thread Hugh Irvine


Hello Ben -

Sorry - now I'm confused - what exactly do you want to do with usernames and 
passwords? And on the Handler question, no you cannot have Handlers inside 
other Handlers. Again if you can give me a bit more detail I will try to 
suggest something sensible.

regards

Hugh


On Thu, 27 Dec 2001 05:03, Ben Carter wrote:
> Hi Hugh,
>
> Merry Christmas!!!
>
> > On Sun, 23 Dec 2001 10:48, Ben Carter wrote:
> > > Hi all,
> > >
> > > I was wondering if anyone could help me out with the following:
> > >
> > > 1) I have "HoldServerConnection" in my  clauses but radiator
> > > still seems to re-connect each time to LDAP. The LDAP server I am using is
> > > iplanets (formerly Netscape) and handles multiple searches in a single
> > > connection with no problem.
> >
> > What version of Radiator are you running? There is a mention of this in the
> > history file ("doc/history.html").
>
> We're running version 2.19!
>
> > > 2) We have a bunch of dialup ports with another provider to give us
> > > unmetered connections for customers of that telco. Most of these users need
> > > to be authenticated using only their Calling-Station-ID (i.e. they DO NOT
> > > have a username and password). We also have a few people who have a
> > > username and password as a way of bypassing the Calling-Station-ID check.
> > > My problem is Radiator expects passwordattr to be defined and insists
> > > on checking the username and password with those in ldap and if they
> > > don't match it rejects them. Obviously in an environment where we are
> > > using the calling-station-id to authenticate the user this is always
> > > going to fail as they don't supply a username and password!! We have got
> > > around this problem in a very dirty way by using a PostSearchHook to fool
> > > radiator into thinking this is an EAP request (my config file is below).
> > > Is there a better way to do this or can the mandatory checking of username
> > > and password be removed from radiator? (you also get an LDAP error every
> > > time the user has no password and it can't find the passwordattr in LDAP)
> > >
> > > Also, from the config file below, it shows that we check to see if the
> > > username and password (the override Calling-Station-ID users) is valid
> > > BEFORE we check Calling-Station-ID. As our customers are split approx 98%
> > > calling-station-id authenticated versus 2% user/pass authenticated this is
> > > very inefficient resulting in 2 LDAP queries for 98% of users, if we could
> > > have it the other way around it would be only 1 search for the 98% and
> > > 2 searches for the 2%.
> >
> > I think I would add a PreClientHook that would check to see if there is a
> > User-Name and User-Password present in the Access-Request, and if not
> > then add the Calling-Station-Id as both the User-Name and User-Password.
> >
> > Then you can add a Handler that checks for a User-Name that is all digits
> > and uses the appropriate AuthBy clause.
> >
> > There are some example hooks in the file "goodies/hooks.txt".
>
> Ah my fault, when I said the users don't have a username and password
> that's not exactly correct. They don't have one for their dialup connection
> (it's done via CSID) but they do have one for the mail accounts, so users
> being users they use those (or some weird derivative that only they know
> how they came up with) for their dialup. So I can't check if the username
> and password is NULL without calling all the users and saying "Hey, don't
> put a username or password in your dialup" which we could have done when we
> first started but there are too many users to do that now!!
>
> On the Handler thing, can you have a handler in a handler as I'm production
> testing Handlers by NAS-group to implement per-NAS-group session limits?
>
> Ben.




RE: (RADIATOR) LDAP questions

2001-12-26 Thread Ben Carter

Hi Hugh,

Merry Christmas!!!

> 
> On Sun, 23 Dec 2001 10:48, Ben Carter wrote:
> > Hi all,
> >
> > I was wondering if anyone could help me out with the following:
> >
> > 1) I have "HoldServerConnection" in my  clauses but radiator
> > still seems to re-connect each time to LDAP. The LDAP server I am using is
> > iplanets (formerly Netscape) and handles multiple searches in a single
> > connection with no problem.
> >
> 
> What version of Radiator are you running? There is a mention of this in the
> history file ("doc/history.html").

We're running version 2.19!

> 
> > 2) We have a bunch of dialup ports with another provider to give us
> > unmetered connections for customers of that telco. Most of these users need
> > to be authenticated using only their Calling-Station-ID (i.e. they DO NOT
> > have a username and password). We also have a few people who have a
> > username and password as a way of bypassing the Calling-Station-ID check.
> > My problem is Radiator expects passwordattr to be defined and insists on
> > checking the username and password with those in ldap and if they don't
> > match it rejects them. Obviously in an environment where we are using the
> > calling-station-id to authenticate the user this is always going to fail as
> > they don't supply a username and password!! We have got around this problem
> > in a very dirty way by using a PostSearchHook to fool radiator into
> > thinking this is an EAP request (my config file is below). Is there a
> > better way to do this or can the mandatory checking of username and
> > password be removed from radiator? (you also get an LDAP error every time
> > the user has no password and it can't find the passwordattr in LDAP)
> >
> > Also, from the config file below, it shows that we check to see if the
> > username and password (the override Calling-Station-ID users) is valid
> > BEFORE we check Calling-Station-ID. As our customers are split approx 98%
> > calling-station-id authenticated versus 2% user/pass authenticated this is
> > very inefficient resulting in 2 LDAP queries for 98% of users, if we could
> > have it the other way around it would be only 1 search for the 98% and 2
> > searches for the 2%.
> >
> 
> I think I would add a PreClientHook that would check to see if there is a
> User-Name and User-Password present in the Access-Request, and if not then
> add the Calling-Station-Id as both the User-Name and User-Password.
> 
> Then you can add a Handler that checks for a User-Name that is all digits
> and uses the appropriate AuthBy clause.
> 
> There are some example hooks in the file "goodies/hooks.txt".
> 

Ah my fault, when I said the users don't have a username and password that's
not exactly correct. They don't have one for their dialup connection (it's
done via CSID) but they do have one for the mail accounts, so users being
users they use those (or some weird derivative that only they know how they
came up with) for their dialup. So I can't check if the username and
password is NULL without calling all the users and saying "Hey, don't put a
username or password in your dialup" which we could have done when we first
started but there are too many users to do that now!!

On the Handler thing, can you have a handler in a handler as I'm production
testing Handlers by NAS-group to implement per-NAS-group session limits?

Ben.



Re: (RADIATOR) LDAP questions

2001-12-23 Thread Hugh Irvine


Hello Ben -

On Sun, 23 Dec 2001 10:48, Ben Carter wrote:
> Hi all,
>
> I was wondering if anyone could help me out with the following:
>
> 1) I have "HoldServerConnection" in my  clauses but radiator
> still seems to re-connect each time to LDAP. The LDAP server I am using is
> iplanets (formerly Netscape) and handles multiple searches in a single
> connection with no problem.
>

What version of Radiator are you running? There is a mention of this in the 
history file ("doc/history.html").

> 2) We have a bunch of dialup ports with another provider to give us
> unmetered connections for customers of that telco. Most of these users need
> to be authenticated using only their Calling-Station-ID (i.e. they DO NOT
> have a username and password). We also have a few people who have a
> username and password as a way of bypassing the Calling-Station-ID check.
> My problem is Radiator expects passwordattr to be defined and insists on
> checking the username and password with those in ldap and if they don't
> match it rejects them. Obviously in an environment where we are using the
> calling-station-id to authenticate the user this is always going to fail as
> they don't supply a username and password!! We have got around this problem
> in a very dirty way by using a PostSearchHook to fool radiator into
> thinking this is an EAP request (my config file is below). Is there a
> better way to do this or can the mandatory checking of username and
> password be removed from radiator? (you also get an LDAP error every time
> the user has no password and it can't find the passwordattr in LDAP)
>
> Also, from the config file below, it shows that we check to see if the
> username and password (the override Calling-Station-ID users) is valid
> BEFORE we check Calling-Station-ID. As our customers are split approx 98%
> calling-station-id authenticated versus 2% user/pass authenticated this is
> very inefficient resulting in 2 LDAP queries for 98% of users, if we could
> have it the other way around it would be only 1 search for the 98% and 2
> searches for the 2%.
>

I think I would add a PreClientHook that would check to see if there is a 
User-Name and User-Password present in the Access-Request, and if not then 
add the Calling-Station-Id as both the User-Name and User-Password.

Then you can add a Handler that checks for a User-Name that is all digits and 
uses the appropriate AuthBy clause.

There are some example hooks in the file "goodies/hooks.txt".

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
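A concrete form of the hook and Handler layout Hugh describes, added here as an example; it is not from the original post or from the Radiator distribution. The packet API it uses (`${$_[0]}` for the request, `code`, `get_attr`, `add_attr`, `delete_attr`, `change_attr`) and the `file:"..."` hook syntax are Radiator's, and `NoCheckPassword` is the generic AuthBy parameter that skips the password comparison, which is what removes the mandatory password check on the CLI path. The digit normalisation, the attribute names in the sketched config and the `typed-` prefix are my own choices: without the prefix any subscriber could type an all-digit User-Name and land in the Handler that checks no password at all. Calling-Station-Id is set by the NAS from telco signalling, so this path is only as trustworthy as the NAS and the shared secret protecting the packet; if only some Clients deliver caller ID, restrict the CLI Handler to those.

```perl
# cli-as-user.pl: Radiator PreClientHook, added example (not from the
# Radiator distribution). Assumed radius.cfg layout around it:
#
#   PreClientHook file:"%D/cli-as-user.pl"
#
#   # CLI path, the 98%: no User-Password is ever compared here.
#   <Handler User-Name=/^\d+$/>
#       <AuthBy LDAP2>
#           Host ...  BaseDN ...  UsernameAttr telephoneNumber   # site-specific
#           NoCheckPassword
#       </AuthBy>
#   </Handler>
#
#   # Everyone else, the 2% with real usernames: password checked in LDAP.
#   <Handler>
#       <AuthBy LDAP2>
#           Host ...  BaseDN ...  UsernameAttr uid  PasswordAttr userPassword
#       </AuthBy>
#   </Handler>
#
# Handlers are tried in the order written, so the CLI Handler comes first.
sub {
    my $p = ${$_[0]};                     # the incoming request packet

    # Only Access-Requests carry credentials; leave accounting alone.
    return unless $p->code eq 'Access-Request';

    my $cli = $p->get_attr('Calling-Station-Id');
    return unless defined $cli;           # no caller ID, nothing to derive

    # Normalise to digits only: a NAS may send "+44 20 ..." or "020-..." for
    # the same line, and the LDAP entry holds exactly one spelling.
    (my $digits = $cli) =~ s/\D//g;
    return if $digits eq '';

    my $user = $p->get_attr('User-Name');

    if (!defined $user || $user eq '') {
        # CLI-only logon: the NAS-supplied number becomes the User-Name and,
        # as Hugh suggests, the User-Password too. The password is never
        # compared on the CLI path; it is only there so the request looks
        # complete to the rest of the processing.
        $p->delete_attr('User-Name');
        $p->add_attr('User-Name', $digits);
        $p->delete_attr('User-Password');
        $p->add_attr('User-Password', $digits);
    }
    elsif ($user =~ /^\d+$/ && $user ne $digits) {
        # A subscriber typed an all-digit name that is not their own line.
        # Unchanged it would match the CLI Handler, which checks no password.
        # Push it onto the password-checked path instead (assumed: no real
        # account name starts with "typed-").
        $p->change_attr('User-Name', "typed-$user");
    }
    # Any other User-Name, including a subscriber typing their own number,
    # goes through unchanged.
    return;
}
```

With this in place the common case costs one LDAP search (the CLI Handler), and only requests that carry a real User-Name reach the password-checked Handler, which is the 98/2 split the original poster asked for.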



Re: (RADIATOR) LDAP AUTH and MySQL Accounting

2001-10-05 Thread Hugh Irvine


Hello Andreas -

Have you got the correct AuthByPolicy set (as shown in my example)?

It should be AuthByPolicy ContinueAlways.

The trace file would seem to indicate that you are using the default, which 
is continue until accept or reject.

Either that or you have the AuthBy clauses in the wrong order - the AuthBy 
SQL that does the accounting must be before the AuthBy clause that actually 
does the authentication, so the result of the last AuthBy is the result of 
the authentication (again as shown in my example).

regards

Hugh
 

On Friday 05 October 2001 18:12, Andreas Häggander wrote:
> Hi again !
>
> >This is fairly straightforward to implement.
> >
> >Here is how to do it:
>
> I thought so too, but it still doesn't work.
>
> I used the config file you sent but i got:
>
> # Fri Oct  5 10:10:31 2001: DEBUG: Packet dump:
> *** Received from 212.73.0.14 port 49152 
> Code:   Access-Request
> Identifier: 76
> Authentic:  <0><0><12><133><0><0><20>~<0><0>i<9><0><0><2><220>
> Attributes:
>  User-Name = "[EMAIL PROTECTED]"
>  User-Password = "-T<206>_<241><222><29>R<10><194>v<190>i<17><196>3"
>  Acct-Session-Id = "984c"
>  NAS-IP-Address = 212.73.0.14
>  Shasta-SGROUP = "Shasta 5000: iSOS (tm), 2.5.3.0"
>  Service-Type = Framed-User
>  Framed-Protocol = PPP
>  NAS-Port = 123965696
>
> Fri Oct  5 10:10:31 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Oct  5 10:10:31 2001: DEBUG: SQLSDB Deleting session for [EMAIL PROTECTED], 212.73.0.14, 123965696
> Fri Oct  5 10:10:31 2001: DEBUG: do query is: delete from RADONLINE where
> NASIDENTIFIER='212.73.0.14' and NASPORT=0123965696
>
> Fri Oct  5 10:10:31 2001: DEBUG: Handling with Radius::AuthFILE: CheckFILE
> Fri Oct  5 10:10:31 2001: DEBUG: Radius::AuthFILE looks for match with
> [EMAIL PROTECTED]
> Fri Oct  5 10:10:31 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT,
> ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
> USERNAME='[EMAIL PROTECTED]'
>
> Fri Oct  5 10:10:31 2001: DEBUG: Radius::AuthFILE ACCEPT:
> Fri Oct  5 10:10:31 2001: DEBUG: Handling with Radius::AuthSQL
> Fri Oct  5 10:10:31 2001: INFO: Access rejected for mike@test:
> Authentication disabled
> Fri Oct  5 10:10:31 2001: DEBUG: Packet dump:
> *** Sending to 212.73.0.14 port 49152 
> Code:   Access-Reject
> Identifier: 76
> Authentic:  <0><0><12><133><0><0><20>~<0><0>i<9><0><0><2><220>
> Attributes:
>  Framed-IP-Address = 0.0.0.0
>  Framed-IP-Netmask = 0.0.0.0
>  Reply-Message = "Request Denied"
>
>
> I don't want to hold the user table in MySQL.
>
> /Andreas
>
> At 09:02 2001-10-05 +1000, Hugh Irvine wrote:
> >Hello Andreas -
> >
> >This is fairly straightforward to implement.
> >
> >Here is how to do it:
> >
> ># radius.cfg
> >
> >AuthPort1645
> >AcctPort1646
> >
> ># define Client(s)
> >
> >
> >  Secret  mysecret
> >  DupInterval 0
> >
> >
> ># define AuthBy(s)
> >
> >
> >Identifier CheckFILE
> >Filename  /usr/local/etc/users
> >DefaultSimultaneousUse 1
> >AcctLogFileName   /usr/local/etc/detail
> >
> >
> >
> > Identifier CheckLDAP
> > ..
> >
> >
> >
> >  Identifier AcctSQL
> >  DBSourcedbi:mysql:radius
> >  DBUsername  root
> >  DBAuth  hegge74
> >  AuthSelect
> >  AccountingTable ACCOUNTING
> >  AcctColumnDef   USERNAME,User-Name
> >  AcctColumnDef   TIME_STAMP,Timestamp,integer
> >  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
> >  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
> >  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
> >  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> >  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
> >  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
> >  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
> >  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
> >  AcctColumnDef   NASPORT,NAS-Port,integer
> >  AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
> >
> >
> ># define SessionDatabase
> >
> >
> >  Identifier SQLSDB
> >  DBSourcedbi:mysql:radius:localhost
> >  DBUsername  mysqluser
> >  DBAuth mysqlpasswd
> >
> >
> ># define Realm(s)
> >
> >
> >  AuthByPolicy ContinueAlways
> >  AuthBy AcctSQL
> >  AuthBy CheckLDAP
> >  SessionDatabase SQLSDB
> >
> >
> >
> >If you have any other questions, please ask.
> >
> >regards
> >
> >Hugh
> >
> >On Thursday 04 October 2001 22:36, Andreas Häggander wrote:
> > > Hi !
> > >
> > > I want to use LDAP for authentication and store the accounting in a MySQL
> > > database. At the same time i want to use a MySQL database for a session
> > > database.
> > >
> > > Is this possible ?
> > >
> > > I
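The two conditions Hugh lists, the policy and the clause order, are easiest to see by modelling what each AuthByPolicy does with a list of AuthBy results. This is an added Perl sketch, not Radiator code, and it models only the three policies that come up on this page. The clause results it assumes are the ones visible in the trace: AuthBy SQL with an empty AuthSelect answers REJECT ("Authentication disabled") to an Access-Request, while the FILE or LDAP clause answers ACCEPT for a valid password. The lesson is that under ContinueAlways the final clause's verdict is the reply, so a clause that exists only for accounting must never be last, and that under the default policy its REJECT would stop processing before LDAP is even consulted.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Radiator code: a model of how a Handler (or Realm)
# combines the results of its AuthBy clauses under the three AuthByPolicy
# values discussed in this thread. Results are the strings Radiator logs.
#
#   ContinueWhileIgnore  (the default) stop at the first ACCEPT or REJECT
#   ContinueUntilAccept  stop at the first ACCEPT
#   ContinueAlways       run every clause; the last result is the verdict

# Returns (verdict, trace of "clause=result" for the clauses actually run).
sub apply_policy {
    my ($policy, @clauses) = @_;   # each clause is [ name, result ]
    my @trace;
    my $final = 'IGNORE';          # nothing has spoken yet

    for my $clause (@clauses) {
        my ($name, $result) = @$clause;
        push @trace, "$name=$result";
        $final = $result;
        if    ($policy eq 'ContinueWhileIgnore') { last if $result ne 'IGNORE' }
        elsif ($policy eq 'ContinueUntilAccept') { last if $result eq 'ACCEPT' }
        elsif ($policy eq 'ContinueAlways')      { }     # never stop early
        else { die "unknown AuthByPolicy $policy\n" }
    }
    return ($final, join ', ', @trace);
}

# What the clauses in the thread return for an Access-Request (constructed
# from the trace above):
#  - AcctSQL has an empty AuthSelect, so for authentication it answers
#    REJECT ("Authentication disabled"); it only does real work on
#    Accounting-Requests.
#  - CheckFILE / CheckLDAP answer ACCEPT for a good password.
my %clause = (
    AcctSQL   => [ 'AcctSQL',   'REJECT' ],
    CheckFILE => [ 'CheckFILE', 'ACCEPT' ],
    CheckLDAP => [ 'CheckLDAP', 'ACCEPT' ],
);

my @cases = (
    # policy                 order                       what happens
    [ 'ContinueAlways',      [ 'CheckFILE', 'AcctSQL'   ] ], # order in the trace: REJECT
    [ 'ContinueAlways',      [ 'AcctSQL',   'CheckLDAP' ] ], # Hugh's order:       ACCEPT
    [ 'ContinueWhileIgnore', [ 'AcctSQL',   'CheckLDAP' ] ], # default policy:     REJECT, LDAP never asked
);

for my $case (@cases) {
    my ($policy, $order) = @$case;
    my ($verdict, $trace) = apply_policy($policy, map { $clause{$_} } @$order);
    printf "%-20s %-20s -> %-6s (%s)\n", $policy, join('>', @$order), $verdict, $trace;
}
```

The first case reproduces the trace in Andreas's message: AuthFILE accepts, AuthSQL is still consulted and its REJECT becomes the reply. Swapping the order, as in Hugh's configuration, keeps the accounting clause in the chain for every request but leaves the authentication clause with the final word.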

Re: (RADIATOR) LDAP AUTH and MySQL Accounting

2001-10-05 Thread Andreas Häggander

Hi again !

>This is fairly straightforward to implement.
>
>Here is how to do it:

I thought so too, but it still doesn't work.

I used the config file you sent but i got:

# Fri Oct  5 10:10:31 2001: DEBUG: Packet dump:
*** Received from 212.73.0.14 port 49152 
Code:   Access-Request
Identifier: 76
Authentic:  <0><0><12><133><0><0><20>~<0><0>i<9><0><0><2><220>
Attributes:
 User-Name = "[EMAIL PROTECTED]"
 User-Password = "-T<206>_<241><222><29>R<10><194>v<190>i<17><196>3"
 Acct-Session-Id = "984c"
 NAS-IP-Address = 212.73.0.14
 Shasta-SGROUP = "Shasta 5000: iSOS (tm), 2.5.3.0"
 Service-Type = Framed-User
 Framed-Protocol = PPP
 NAS-Port = 123965696

Fri Oct  5 10:10:31 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Oct  5 10:10:31 2001: DEBUG: SQLSDB Deleting session for [EMAIL PROTECTED], 
212.73.0.14, 123965696
Fri Oct  5 10:10:31 2001: DEBUG: do query is: delete from RADONLINE where 
NASIDENTIFIER='212.73.0.14' and NASPORT=0123965696

Fri Oct  5 10:10:31 2001: DEBUG: Handling with Radius::AuthFILE: CheckFILE
Fri Oct  5 10:10:31 2001: DEBUG: Radius::AuthFILE looks for match with 
[EMAIL PROTECTED]
Fri Oct  5 10:10:31 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT, 
ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='[EMAIL PROTECTED]'

Fri Oct  5 10:10:31 2001: DEBUG: Radius::AuthFILE ACCEPT:
Fri Oct  5 10:10:31 2001: DEBUG: Handling with Radius::AuthSQL
Fri Oct  5 10:10:31 2001: INFO: Access rejected for mike@test: 
Authentication disabled
Fri Oct  5 10:10:31 2001: DEBUG: Packet dump:
*** Sending to 212.73.0.14 port 49152 
Code:   Access-Reject
Identifier: 76
Authentic:  <0><0><12><133><0><0><20>~<0><0>i<9><0><0><2><220>
Attributes:
 Framed-IP-Address = 0.0.0.0
 Framed-IP-Netmask = 0.0.0.0
 Reply-Message = "Request Denied"


I don't want to hold the user table in MySQL.

/Andreas


At 09:02 2001-10-05 +1000, Hugh Irvine wrote:

>Hello Andreas -
>
>This is fairly straightforward to implement.
>
>Here is how to do it:
>
># radius.cfg
>
>AuthPort1645
>AcctPort1646
>
># define Client(s)
>
>
>  Secret  mysecret
>  DupInterval 0
>
>
># define AuthBy(s)
>
>
>Identifier CheckFILE
>Filename  /usr/local/etc/users
>DefaultSimultaneousUse 1
>AcctLogFileName   /usr/local/etc/detail
>
>
>
> Identifier CheckLDAP
> ..
>
>
>
>  Identifier AcctSQL
>  DBSourcedbi:mysql:radius
>  DBUsername  root
>  DBAuth  hegge74
>  AuthSelect
>  AccountingTable ACCOUNTING
>  AcctColumnDef   USERNAME,User-Name
>  AcctColumnDef   TIME_STAMP,Timestamp,integer
>  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>  AcctColumnDef   NASPORT,NAS-Port,integer
>  AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>
>
># define SessionDatabase
>
>
>  Identifier SQLSDB
>  DBSourcedbi:mysql:radius:localhost
>  DBUsername  mysqluser
>  DBAuth mysqlpasswd
>
>
># define Realm(s)
>
>
>  AuthByPolicy ContinueAlways
>  AuthBy AcctSQL
>  AuthBy CheckLDAP
>  SessionDatabase SQLSDB
>
>
>
>If you have any other questions, please ask.
>
>regards
>
>Hugh
>
>
>On Thursday 04 October 2001 22:36, Andreas Häggander wrote:
> > Hi !
> >
> > I want to use LDAP for authentication and store the accounting in a MySQL
> > database. At the same time i want to use a MySQL database for a session
> > database.
> >
> > Is this possible ?
> >
> > I have tried this (AUTH by FILE and not LDAP for so long), see below, but
> > I can't get it working with the SessionDB and the Accounting.
> > A
> >
> >
> > radius.cfg
> >
> > AuthPort1645
> > AcctPort1646
> >
> > 
> >  Secret  mysecret
> >  DupInterval 0
> > 
> >
> > 
> >
> >  
> >Filename  /usr/local/etc/users
> >DefaultSimultaneousUse 1
> >AcctLogFileName   /usr/local/etc/detail
> >  
> >
> > 
> >
> >  DBSourcedbi:mysql:radius
> >  DBUsername  root
> >  DBAuth  hegge74
> >
> >  AccountingTable ACCOUNTING
> >  AcctColumnDef   USERNAME,User-Name
> >  AcctColumnDef   TIME_STAMP,Timestamp,integer
> >  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
> >  AcctColumnDef   ACCT

Re: (RADIATOR) LDAP AUTH and MySQL Accounting

2001-10-04 Thread Hugh Irvine


Hello Andreas -

This is fairly straightforward to implement.

Here is how to do it:

# radius.cfg

AuthPort1645
AcctPort1646

# define Client(s)


 Secret  mysecret
 DupInterval 0


# define AuthBy(s)


   Identifier CheckFILE
   Filename  /usr/local/etc/users
   DefaultSimultaneousUse 1
   AcctLogFileName   /usr/local/etc/detail



Identifier CheckLDAP
..



 Identifier AcctSQL
 DBSourcedbi:mysql:radius
 DBUsername  root
 DBAuth  hegge74
 AuthSelect
 AccountingTable ACCOUNTING
 AcctColumnDef   USERNAME,User-Name
 AcctColumnDef   TIME_STAMP,Timestamp,integer
 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
 AcctColumnDef   NASPORT,NAS-Port,integer
 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address


# define SessionDatabase


 Identifier SQLSDB
 DBSourcedbi:mysql:radius:localhost
 DBUsername  mysqluser
 DBAuth mysqlpasswd


# define Realm(s)


 AuthByPolicy ContinueAlways
 AuthBy AcctSQL
 AuthBy CheckLDAP
 SessionDatabase SQLSDB



If you have any other questions, please ask.

regards

Hugh


On Thursday 04 October 2001 22:36, Andreas Häggander wrote:
> Hi !
>
> I want to use LDAP for authentication and store the accounting in a MySQL
> database. At the same time i want to use a MySQL database for a session
> database.
>
> Is this possible ?
>
> I have tried this (AUTH by FILE and not LDAP for so long), see below, but
> I can't get it working with the SessionDB and the Accounting.
> A
>
>
> radius.cfg
>
> AuthPort1645
> AcctPort1646
>
> 
>  Secret  mysecret
>  DupInterval 0
> 
>
> 
>
>  
>Filename  /usr/local/etc/users
>DefaultSimultaneousUse 1
>AcctLogFileName   /usr/local/etc/detail
>  
>
> 
>
>  DBSourcedbi:mysql:radius
>  DBUsername  root
>  DBAuth  hegge74
>
>  AccountingTable ACCOUNTING
>  AcctColumnDef   USERNAME,User-Name
>  AcctColumnDef   TIME_STAMP,Timestamp,integer
>  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>  AcctColumnDef   NASPORT,NAS-Port,integer
>  AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>
> 
> 
>
> 
>
>  DBSourcedbi:mysql:radius:localhost
>  DBUsername  mysqluser
>  DBAuth mysqlpasswd
>
> 
>
>
>
> Code:   Access-Request
> Identifier: 62
> Authentic:  <0><0>b<25><0><0>:<129><0><0>w<19><0><0>HS
> Attributes:
>  User-Name = "[EMAIL PROTECTED]"
>  User-Password = "<4><255>i<14><204>Ol<177><242>h<207><127><168><180><247><194>"
>  Acct-Session-Id = "983e"
>  NAS-IP-Address = x.x.x.x
>  Shasta-SGROUP = "Shasta 5000: iSOS (tm), 2.5.3.0"
>  Service-Type = Framed-User
>  Framed-Protocol = PPP
>  NAS-Port = 123965696
>
> Thu Oct  4 14:12:11 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Thu Oct  4 14:12:11 2001: DEBUG:  Deleting session for [EMAIL PROTECTED], x.x.x.x, 123965696
> Thu Oct  4 14:12:11 2001: DEBUG: Handling with Radius::AuthFILE:
> Thu Oct  4 14:12:11 2001: DEBUG: Radius::AuthFILE looks for match with
> [EMAIL PROTECTED]
> Thu Oct  4 14:12:11 2001: DEBUG: Radius::AuthFILE ACCEPT:
> Thu Oct  4 14:12:11 2001: DEBUG: Access accepted for [EMAIL PROTECTED]
> Thu Oct  4 14:12:11 2001: DEBUG: Packet dump:
> *** Sending to 212.73.0.14 port 49152 
> Code:   Access-Accept
> Identifier: 62
> Authentic:  <0><0>b<25><0><0>:<129><0><0>w<19><0><0>HS
>
> Attributes:
>  Framed-IP-Address = 0.0.0.0
>  Framed-IP-Netmask = 0.0.0.0
>
>
> Thu Oct  4 14:12:11 2001: DEBUG: Packet dump:
> *** Received from x.x.x.x port 49153 
> Code:   Accounting-Request
> Identifier: 89
> Authentic:  <227>O#qn<4>9<238><209>3<253><138>
> Attributes:
>  Acct-Status-Type = Start
> 

Re: (RADIATOR) LDAP Searchfilter rejects everyone!

2001-09-20 Thread Hugh Irvine


Hello Franklin -

First of all I would suggest that you upgrade to Radiator 2.18.4 which is the 
latest release. Then I will need to see a copy of your configuration file (no 
secrets) together with a trace 4 debug from Radiator showing what is going on.

You should also check to see if there is a more recent version of the Perl 
LDAP module that you are using.

regards

Hugh


On Thursday 20 September 2001 19:43, Franklin Kingma wrote:
> Hi,
>
> We upgraded OpenLDAP to v1.2.13 last week and since then the SearchFilter
> on our radius doesn't work anymore; everybody is rejected!
> We're using Radiator 1.16.3. Is there anything I can do to make it work
> again?
>
>
> franklin
>
>




RE: (RADIATOR) LDAP-Radiator hangs

2001-09-06 Thread Rolando Riley

I am running Radiator-2.15 and Openldap-2.0.7 on a Sun Netra with Solaris 7.

Radiator-2.15
openldap-2.0.7

R. Riley

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of Hugh Irvine
Sent: Wednesday, September 05, 2001 5:21 PM
To: Rolando Riley; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) LDAP-Radiator hangs



Hello Rolando -

It sounds like your LDAP server is causing the problem.

What version of Radiator are you running? On what hardware/software
platform?
And what LDAP server are you using?

thanks

Hugh


On Thursday 06 September 2001 07:24, Rolando Riley wrote:
> I have set auth to LDAP on my config and most of the time all the
> authentications go just fine.
> Although sometimes Radiator "hangs" or "gets stuck", eating 95.0 % of
> the CPU. At that point no user can auth and I have to do a kill -9 on
> radiusd to get it working well again. This is the logfile I have from it.
> I have done some debugging switching the trace to different modes, but I
> am clueless as to what is causing this error.
>
> --
>
> Wed Sep  5 11:52:34 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 157 from 216.219.28.131:1645
> Wed Sep  5 11:56:43 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 204 from 216.219.28.10:11813
> Wed Sep  5 12:21:21 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 197 from 216.219.28.131:1645
> Wed Sep  5 12:28:10 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 163 from 216.219.28.131:1645
> Wed Sep  5 12:33:46 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 73 from 216.219.28.131:1645
> Wed Sep  5 12:36:17 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 161 from 216.219.28.131:1645
> Wed Sep  5 12:36:22 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 165 from 216.219.28.131:1646
> Wed Sep  5 12:57:06 2001: ERR: ldap search failed with error
> LDAP_PARAM_ERROR. Disconnecting from LDAP server.
> Wed Sep  5 12:57:12 2001: ERR: ldap search failed with error
> LDAP_PARAM_ERROR. Disconnecting from LDAP server.
> Wed Sep  5 12:57:18 2001: ERR: ldap search failed with error
> LDAP_PARAM_ERROR. Disconnecting from LDAP server.
> Wed Sep  5 12:59:59 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 61 from 216.219.28.131:1645
> Wed Sep  5 13:03:44 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 163 from 216.219.28.131:1645
> Wed Sep  5 13:42:10 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 55 from 216.219.28.131:1645
> Wed Sep  5 13:42:11 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 65 from 216.219.28.131:1645
> .
>
> This is the realm
>
>
>
> 
>
>
> 
> MaxSessions 1
> 
> # Tell Radiator how to talk to the LDAP server
> Hostxxx.xxx.yy.yy
>
> AuthDN  cn=admin, dc=Michigan, dc=com
> AuthPasswordsecret
>
> BaseDN  ou=state, dc=Michigan, dc=com
>
> UsernameAttruid
>
> PasswordAttruserPassword
>
> # You can use CheckAttr, ReplyAttr and AuthAttrDef
> # to specify check and reply attributes in the LDAP
> # database. See the reference manual for more
> # information
>
> # These are the classic things to add to each users
> # reply to allow a PPP dialup session. It may be
> # different for your NAS. This will add some
> # reply items to everyone's reply
> #AddToReply Framed-Protocol = PPP,\
> #Framed-IP-Netmask = 255.255.255.255,\
> #Framed-Routing = None,\
> #Framed-MTU = 1500,\
> #Framed-Compression = Van-Jacobson-TCP-IP
>
> # You can enable debugging of the Net::LDAP
> # module with this:
> Debug 255
> 
>
> # Log accounting to the detail file in LogDir
> AcctLogFileName %L/detailu
> 
>
>
> ---
> Ing. Rolando Riley
> Administrador de Sistemas Unix
> AYAYAI.COM S.A.
> Tel: (507) 265-2424 ext. 408
> ---
>


Re: (RADIATOR) LDAP-Radiator hangs

2001-09-05 Thread Hugh Irvine


Hello Rolando -

It sounds like your LDAP server is causing the problem.

What version of Radiator are you running? On what hardware/software platform? 
And what LDAP server are you using?

thanks

Hugh


On Thursday 06 September 2001 07:24, Rolando Riley wrote:
> I have set auth to LDAP on my config and most of the time all the
> authentications go just fine.
> Although sometimes Radiator "hangs" or "gets stuck", eating 95.0 % of
> the CPU. At that point no user can auth and I have to do a kill -9 on
> radiusd to get it working well again. This is the logfile I have from it.
> I have done some debugging switching the trace to different modes, but I
> am clueless as to what is causing this error.
>
> --
>
> Wed Sep  5 11:52:34 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 157 from 216.219.28.131:1645
> Wed Sep  5 11:56:43 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 204 from 216.219.28.10:11813
> Wed Sep  5 12:21:21 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 197 from 216.219.28.131:1645
> Wed Sep  5 12:28:10 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 163 from 216.219.28.131:1645
> Wed Sep  5 12:33:46 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 73 from 216.219.28.131:1645
> Wed Sep  5 12:36:17 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 161 from 216.219.28.131:1645
> Wed Sep  5 12:36:22 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 165 from 216.219.28.131:1646
> Wed Sep  5 12:57:06 2001: ERR: ldap search failed with error
> LDAP_PARAM_ERROR. Disconnecting from LDAP server.
> Wed Sep  5 12:57:12 2001: ERR: ldap search failed with error
> LDAP_PARAM_ERROR. Disconnecting from LDAP server.
> Wed Sep  5 12:57:18 2001: ERR: ldap search failed with error
> LDAP_PARAM_ERROR. Disconnecting from LDAP server.
> Wed Sep  5 12:59:59 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 61 from 216.219.28.131:1645
> Wed Sep  5 13:03:44 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 163 from 216.219.28.131:1645
> Wed Sep  5 13:42:10 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 55 from 216.219.28.131:1645
> Wed Sep  5 13:42:11 2001: WARNING: Unknown reply received in AuthRADIUS for
> request 65 from 216.219.28.131:1645
> .
>
> This is the realm
>
>
>
> 
>
>
> 
> MaxSessions 1
> 
> # Tell Radiator how to talk to the LDAP server
> Hostxxx.xxx.yy.yy
>
> AuthDN  cn=admin, dc=Michigan, dc=com
> AuthPasswordsecret
>
> BaseDN  ou=state, dc=Michigan, dc=com
>
> UsernameAttruid
>
> PasswordAttruserPassword
>
> # You can use CheckAttr, ReplyAttr and AuthAttrDef
> # to specify check and reply attributes in the LDAP
> # database. See the reference manual for more
> # information
>
> # These are the classic things to add to each users
> # reply to allow a PPP dialup session. It may be
> # different for your NAS. This will add some
> # reply items to everyone's reply
> #AddToReply Framed-Protocol = PPP,\
> #Framed-IP-Netmask = 255.255.255.255,\
> #Framed-Routing = None,\
> #Framed-MTU = 1500,\
> #Framed-Compression = Van-Jacobson-TCP-IP
>
> # You can enable debugging of the Net::LDAP
> # module with this:
> Debug 255
> 
>
> # Log accounting to the detail file in LogDir
> AcctLogFileName %L/detailu
> 
>
>
> ---
> Ing. Rolando Riley
> Administrador de Sistemas Unix
> AYAYAI.COM S.A.
> Tel: (507) 265-2424 ext. 408
> ---
>




Re: (RADIATOR) LDAP and Database

2001-07-03 Thread Hugh Irvine


Hello Olaf -

Sure - just configure an AuthBy LDAP clause and an AuthBy SQL clause, 
and do something like this in your configuration file:

# define AuthBy clauses


Identifier CheckLDAP
.



Identifier SQLAccounting
.


# define Handlers


AuthBy SQLAccounting
.



AuthBy CheckLDAP
.



regards

Hugh



At 16:37 +0200 01/7/3, Olaf Waitkus wrote:
>Hi all,
>sorry if you heard this one before:
>is it possible to authenticate by LDAP and write the accounting records
>to a SQL-Database at the same time?
>Thanks and regards
>Olaf
>

-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



Re: (RADIATOR) Ldap groups

2001-06-05 Thread Hugh Irvine


Hello Eric -

You can supply your own SearchQuery in the AuthBy LDAP2 clause to do whatever 
you require. This has been discussed and examples have been posted to the 
Radiator mailing list, so have a look at the archive and do a search.

www.open.com.au/archives/radiator/

hth

Hugh


On Wednesday 06 June 2001 11:20, Eric Lackey wrote:
> Is there a way to use AuthByLDAP or AuthByLdap2 to authenticate against
> an ldap group?  I am using Netscape Directory Server and have a dn like
> cn=Group1,ou=Groups,o=domain.com.  Within Group1, I have multiple
> uniquemember attributes that put specific users in that group.  I need to
> know if you can somehow tell Radiator to allow users to authenticate if
> they are in that group.  This is similar to PAM's pam_groupdn attribute, if
> you are familiar with it. If you need me to explain further, please let me
> know.
>
> Thanks,
>
> Eric Lackey
> ISDN-Net Operations
> [EMAIL PROTECTED]




RE: (RADIATOR) LDAP with MIMEBASE64 and MD5 trouble

2001-02-07 Thread Ingvar Berg (ERA)

Are you sure you don't get CHAP password from the NAS?

/Ingvar

-Original Message-
From: Frederic Gargula [mailto:[EMAIL PROTECTED]]
Sent: den 7 februari 2001 16:26
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Robin Gruyters; Claude Iyi Dogan
Subject: (RADIATOR) LDAP with MIMEBASE64 and MD5 trouble


Hi all,


I'm testing authentication with Radiator 2.17.1 on OpenLDAP 1.2.11 (each
on a separate server, both on a private testing network), and I have
trouble with MD5 encryption.

On the LDAP server, passwords are stored in the form :

{MD5}ZviHb9U7k5r2YaTNG6QuTA==   [this format is known as MD5 with MIME]


Following the documentation, and particularly sections 13.1.1 and
13.1.2, Radiator supports this encrypted format for both 'User-Password'
and 'Encrypted-Password' check items.

I've tried both, and I have :

-using 'User-Password' :

> 
> Tue Feb  6 10:19:12 2001: DEBUG: Handling with Radius::AuthLDAP2
> Tue Feb  6 10:19:12 2001: DEBUG: Connecting to 192.168.100.10, port 389
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got result for
> [EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet.net
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got userpassword: {MD5}ZviHb9U7k5r2YaTNG6QuTA==
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got idletime: 0
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got ippool: 1
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
> Tue Feb  6 10:19:12 2001: DEBUG: LDAP got iproutemetric: 2
> Tue Feb  6 10:19:12 2001: DEBUG: Radius::AuthLDAP2 looks for match with 
>[EMAIL PROTECTED]
> Tue Feb  6 10:19:12 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password

-using 'Encrypted-Password' :

>  Tue Feb  6 10:50:25 2001: DEBUG: Handling with Radius::AuthLDAP2
> Tue Feb  6 10:50:25 2001: DEBUG: Connecting to 192.168.100.10, port 389
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got result for
> [EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet.net
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got userpassword:{MD5}ZviHb9U7k5r2YaTNG6QuTA==
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got idletime: 0
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got ippool: 1
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
> Tue Feb  6 10:50:25 2001: DEBUG: LDAP got iproutemetric: 2
> Tue Feb  6 10:50:25 2001: DEBUG: Radius::AuthLDAP2 looks for match with
> [EMAIL PROTECTED]
> Tue Feb  6 10:50:25 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password

I'm sure of my password, and I don't understand why Radiator still
rejects my requests.

I've seen many past posts in this mailing list, and I remember Robin
Gruyters's one, on Jun 13 2000 :

> hi,
> 
> Because we use in our LDAP for password md5 with MIME64
> (userpassword={MD5}qP0OV/oViFka8YbFMWEWeg==)
> We had to make some changes in the Radius.pm file. Here is a patch:
> 
> --- Radius.pm   Tue Jun 13 10:25:10 2000
> +++ Radiusmd5.pmTue Jun 13 10:26:12 2000
> @@ -708,6 +708,18 @@
> # via Apache::AuthenRadius or similar
> $result = &check_digest_password($user, $submitted_pw,
> $pw);
> }
> +elsif ($pw =~ /^{MD5}/)
> +{
> +require MIME::Base64;
> +require Digest::MD5;
> +my $context = new MD5;
> +$context->reset();
> +$context->add("$submitted_pw");
> +
> +my $tmppw =  "{MD5}" .
> MIME::Base64::encode_base64($context->digest());
> +chomp($tmppw);
> +$result = ($tmppw eq $pw);
> +}
> else
> {
> # Just ordinary old plaintext, look for an exact match
> 
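Review bot: in the added `elsif ($pw =~ /^{MD5}/)` branch, `require Digest::MD5` is followed by `my $context = new MD5;`, so the constructor is looked up in the `MD5` package, which this code never loads; it only works on hosts where the legacy MD5 module happens to be installed. Use `Digest::MD5->new` (or simply `Digest::MD5::md5($submitted_pw)` and skip the object), drop the redundant `reset()` on a freshly built object, and replace the `chomp` with `MIME::Base64::encode_base64($context->digest(), '')`, which omits the trailing newline in the first place. Escaping the braces, `/^\{MD5\}/`, avoids the unescaped-left-brace warning newer perls emit. Note also that Frederic's grep below shows AuthGeneric.pm in 2.17.1 already contains this branch, so the patch is against an older release and should not be applied on top of it.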

I don't understand why he has to patch Radius.pm, because following the
Class Hierarchy on section 17.5, the AuthLDAP2 inherits from
AuthGeneric.

Nowhere else does the {MD5} encryption appear:

morrison:/usr/local/src/Radiator-2.17.1/Radius$ grep "{MD5}" *
AuthGeneric.pm:elsif ($pw =~ /^{MD5}/)
AuthGeneric.pm: $cmp_pass = '{MD5}' .
MIME::Base64::encode_base64($md5->digest());
AuthGeneric.pm:  $cmp_pass = "{MD5}" . $md5->hexdigest();


I've put my config file in attachment.


Is the inheritance working?
Does anyone have any idea about my trouble?



-- 
Frederic Gargula
Systems Designer
Easynet France

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
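To make Frederic's question and Ingvar's reply concrete, here is an added Perl example (not Radiator code and not the patch quoted above) that checks a PAP password against an LDAP `{MD5}` value in both the base64 form OpenLDAP writes and the hex form visible in the AuthGeneric.pm grep output, and then shows why the same stored value is useless for CHAP: the server has to recompute MD5(id || password || challenge), which needs the plaintext. It uses only the core modules Digest::MD5 and MIME::Base64; the stored value and the CHAP-Challenge are constructed for the demonstration (the hash is of the password "password"). Unsalted MD5 is a weak password store in its own right, but that is separate from the CHAP point.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5 md5_hex);
use MIME::Base64 qw(encode_base64);

# Added example, not Radiator code: how a "{MD5}" password attribute is
# checked for PAP, and why the same stored value cannot satisfy CHAP.

# Return 1 if $submitted (the plaintext from a PAP User-Password) matches a
# stored "{MD5}" value, in either the base64 form OpenLDAP writes
# ({MD5}X03MO1qnZdYdgyfeuILPmQ==) or the 32-hex-digit form.
sub check_md5_password {
    my ($submitted, $stored) = @_;
    return 0 unless defined $stored && $stored =~ /^\{MD5\}(.+)$/i;
    my $encoded = $1;
    if ($encoded =~ /^[0-9a-f]{32}$/i) {
        return lc($encoded) eq md5_hex($submitted) ? 1 : 0;
    }
    # Empty line terminator: no trailing newline, so nothing to chomp.
    return encode_base64(md5($submitted), '') eq $encoded ? 1 : 0;
}

# CHAP (RFC 1994): the client sends id . MD5(id . password . challenge).
# The server must repeat exactly that computation, so it needs the
# plaintext password, not a hash of it.
sub chap_response {
    my ($id, $password, $challenge) = @_;
    return chr($id) . md5(chr($id) . $password . $challenge);
}

# Verify a CHAP-Password attribute (id byte followed by the 16-byte digest)
# against the CHAP-Challenge, given the plaintext password. Returns 1/0.
sub check_chap {
    my ($password, $challenge, $chap_password) = @_;
    return 0 unless length($chap_password) == 17;
    my $id = ord(substr($chap_password, 0, 1));
    return chap_response($id, $password, $challenge) eq $chap_password ? 1 : 0;
}

# --- demonstration on constructed values ---
my $stored = '{MD5}X03MO1qnZdYdgyfeuILPmQ==';   # base64(MD5("password"))
printf "PAP  'password' vs stored : %d\n", check_md5_password('password', $stored);
printf "PAP  'Password' vs stored : %d\n", check_md5_password('Password', $stored);
printf "PAP  hex form             : %d\n",
    check_md5_password('password', '{MD5}5f4dcc3b5aa765d61d8327deb882cf99');

# A CHAP client never sends the password, only a response to the challenge.
my $challenge = pack('C16', 1 .. 16);             # constructed CHAP-Challenge
my $chap      = chap_response(7, 'password', $challenge);
printf "CHAP with plaintext known : %d\n", check_chap('password', $challenge, $chap);

# With only "{MD5}..." on hand there is no plaintext to feed chap_response(),
# so a CHAP request against an MD5-hashed LDAP entry can only be rejected.
# Feeding the stored string in as if it were the password shows the mismatch.
printf "CHAP with stored hash only: %d\n", check_chap($stored, $challenge, $chap);
```

The first, third and fourth lines print 1 and the others 0. If the NAS is configured for CHAP, as Ingvar suspects, the LDAP entry must hold the plaintext (or the NAS must be switched to PAP, which then needs the RADIUS transport and the LDAP bind protected accordingly); no amount of patching the {MD5} comparison changes that.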



Re: (RADIATOR) LDAP lookup causes Radiator to exit

2001-02-04 Thread Hugh Irvine


Hello Stuart -

The manual recommends using AuthBy LDAP2 with the perl-ldap module, have you 
tried using that instead? Section 6.32 in the reference manual.

regards

Hugh

On Monday 05 February 2001 14:01, Stuart Clifton wrote:
> I know I am only currently evaluating the product but please assist.
> I have installed the NET::LDAPapi Module 1.42 running under Perl
> 5.005_03 and Solaris 8
> I installed the NET::LDAPapi Module with Netscape's LDAP SDK 3.0 (as 4.1
> did not work)
>
> I am at the point after the make test ie the final test (point 12
> http://www.open.com.au/radiator/install.html)
> This test against the file authentication works fine everytime but
> against my Netscape Directory Server 4.12 I get the following (there are
> 2 configurations and 2 results listed):
>
> CONFIGURATION 1
>
>
> # myldap.cfg
> #
> # You should consider this file to be a starting point only
> # $Id: ldap.cfg,v 1.2 2000/02/15 07:07:54 mikem Exp $
>
> Foreground
> LogStdout
> LogDir  .
> DbDir   .
> Trace   4
>
> # You will probably want to change this to suit your site.
> <Client DEFAULT>
> Secret  mysecret
> DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> <AuthBy LDAP>
> # Tell Radiator how to talk to the LDAP server
> Host dir01.dingoblue.com.au
>
> # You will only need these if your LDAP server
> # requires authentication:
> #AuthDN  cn=Directory Manager
> #AuthPassword - Replaced
>
> # This is the top of the search tree where users
> # will be found. It should match the configuration
> # of your server
> BaseDN  o=ISP
>
> # This is the attribute to match the radius user name
> UsernameAttr uid
> # If you don't specify ServerChecksPassword, you
> # need to tell Radiator which attribute contains
> # the password. It can be plaintext or encrypted
> #EncryptedPasswordAttr userPassword
> PasswordAttr userpassword
>
> # You can use CheckAttr, ReplyAttr and AuthAttrDef
> # to specify check and reply attributes in the LDAP
> # database. See the reference manual for more
> # information
>
> # These are the classic things to add to each user's
> # reply to allow a PPP dialup session. It may be
> # different for your NAS. This will add some
> # reply items to everyone's reply
> AddToReply Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-Routing = None,\
> Framed-MTU = 1500,\
> Framed-Compression = Van-Jacobson-TCP-IP
>
> # You can enable debugging of the Net::LDAP
> # module with this:
> #Debug 255
> </AuthBy>
> # Log accounting to the detail file in LogDir
> AcctLogFileName ./detail
> </Realm>
>
>
> RESULT
>
>
> # perl radiusd -config_file goodies/myldap.cfg
> This Radiator license will expire on 2001-03-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/radiator/ordering.html
>
> Mon Feb  5 13:31:07 2001: INFO: Server started: Radiator 2.17.1 on
> auth01 (DEMO)
> Mon Feb  5 13:31:22 2001: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 33632 
> Code:   Access-Request
> Identifier: 67
> Authentic:  1234567890123456
> Attributes:
> User-Name = "fred"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> User-Password =
> "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Mon Feb  5 13:31:22 2001: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Feb  5 13:31:22 2001: DEBUG:  Deleting session for fred,
> 203.63.154.1, 1234
> Mon Feb  5 13:31:22 2001: DEBUG: Handling with Radius::AuthLDAP
> Mon Feb  5 13:31:22 2001: DEBUG: Connecting to dir01.dingoblue.com.au,
> port 389
> Mon Feb  5 13:31:22 2001: DEBUG: LDAP got result for uid=fred,o=ISP
> Mon Feb  5 13:31:22 2001: DEBUG: LDAP got userpassword:
> {SHA}MQF6ciZl5K/OWGlQ9ClEptMx2r8=
> Mon Feb  5 13:31:22 2001: DEBUG: Radius::AuthLDAP looks for match with
> fred
> #
>
> CONFIGURATION 2
>
>
> # myldap.cfg
> #
> # You should consider this file to be a starting point only
> # $Id: ldap.cfg,v 1.2 2000/02/15 07:07:54 mikem Exp $
>
> Foreground
> LogStdout
> LogDir  .
> DbDir   .
> Trace   4
>
> # You will probably want to change this to suit your site.
> <Client DEFAULT>
> Secret  mysecret
> DupInterval 0
> </Client>
>
> 
> 
> # Tell Radiator how to talk to the LDAP server
>  

Re: (RADIATOR) LDAP

2001-01-09 Thread Hugh Irvine


Hello Gordon -

On Wednesday 10 January 2001 07:48, Gordon L. Foster wrote:

> > I am currently using LDAP for my authentication. My base DN is o=otz.net.
> Is it possible to specify organizational units as well? Example:
>
> Base DN ou=freemail, o=otz.net
>

It might be simpler to specify a SearchFilter.

Section 6.32.13 in the Radiator 2.17.1 reference manual.

regards

Hugh





(RADIATOR) Re: Radiator/LDAP hangs on binary username! (repost, upon request)

2000-12-04 Thread Hugh Irvine


Hello Dave -

At 8:10 -0500 4/12/00, Dave Kitabjian wrote:
>  > From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
>>
>>  Hello Dave -
>>
>>  At 11:11 -0500 30/11/00, Dave Kitabjian wrote:
>>  >I believe it's a BUG.
>>  >
>>  >Please see my post from last week:
>>  >
>>  >   "Radiator/LDAP hangs on binary username!"
>>
>>
>>  I don't believe I have seen this - can you repost?
>>
>
>Attached is a repost.
>
>>As I have said many times, you are much better off just rejecting
>>usernames that contain rubbish. This topic has been discussed on the
>>list several times and I have posted examples. Have a look at the
>>archive:
>
>I'm sorry, I had searched the archive for "binary username" and other
>things, but I couldn't find anything. I'll take another look.
>

OK - I did see it, but I saw some other follow-ups so I didn't add 
any comments.

You should probably search for RewriteUsername, or character class, 
or negative lookahead assertion (which was incorrect, but I followed 
up with a correction).

hth

Hugh
-- 

NB: I am travelling this week, so there may be delays in our correspondence.





Re: (RADIATOR) LDAP Queries, using groups

2000-10-20 Thread Hugh Irvine


Hello Michael -

On Sat, 21 Oct 2000, [EMAIL PROTECTED] wrote:
> I'm pretty new to this mailing-list - sorry if this question was answered
> before - but I haven't found a complete answer when searching the archives.
> 
> First I'd like to state that I'm pretty happy with Radiator - very good product
> at reasonable price!
> 

Thanks for the kind words.

> My problem is that I have to authenticate a group of users against Win2k
> Domain and other LDAP-sources.
> Due to the fact that Radiator is (AND WILL) be running on Unix I'm not
> able to use the ADSI AuthHandler.
> But I succeeded in authenticating Win2k-Users thru the Authby-LDAP2.
> The only thing that is left is the following:
> HOW CAN I check if a particular user is a member of a specified LDAP-group?
> It works fine if the user is just in one single group (LDAP-memberof has only
> one instance) but if the user belongs to multiple groups then only
> the first group is checked against (see below).
> 
> my part of config-file:
>  (test-group is initialized in the preauth-hook w/ the groupname)
>  AuthAttrDef memberof, test-group, check
> 
> Line 445 in AuthLDAP2.pm (Radiator 2.16.3):
>  $user->get_check->add_attr($attrib, $$vals[0]);
> 
> ANY HINTS OR SUGGESTIONS FOR A WORKING SOLUTION???
> or should I write my own handler ???
> 

I think the simplest thing would be to use the "SearchFilter" parameter to
specify your own LDAP query (w/o the PreAuthHook). This has been discussed on
the list previously - do a search on "SearchFilter".

> Best regards,
> 
> With kind regards
> 

Thanks -

Hugh




Re: (RADIATOR) LDAP retries?

2000-10-19 Thread Hugh Irvine


Hello Mark -

On Fri, 20 Oct 2000, Mark O'Leary wrote:
> Hopefully an easily-answered query.
> 
> My Radiator installation authenticates using a customised LDAP module (see 
> posts to this list passim). This module is designed to fire off a single 
> authentication attempt.
> 
> However, the administrators of the LDAP server that I connect to (for complex 
> reasons, I don't 'own' the database I authenticate against) are seeing 
> multiple authentication attempts in rapid succession. 
> 
> This presents problems, because if a dialup user accidentally presents the 
> wrong password, the LDAP server is hit multiple times with that password, and 
> the underlying NDS user object that is being authenticated against registers 
> this as multiple bad attempts at access, and invokes a security lockout 
> (intended to defend against brute force cracking attempts). 
> 
> In effect, one mistake locks the user out for a couple of hours until the 
> security lock expires, even if they subsequently correct their error.
> 
> As I mentioned my module makes only one authentication attempt per 
> invocation, but:
> 
> 1) Could the core Radiator code be calling it more than once for the same 
> login attempt?
> 
> or (as seems more likely)
> 
> 2) is the users PC getting impatient waiting for the authentication response, 
> and re-trying whilst radiator is still coping with the previous request?
> 
> (put another way, is a single radius request from the RAS triggering multiple 
> LDAP responses from Radiator, or is Radiator issuing one LDAP per request as 
> desired, but being repeatedly requested to do this via radius traffic from 
> the RAS?)
> 
> Any suggestions as to how I can ensure only one LDAP authentication request 
> per dialup login? It's causing us big problems here 8(
> 

I will need to see a copy of your configuration file (no secrets) together with
a trace 4 debug showing what is happening.

thanks

Hugh


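Mark's second hypothesis, the NAS retransmitting while the LDAP lookup for the first copy is still in flight, can be settled from exactly the trace 4 output Hugh asks for: a retransmission carries the same Identifier and the same request Authenticator from the same client, so it shows up as a repeated "Packet dump" header a few seconds after the first. The Python below is an added example, not part of the thread and not Radiator code; it parses a constructed trace in the shape of the packet dumps quoted earlier on this page (the NAS address, timestamps and authenticators are made up) and reports the requests that repeat an earlier one within a window.

```python
import re
from datetime import datetime

# Constructed sample shaped like Radiator Trace 4 packet dumps. Request 67
# arrives, is retransmitted by the NAS 3 s later (same Identifier and
# Authenticator), a different user logs in, then the first user tries again
# with a fresh Authenticator even though the NAS reused Identifier 67.
SAMPLE_TRACE = """\
Fri Oct 20 09:15:01 2000: DEBUG: Packet dump:
*** Received from 10.0.0.5 port 1645 ....
Code:       Access-Request
Identifier: 67
Authentic:  a1b2c3d4e5f60718
Attributes:
        User-Name = "fred"
        NAS-IP-Address = 10.0.0.5

Fri Oct 20 09:15:04 2000: DEBUG: Packet dump:
*** Received from 10.0.0.5 port 1645 ....
Code:       Access-Request
Identifier: 67
Authentic:  a1b2c3d4e5f60718
Attributes:
        User-Name = "fred"
        NAS-IP-Address = 10.0.0.5

Fri Oct 20 09:15:05 2000: DEBUG: Packet dump:
*** Sending to 10.0.0.5 port 1645 ....
Code:       Access-Reject
Identifier: 67
Authentic:  ffffffffffffffff
Attributes:

Fri Oct 20 09:15:30 2000: DEBUG: Packet dump:
*** Received from 10.0.0.5 port 1645 ....
Code:       Access-Request
Identifier: 68
Authentic:  0011223344556677
Attributes:
        User-Name = "bob"

Fri Oct 20 09:20:00 2000: DEBUG: Packet dump:
*** Received from 10.0.0.5 port 1645 ....
Code:       Access-Request
Identifier: 67
Authentic:  deadbeef00000001
Attributes:
        User-Name = "fred"
"""

_DUMP_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}): DEBUG: Packet dump:")
_FROM_RE = re.compile(r"^\*\*\* Received from (\S+) port (\d+)")
_FIELD_RE = re.compile(r"^(Code|Identifier|Authentic):\s*(\S+)")
_USER_RE = re.compile(r'^\s*User-Name = "([^"]*)"')


def parse_requests(trace):
    """Return one dict per *received* Access-Request in the trace, in order.
    Replies ("*** Sending to") and other codes are skipped."""
    requests, current = [], None

    def flush():
        if current and current.get("code") == "Access-Request" and "host" in current:
            requests.append(current)

    for line in trace.splitlines():
        m = _DUMP_RE.match(line)
        if m:
            flush()
            current = {"time": datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"),
                       "user": None}
            continue
        if current is None:
            continue
        m = _FROM_RE.match(line)
        if m:
            current["host"], current["port"] = m.group(1), int(m.group(2))
            continue
        m = _FIELD_RE.match(line)
        if m:
            field, value = m.groups()
            key = {"Code": "code", "Identifier": "identifier", "Authentic": "authenticator"}[field]
            current[key] = int(value) if key == "identifier" else value
            continue
        m = _USER_RE.match(line)
        if m:
            current["user"] = m.group(1)
    flush()
    return requests


def find_retransmissions(requests, window_seconds=10):
    """Requests that repeat an earlier (client, Identifier, Authenticator)
    within the window. A genuinely new attempt gets a new Authenticator even
    when the NAS recycles the Identifier, so it is not flagged."""
    last_seen, dups = {}, []
    for req in sorted(requests, key=lambda r: r["time"]):
        key = (req["host"], req["identifier"], req["authenticator"])
        prev = last_seen.get(key)
        if prev is not None and (req["time"] - prev).total_seconds() <= window_seconds:
            dups.append(req)
        last_seen[key] = req["time"]
    return dups


def backend_attempts(requests, window_seconds=10, dedupe=True):
    """Backend (LDAP) authentications per user: every received request costs
    one unless duplicates are suppressed, which is the job of the Client
    DupInterval parameter on the server side."""
    skip = {id(r) for r in find_retransmissions(requests, window_seconds)} if dedupe else set()
    counts = {}
    for req in requests:
        if id(req) in skip:
            continue
        counts[req["user"]] = counts.get(req["user"], 0) + 1
    return counts


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_TRACE)
    for d in find_retransmissions(reqs):
        print("retransmit:", d["time"], d["host"], d["identifier"], d["user"])
    print("without dedup:", backend_attempts(reqs, dedupe=False))
    print("with dedup:   ", backend_attempts(reqs, dedupe=True))
```

Two things to check once the trace confirms retransmissions. First, the configs quoted on this page all set `DupInterval 0` in the Client clause, which turns Radiator's own duplicate detection off; with a non-zero DupInterval a repeat of the same Identifier and Authenticator from the same client inside that many seconds is discarded rather than handed to the AuthBy again. Second, the NAS retransmit timer has to be longer than the LDAP round trip, or the NAS keeps generating duplicates faster than any server-side window can absorb them; that is a NAS setting, not a Radiator one.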



Re: (RADIATOR) LDAP woes

2000-08-29 Thread Christian Hammers

Hello Tu

> >>  On Sat, 26 Aug 2000, Tu Nguyen wrote:
> >>  >  Has anyone out there successful in using Radiator to authenticate
> >>  > with LDAP? I can't seem to get radiator to send the password.
> >>  > Below is the log when using radpwtst for user=joe with an incorrect
> >>  > password. I always get "Access-Accept", even with a wrong password.
> >>  > Sniffer trace shows no sign of the password either.

Mail me if you still have problems, I run radius with LDAP here w/o problems.
(Wrong passwords cause a deny here, wrong usernames also)

bye,

 -christian-

Sample:

LDAP:
cn=8W10829,ou=dialupAccounts,ou=10829,ou=kunden,dc=westend,dc=com
cn=8W10829
objectclass=westendRadiusAccount
radiususername=8W10829
radiuspassword=
radiusprofile=westend-dynamic-dialup

profiles.westend:
westend-dynamic-dialup:cisco: \
Framed-Protocol=PPP, \
Framed-Routing=None, \
Service-Type=Framed-User, \
cisco-avpair="ip:dns-servers=212.117.64.86 212.117.67.2", \
cisco-avpair="ip:addr-pool=setup_pool"
[similar for :ascend: as we have two dialin routers, Ascend MAX and AS5300]


radiator.conf:
  
Host.westend.com
AuthDN  cn=XX,ou=XXX,dc=westend,dc=com
AuthPasswordXX
BaseDN  dc=westend,dc=com
HoldServerConnection
  
UsernameAttr RadiusUsername
PasswordAttr RadiusPassword

AuthAttrDef RadiusService-Type, Service-Type,   check

AuthAttrDef RadiusAscend-Client-Primary-DNS,Ascend-Client-Primary-DNS,reply
AuthAttrDef RadiusAscend-Client-Secondary-DNS,Ascend-Client-Secondary-DNS,reply
AuthAttrDef RadiusAscend-Idle-Limit,Ascend-Idle-Limit,  reply
AuthAttrDef Radiuscisco-avpair, cisco-avpair,   reply
...
AuthAttrDef RadiusProfile,  Profile,reply
  
  PostAuthHook  file:"%D/hook.replaceProfiles"


-- 
Christian HammersWESTEND GmbH - Aachen und Dueren Tel 0241/701333-0
[EMAIL PROTECTED] Internet & Security for ProfessionalsFax 0241/911879
   WESTEND ist CISCO Systems Partner - Premium Certified




Re: (RADIATOR) LDAP connection re-usage

2000-08-28 Thread Hugh Irvine


Hello Bruno -

You can add an Identifier to the AuthBy LDAP2 clause and then access 
it in the hook with something like this:

my $authby = Radius::AuthGeneric::find('your_identifier');

then you can use all the internal routines like this:

my $rc = $authby->.

hth

Hugh


At 15:56 +0100 28/8/00, Bruno Tiago Rodrigues wrote:
>hi there.
>
>we've been using Radiator for quite a while as a proxy, twiddling
>configurations and getting strange conclusions about smoothly migrating from
>Sun Radius to Radiator.
>we're currently looking for the following behaviour:
>
>
>authentication packets : LDAP  (AuthbyLDAP2.pm) [checking username and
>password ONLY] and some trivial LDAP fields comparisons.
>
>accounting packets : a post_auth hook which basically does all the work
>comparing, tweaking and returning user attributes (usage time and all that
>stuff). post_auth hooks work fine for us, but since we're using LDAP, it
>would be theoretically better to keep an open connection to the LDAP server
>(the same connection used on AuthbyLDAP2.pm would just be perfect! ). The
>problem is... since the connection is part of a structure passed over and
>over, is there any way we can use it inside hooks ? (the same way as we use
>it on AuthbyLDAP2.pm, on the reconnect method, ie: reconnecting if the
>connection was lost or never made or returning the open socket if it
>exists). How can we reach that structure? Is it based on a global variable
>or something ?
>
>suppose we can't reuse the LDAP connection AuthbyLDAP2.pm uses. Can we use a
>startup hook to create a global LDAP connection so it can be used outside
>it, in all post_auth hooks we need to? We've been looking at the code
>examples and having some problems defining a global variable? Would someone
>be kind enough to show us a working example other than the /goodies one
>we've got?
>
>thanks in advance
>
>-Bruno Rodrigues
>
>
>



Re: (RADIATOR) LDAP woes

2000-08-28 Thread Hugh Irvine


Hello Nguyen -

The latest version of Radiator is 2.16.3. I recommend that you 
download it and use that as there is much improved LDAP support.

regards

Hugh


At 9:38 -0600 26/8/00, Tu Nguyen wrote:
>On Sat, 26 Aug 2000, Hugh Irvine wrote:
>
>>
>>
>>  Hello Nguyen -
>>
>>  On Sat, 26 Aug 2000, Tu Nguyen wrote:
>>  > Hi All:
>>  >  Has anyone out there successful in using Radiator to authenticate
>>  > with LDAP? I can't seem to get radiator to send the password.
>>  > Below is the log when using radpwtst for user=joe with an incorrect
>>  > password. I always get "Access-Accept", even with a wrong password.
>>  > Sniffer trace shows no sign of the password either.
>>  > Can anyone advise me? Below are the logfile, console and my ldap.cfg.
>>  >
>>
>>  In normal operation, Radiator does not send the password to the LDAP server,
>>  rather it looks up the user and pulls the password back to check it itself.
>>  Your configuration file is looking for the contents of the LDAP attribute
>>  "passwd" to use as the password check, and I suspect that field 
>>does not exist.
>>
>>  What version of Radiator are you running?
>
>I am using  Radiator-2.9.
>
>>
>>  thanks
>>
>>  Hugh
>>  ..
>>  ..
>
>--
>Tu Nguyen   Information Technologies
>The University of Calgary   voice: (403)220-5155
>UCS, 2500 University DR NW, Calgary,AB  fax  : (403)282-9199
>Canada, T2N-1N4email:  [EMAIL PROTECTED]




Re: (RADIATOR) LDAP woes

2000-08-26 Thread Tu Nguyen


On Sat, 26 Aug 2000, Hugh Irvine wrote:

> 
> 
> Hello Nguyen -
> 
> On Sat, 26 Aug 2000, Tu Nguyen wrote:
> > Hi All:
> >  Has anyone out there successful in using Radiator to authenticate
> > with LDAP? I can't seem to get radiator to send the password.
> > Below is the log when using radpwtst for user=joe with an incorrect
> > password. I always get "Access-Accept", even with a wrong password.
> > Sniffer trace shows no sign of the password either.
> > Can anyone advise me? Below are the logfile, console and my ldap.cfg.
> > 
> 
> In normal operation, Radiator does not send the password to the LDAP server,
> rather it looks up the user and pulls the password back to check it itself.
> Your configuration file is looking for the contents of the LDAP attribute
> "passwd" to use as the password check, and I suspect that field does not exist.
> 
> What version of Radiator are you running?

I am using  Radiator-2.9.

> 
> thanks
> 
> Hugh
> ..
> ..

--
Tu Nguyen   Information Technologies 
The University of Calgary   voice: (403)220-5155
UCS, 2500 University DR NW, Calgary,AB  fax  : (403)282-9199
Canada, T2N-1N4 email:  [EMAIL PROTECTED]





Re: (RADIATOR) LDAP woes

2000-08-25 Thread Hugh Irvine


Hello Nguyen -

On Sat, 26 Aug 2000, Tu Nguyen wrote:
> Hi All:
>  Has anyone out there successful in using Radiator to authenticate
> with LDAP? I can't seem to get radiator to send the password.
> Below is the log when using radpwtst for user=joe with an incorrect
> password. I always get "Access-Accept", even with a wrong password.
> Sniffer trace shows no sign of the password either.
> Can anyone advise me? Below are the logfile, console and my ldap.cfg.
> 

In normal operation, Radiator does not send the password to the LDAP server,
rather it looks up the user and pulls the password back to check it itself.
Your configuration file is looking for the contents of the LDAP attribute
"passwd" to use as the password check, and I suspect that field does not exist.

What version of Radiator are you running?

thanks

Hugh


>  my ldap.cfg
> 
> 
> Secret abcdbacdabcd
> DupInterval 0
> DefaultRealm ldap
> 
> 
>   
> Host xx.xx.xx.xx
> BaseDN  o=ucalgary.ca
> UsernameAttr uid
> PasswordAttr passwd
> 
> AcctLogFileName %D/detail
> RewriteUsername s/^([^@]+).*/$1/
>  
> 
> # end ldap
> 



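Hugh's description of "normal operation", Radiator fetching the stored userPassword and comparing it itself, has two consequences worth spelling out: the bind Radiator uses (the AuthDN/AuthPassword in the configs on this page) must be allowed to read password hashes, and the server must understand the storage scheme, which is what the `{SHA}` value in Stuart's log, the `{crypt}` value in Steve's log and the two `{MD5}` branches in the AuthGeneric.pm grep at the top of this page are about. The Python below is an added illustration of that comparison and is not Radiator's code. It handles `{SHA}`, `{SSHA}`, `{MD5}`, `{SMD5}` and plaintext, accepts both the RFC 2307 base64 form and the hex form that the `hexdigest` line in the grep produces, and deliberately leaves `{crypt}` out because it needs the platform crypt(3). The `{SHA}MQF6…` value from Stuart's log is used only as a hash whose password is unknown; the other test vectors are for the literal string `password`.

```python
import base64
import hashlib
import hmac
import os

# Scheme name (as written inside the braces) to digest function.
_ALGOS = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1,
          "MD5": hashlib.md5, "SMD5": hashlib.md5}


def make_ldap_password(scheme, password, salt=None):
    """Produce an RFC 2307 style userPassword value: base64(digest) for the
    unsalted schemes, base64(digest + salt) for SSHA/SMD5."""
    scheme = scheme.upper()
    algo = _ALGOS[scheme]
    pw = password.encode("utf-8")
    if scheme in ("SSHA", "SMD5"):
        salt = os.urandom(4) if salt is None else salt
        return "{%s}%s" % (scheme, base64.b64encode(algo(pw + salt).digest() + salt).decode())
    return "{%s}%s" % (scheme, base64.b64encode(algo(pw).digest()).decode())


def _decode_digest(text, expected_len):
    """Stored digests are base64 per RFC 2307, but hex also occurs in the
    wild (compare the encode_base64 and hexdigest lines in the grep above).
    Try base64 first and fall back to hex; both must yield exactly one
    digest's worth of bytes."""
    try:
        raw = base64.b64decode(text, validate=True)
        if len(raw) == expected_len:
            return raw
    except ValueError:
        pass
    try:
        raw = bytes.fromhex(text)
    except ValueError:
        return None
    return raw if len(raw) == expected_len else None


def check_ldap_password(stored, candidate):
    """Compare a candidate password against a stored userPassword value the
    way a server that fetches the hash itself has to. Comparisons are
    constant-time; an unknown scheme or a malformed value is a reject."""
    pw = candidate.encode("utf-8")
    if not stored.startswith("{"):
        # No scheme prefix: the directory holds the password in clear.
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, rest = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CRYPT":
        raise NotImplementedError("{crypt} needs the platform crypt(3); not handled here")
    algo = _ALGOS.get(scheme)
    if algo is None:
        return False
    dlen = algo().digest_size
    if scheme in ("SSHA", "SMD5"):
        try:
            blob = base64.b64decode(rest, validate=True)
        except ValueError:
            return False
        digest, salt = blob[:dlen], blob[dlen:]
        if len(digest) != dlen:
            return False
        return hmac.compare_digest(algo(pw + salt).digest(), digest)
    digest = _decode_digest(rest, dlen)
    if digest is None:
        return False
    return hmac.compare_digest(algo(pw).digest(), digest)


if __name__ == "__main__":
    stored = make_ldap_password("SSHA", "s3cret")
    print(stored, check_ldap_password(stored, "s3cret"), check_ldap_password(stored, "S3cret"))
    # Hash quoted from Stuart's log; the password behind it is not known.
    print(check_ldap_password("{SHA}MQF6ciZl5K/OWGlQ9ClEptMx2r8=", "not-the-password"))
```

The alternative that avoids all of this is the ServerChecksPassword parameter mentioned later on this page: Radiator binds to the directory as the user instead of reading the hash, so the AuthDN needs no read access to userPassword and the scheme is the directory's problem. The trade-off is the one Mark's thread describes: every wrong password then counts against the directory's own lockout policy, so duplicate-request suppression matters more, not less, in that mode.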



RE: (RADIATOR) LDAP: new "AuthAttrDef" attribute?

2000-05-02 Thread Felicetti, Stephen A.

Here's an example of what I do.
I want the ability to limit those individuals that are authenticated against
our
LDAP server. This allows us to maintain a list of users that are allowed to
dialin.

I arbitrarily chose the 'NAS-Port-Type' radius attribute that is sent to
Radiator 
from our NAS. Its value will be the same each time: ASYNC.

I chose an unused attribute in the user's LDAP entry, and changed it to
match the value
of 'NAS-Port-Type'. I do this with any user that wants to dial in.

My config file has the following line in it to handle the comparison:

AuthAttrDef telephonenumber,NAS-Port-Type,check

Here's a snip of the log messages when a user authenticates:

Fri Apr 14 20:31:34 2000: DEBUG: Handling with Radius::AuthLDAP
Fri Apr 14 20:31:34 2000: DEBUG: Connecting to HOST, port 389
Fri Apr 14 20:31:35 2000: DEBUG: LDAP got result for
uid=username,ou=People,o=Fox Chase Cancer Center,c=US
Fri Apr 14 20:31:35 2000: DEBUG: LDAP got userpassword: {crypt}password
Fri Apr 14 20:31:35 2000: DEBUG: LDAP got telephonenumber: Async
Fri Apr 14 20:31:35 2000: DEBUG: Radius::AuthLDAP looks for match with
username
Fri Apr 14 20:31:35 2000: DEBUG: Radius::AuthLDAP ACCEPT: 
Fri Apr 14 20:31:35 2000: DEBUG: Access accepted for username

I suggest capturing (sniffing) the packets sent from your NAS to Radiator during
an authentication request.
This will allow you to note which radius attributes are being sent, and what
their values are.
Pick one that doesn't change, and use it.

I didn't have to make any changes to the dictionary file, and didn't have to
use any of the check or reply
items.

I'm not sure if this is what you're attempting to achieve, but it works like a
charm for me and
was easy to implement.

Steve

-Original Message-
From: Dave Kitabjian [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 02, 2000 10:05 AM
To: '[EMAIL PROTECTED]'
Subject: (RADIATOR) LDAP: new "AuthAttrDef" attribute?


Regarding: http://www.open.com.au/radiator/ref.html#pgfId=369888

and the new AuthAttrDef attribute for LDAP...

This looks like a nice feature. However, to make AuthAttrDef entries as:

AuthAttrDef ldapattributename, radiusattributename, type

you would need to anticipate and list in your .cfg file every Reply item
(and Check item) that any of your users might need, right? That doesn't
seem to make sense. (Am I missing something?)

On the other hand, with CheckAttr and ReplyAttr you don't have to worry
about that; just list whatever you want in your LDAP db, and Radiator
will pick them up. But CheckAttr/ReplyAttr are being deprecated. So...

Can I accomplish the equivalent functionality by doing:

AuthAttrDef GENERIC, ???, check
AuthAttrDef GENERIC, ???, reply

What do I put for ??? Perhaps you could list an example using GENERIC in
the docs?

Thanks very much!

Dave




Re: (RADIATOR) LDAP unbinding causes problems

2000-02-01 Thread Hugh Irvine


Hello Paul -

On Thu, 01 Jan 1970, Paul van der Zwan - Sun Professional Services wrote:
> I am helping a customer to get a Radiator 2.14.1 configuration to perform.
> They are using the AuthLDAP2 module to authenticate using a Netscape LDAP 
> server. Apparently the NS server drops the TCP session when Radiator unbinds.
> This slowed everything down so much I saw hundreds of UDP packets overflowing the queue
> per minute.
> As a quick hack I replaced the AuthLDAP2.pm file with the one from 2.13.1, resulting
> in the disappearance of the overflows.
> This is not the kind of solution I would like them to use ;-)
> 
> Is there a permanent fix possible for this problem ??

We are currently working on the AuthLDAP2 module to give you more control
over how Radiator connects and binds to LDAP servers. We are introducing two
new parameters: HoldServerConnection and ServerChecksPassword. We would be very
interested in having someone test the new version. Will you volunteer?

thanks

Hugh


===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) LDAP compare instead of LDAP search?

1999-12-01 Thread Hugh Irvine


Hello Karel -

On Wed, 01 Dec 1999, Velden, C.W.van der wrote:
> L.S.,
> 
> What is the reason Radiator uses LDAP search instead of LDAP compare to
> check whether an entry fullfills the requirements? I would prefer to use
> LDAP compare. Secondly what is the status regarding connecting to an LDAP
> server at present? According to me (using Netscape LDAP SDK) it connects
> once and reuses this connection, is this correct?
> 

The reason Radiator uses LDAP search is because the product was designed for
searching - look up a user record and return the relevant information for that
user - password, check attributes, reply attributes, etc. The same model is
used throughout, so there is consistency across AuthBy methods.

Sadly, there are already three different AuthBy LDAP clauses because of
differing implementations of the "standard" and more are seemingly required.
And as you can see from the above, even if Radiator used a compare, it would
still need to do a subsequent search for the attributes.

And yes, Radiator tries to open a long-lasting connection to the server in the
interests of economy, but again there are differences due to the peculiarities
of different LDAP implementations (some crash when a connection is re-used).

Of course if someone would like to build an all-singing, all-dancing, do
everything AuthBy for all versions of LDAP, we would be delighted to be the
recipients of a contribution.

:-)

regards

Hugh




Re: (RADIATOR) LDAP Request

1999-10-31 Thread Mike McCauley

Hi Stephen,

The reason that LDAP does not do the same thing with extended attributes is
more historical. If you send us the code or a patch, we will certainly
consider rolling it into the code.

Thanks for telling us about this.

Cheers.


---
Mike McCauley [EMAIL PROTECTED]
Open System Consultants +61 3 9598 0985

Mike is travelling right now, and there may be delays
in our correspondence.
-Original Message-
From: Steven E. Ames <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>; Steven Ames <[EMAIL PROTECTED]>;
[EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday, October 29, 1999 10:40 AM
Subject: Re: (RADIATOR) LDAP Request


>Thanks for the quick reply Hugh. That works but (IMHO) it defeats the
>purpose of having a database if you have to put the complete attribute
>pair into it.
>
>I actually just spent an hour or so migrating some code from AuthSQL.pm
>to AuthLDAP.pm to do exactly what I want. Works great.
>
>Is there some reason not to handle LDAP in the same manner as SQL? It
>seems a bit cleaner. I'll send the new AuthLDAP.pm along to you shortly.
>Any chance of getting your (or someone...) to look it over and maybe
>make the changes a permanent feature of RADIATOR? I don't care if the
>tag names change as long as I can keep the functionality... Otherwise
>I'm looking at having to redo this everytime AuthLDAP.pm gets updated by
>you all.
>
>-Steve
>
>- Original Message -
>From: Hugh Irvine <[EMAIL PROTECTED]>
>To: Steven Ames <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Thursday, October 28, 1999 5:52 PM
>Subject: Re: (RADIATOR) LDAP Request
>
>
>>
>> Hello Steven -
>>
>> On Fri, 29 Oct 1999, Steven Ames wrote:
>> > Would it be possible to modify the AuthLDAP modules so that instead
>> > of (or in addition to to maintain backward compatibility) having
>> > a single attribute that holds all of the reply items we can instead
>> > set things up more like the SQL modules?
>> >
>> > What I mean is under SQL you can do things like:
>> >
>> > AuthColumnDef 2, Session-Timeout, reply
>> >
>> > saying that the column 2 attribute is a reply item and should be
>> > combined with 'Session-Timeout' to create 'Session-Timeout = X'.
>> >
>> > Under LDAP the same thing could apply:
>> >
>> > LDAPAttribute, netmask, Framed-IP-Netmask, reply
>> >
>> > stating that there is an LDAP attribute called 'netmask' which should
>> > be used as the value for the reply string 'Framed-IP-Netmask'.
>> >
>> > That'd make things so much cleaner in my LDAP databases ditto with
>> > check items :)
>> >
>>
>> You can already do this simply by putting multiple CheckAttr and ReplyAttr
>> lines in your configuration file. The only caveat is that each LDAP field must
>> contain the complete attribute=value pair.
>>
>> 
>> 
>> 
>> CheckAttr ServiceType # contains Service-Type = Framed-User
>> CheckAttr 
>> ReplyAttr ServiceType # contains Service-Type = Framed-User
>> ReplyAttr FramedIPAddress # Framed-IP-Address = x.x.x.x
>> ReplyAttr FramedIPNetmask # Framed-IP-Netmask = y.y.y.y
>> ReplyAttr 
>> 
>> 
>> 
>>
>> See Section 6.30.10 and 6.30.11 in the Radiator 2.14.1 reference manual.
>>
>> hth
>>
>> Hugh
>>
>>
>>
>



Re: (RADIATOR) LDAP Request

1999-10-31 Thread Mike McCauley

Yes, I think  this is a reasonable thing to do.
Look for it in a forthcoming release.

Cheers.


-Original Message-
From: Steven Ames <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday, October 29, 1999 5:40 AM
Subject: (RADIATOR) LDAP Request


>
>Would it be possible to modify the AuthLDAP modules so that instead
>of (or in addition to to maintain backward compatibility) having
>a single attribute that holds all of the reply items we can instead
>set things up more like the SQL modules?
>
>What I mean is under SQL you can do things like:
>
> AuthColumnDef 2, Session-Timeout, reply
>
>saying that the column 2 attribute is a reply item and should be
>combined with 'Session-Timeout' to create 'Session-Timeout = X'.
>
>Under LDAP the same thing could apply:
>
> LDAPAttribute, netmask, Framed-IP-Netmask, reply
>
>stating that there is an LDAP attribute called 'netmask' which should
>be used as the value for the reply string 'Framed-IP-Netmask'.
>
>That'd make things so much cleaner in my LDAP databases ditto with
>check items :)
>
>-Steve
>
>



Re: (RADIATOR) LDAP Request

1999-10-28 Thread Steven E. Ames

Thanks for the quick reply Hugh. That works but (IMHO) it defeats the
purpose of having a database if you have to put the complete attribute
pair into it.

I actually just spent an hour or so migrating some code from AuthSQL.pm
to AuthLDAP.pm to do exactly what I want. Works great.

Is there some reason not to handle LDAP in the same manner as SQL? It
seems a bit cleaner. I'll send the new AuthLDAP.pm along to you shortly.
Any chance of getting your (or someone...) to look it over and maybe
make the changes a permanent feature of RADIATOR? I don't care if the
tag names change as long as I can keep the functionality... Otherwise
I'm looking at having to redo this every time AuthLDAP.pm gets updated by
you all.

-Steve

- Original Message -
From: Hugh Irvine <[EMAIL PROTECTED]>
To: Steven Ames <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, October 28, 1999 5:52 PM
Subject: Re: (RADIATOR) LDAP Request


>
> Hello Steven -
>
> On Fri, 29 Oct 1999, Steven Ames wrote:
> > Would it be possible to modify the AuthLDAP modules so that instead
> > of (or in addition to to maintain backward compatibility) having
> > a single attribute that holds all of the reply items we can instead
> > set things up more like the SQL modules?
> >
> > What I mean is under SQL you can do things like:
> >
> > AuthColumnDef 2, Session-Timeout, reply
> >
> > saying that the column 2 attribute is a reply item and should be
> > combined with 'Session-Timeout' to create 'Session-Timeout = X'.
> >
> > Under LDAP the same thing could apply:
> >
> > LDAPAttribute, netmask, Framed-IP-Netmask, reply
> >
> > stating that there is an LDAP attribute called 'netmask' which
should
> > be used as the value for the reply string 'Framed-IP-Netmask'.
> >
> > That'd make things so much cleaner in my LDAP databases ditto
with
> > check items :)
> >
>
> You can already do this simply by putting multiple CheckAttr and
ReplyAttr
> lines in your configuration file. The only caveat is that each LDAP
field must
> contain the complete attribute=value pair.
>
> 
> 
> 
> CheckAttr ServiceType # contains Service-Type = Framed-User
> CheckAttr 
> ReplyAttr ServiceType # contains Service-Type = Framed-User
> ReplyAttr FramedIPAddress # Framed-IP-Address = x.x.x.x
> ReplyAttr FramedIPNetmask # Framed-IP-Netmask = y.y.y.y
> ReplyAttr 
> 
> 
> 
>
> See Section 6.30.10 and 6.30.11 in the Radiator 2.14.1 reference
manual.
>
> hth
>
> Hugh
>
>





Re: (RADIATOR) LDAP Request

1999-10-28 Thread Hugh Irvine


Hello Steven -

On Fri, 29 Oct 1999, Steven Ames wrote:
> Would it be possible to modify the AuthLDAP modules so that instead
> of (or in addition to to maintain backward compatibility) having
> a single attribute that holds all of the reply items we can instead
> set things up more like the SQL modules?
> 
> What I mean is under SQL you can do things like:
> 
>   AuthColumnDef 2, Session-Timeout, reply
> 
> saying that the column 2 attribute is a reply item and should be
> combined with 'Session-Timeout' to create 'Session-Timeout = X'.
> 
> Under LDAP the same thing could apply:
> 
>   LDAPAttribute,  netmask, Framed-IP-Netmask, reply
> 
> stating that there is an LDAP attribute called 'netmask' which should
> be used as the value for the reply string 'Framed-IP-Netmask'.
> 
> That'd make things so much cleaner in my LDAP databases ditto with
> check items :)
> 

You can already do this simply by putting multiple CheckAttr and ReplyAttr
lines in your configuration file. The only caveat is that each LDAP field must
contain the complete attribute=value pair.




CheckAttr ServiceType   # contains Service-Type = Framed-User
CheckAttr 
ReplyAttr ServiceType   # contains Service-Type = Framed-User
ReplyAttr FramedIPAddress   # Framed-IP-Address = x.x.x.x
ReplyAttr FramedIPNetmask   # Framed-IP-Netmask = y.y.y.y
ReplyAttr 




See Section 6.30.10 and 6.30.11 in the Radiator 2.14.1 reference manual.

hth

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody




Re: (RADIATOR) LDAP funktion and Netscape LDAP server

1999-06-10 Thread Mike McCauley

Hello Lasse,

On Jun 10, 10:50am, Lasse L. Johnsen wrote:
> Subject: (RADIATOR) LDAP funktion and Netscape LDAP server
> Hello,
>
> This email is regarding a possible problem in the Radiator Radius server
> when it is working with Netscapes LDAP server.
>
>
> Here is a radius log dump:
> 
> _
>
> Thu Jun 10 08:01:12 1999: DEBUG: Packet dump:
> *** Received from 194.177.224.55 port 3775 
> Code: Access-Request
> Identifier: 125
> Authentic: _<164>U7m""<14>X"<165><230>iQ<251><206>
> Attributes:
> Service-Type = Login-User
> User-Name = "jfs"
> User-Password =
> "<155><227><240><198><155>.?<24><164><154><189><1><19><2
> 15><148><148>"
> NAS-IP-Address = 194.177.224.55
> NAS-Port = 0
> Thu Jun 10 08:01:12 1999: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Jun 10 08:01:12 1999: DEBUG: Handling with Radius::AuthLDAP
> Thu Jun 10 08:01:12 1999: DEBUG: Connecting to tgserv.tele.gl, port 389
> Thu Jun 10 08:01:12 1999: DEBUG: LDAP got result for uid=jfs,o=greennet.gl
> Thu Jun 10 08:01:12 1999: DEBUG: LDAP got userpassword: {crypt}45wDd3av8.pmCk
> Thu Jun 10 08:01:12 1999: DEBUG: Radius::AuthLDAP looks for match with jfs
> Thu Jun 10 08:01:12 1999: DEBUG: Radius::AuthLDAP REJECT: Bad
> Encrypted-Password
> Thu Jun 10 08:01:13 1999: DEBUG: No entries for DEFAULT found in LDAP
> database
> Thu Jun 10 08:01:13 1999: INFO: Access rejected for jfs: Bad
> Encrypted-Password
> Thu Jun 10 08:01:13 1999: DEBUG: Packet dump:
> *** Sending to 194.177.224.55 port 3775 
> Code: Access-Reject
> Identifier: 125
> Authentic: _<164>U7m""<14>X"<165><230>iQ<251><206>
> Attributes:
> Reply-Message = "Request Denied"
>
> 
> __
>
> And here's from the LDAP server:
>
> [10/Jun/1999:09:12:03 -0200] conn=49 fd=25 slot=25 connection from
> 194.177.224.5
> [10/Jun/1999:09:12:03 -0200] conn=49 op=0 BIND dn="cn=Administrator"
> method=
> 128 version=2
> [10/Jun/1999:09:12:03 -0200] conn=49 op=0 RESULT err=0 tag=97 nentries=0
> [10/Jun/1999:09:12:03 -0200] conn=49 op=1 SRCH base="o=greennet.gl" scope=2
> filt
> er="(uid=jfs)"
> [10/Jun/1999:09:12:03 -0200] conn=49 op=1 RESULT err=0 tag=101 nentries=1
> [10/Jun/1999:09:12:03 -0200] conn=49 op=2 SRCH base="o=greennet.gl" scope=2
> filt
> er="(uid=DEFAULT)"
> [10/Jun/1999:09:12:03 -0200] conn=49 op=2 RESULT err=0 tag=101 nentries=0
>
> 
> ___
>
> First of all - Why is the radius server looking for a default user in the
> LDAP server?
Looks like you must have specified the password attribute using
EncryptedPasswordAttr. This means that it expects it to be a bare crypt password,
which is clearly not what's in the database.

You want to use PasswordAttr instead, which knows how to interpret multiple
password formats, including ones with a leading {crypt}.


>
> Second of all -  {crypt}45wDd3av8.pmCk is from the LDAP server - the
> {crypt} shoulden't be used in the compairisment - yet I think it is.(?)
>
> So is this the reason for the authtification going wrong?
Yes.

>
> Thank you for taking the time to read my mail.
Thanks for giving us enough detail to diagnose the problem.
Hope that helps.

Cheers.

>
> Best Regards
> Lasse L. Johnsen /System Administrator /TELE Greenland Internet
>
>-- End of excerpt from Lasse L. Johnsen



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955




RE: (RADIATOR) LDAP funktion and Netscape LDAP server

1999-06-10 Thread Ingvar Berg (ERA)

Are you really using {crypt} with Netscape Directory server? Because if you
use SHA, you don't need to use Encrypted-password as Radiator understands
the {SHA} signature (once you've installed SHA support in Perl :-). Well,
maybe it is the same with {crypt}, just use PasswordAttr and let Radiator
look for the tag.

/Ingvar
Ericsson Radio Systems AB
Center for Wireless Internet Integration 
P.O. Box 1885, Teknikringen 8, S-581 17  Linköping, Sweden
Phone +46 13 32 22 87
Mobile +46 70 321 3395
Fax +46 70 617 3395
mailto: [EMAIL PROTECTED]


> -Original Message-
> From: Lasse L. Johnsen [mailto:[EMAIL PROTECTED]]
> Sent: den 10 juni 1999 15:50
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) LDAP funktion and Netscape LDAP server
> 
> 
> Hello,
> 
> This email is regarding a possible problem in the Radiator 
> Radius server
> when it is working with Netscapes LDAP server.
> 
> 
> Here is a radius log dump:
> __
> __
> _
> 
> Thu Jun 10 08:01:12 1999: DEBUG: Packet dump: 
> *** Received from 194.177.224.55 port 3775  
> Code: Access-Request 
> Identifier: 125 
> Authentic: _<164>U7m""<14>X"<165><230>iQ<251><206> 
> Attributes: 
> Service-Type = Login-User 
> User-Name = "jfs" 
> User-Password = 
> "<155><227><240><198><155>.?<24><164><154><189><1><19><2 
> 15><148><148>" 
> NAS-IP-Address = 194.177.224.55 
> NAS-Port = 0
> Thu Jun 10 08:01:12 1999: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT' 
> Thu Jun 10 08:01:12 1999: DEBUG: Handling with Radius::AuthLDAP 
> Thu Jun 10 08:01:12 1999: DEBUG: Connecting to 
> tgserv.tele.gl, port 389 
> Thu Jun 10 08:01:12 1999: DEBUG: LDAP got result for 
> uid=jfs,o=greennet.gl 
> Thu Jun 10 08:01:12 1999: DEBUG: LDAP got userpassword: 
>45wDd3av8.pmCk 
> Thu Jun 10 08:01:12 1999: DEBUG: Radius::AuthLDAP looks for 
> match with jfs 
> Thu Jun 10 08:01:12 1999: DEBUG: Radius::AuthLDAP REJECT: Bad 
> Encrypted-Password 
> Thu Jun 10 08:01:13 1999: DEBUG: No entries for DEFAULT found in LDAP 
> database 
> Thu Jun 10 08:01:13 1999: INFO: Access rejected for jfs: Bad 
> Encrypted-Password 
> Thu Jun 10 08:01:13 1999: DEBUG: Packet dump: 
> *** Sending to 194.177.224.55 port 3775  
> Code: Access-Reject 
> Identifier: 125 
> Authentic: _<164>U7m""<14>X"<165><230>iQ<251><206> 
> Attributes: 
> Reply-Message = "Request Denied"
> 
> __
> __
> __
> 
> And here's from the LDAP server:
> 
> [10/Jun/1999:09:12:03 -0200] conn=49 fd=25 slot=25 connection from 
> 194.177.224.5 
> [10/Jun/1999:09:12:03 -0200] conn=49 op=0 BIND dn="cn=Administrator" 
> method= 
> 128 version=2 
> [10/Jun/1999:09:12:03 -0200] conn=49 op=0 RESULT err=0 tag=97 
> nentries=0 
> [10/Jun/1999:09:12:03 -0200] conn=49 op=1 SRCH 
> base="o=greennet.gl" scope=2 
> filt 
> er="(uid=jfs)" 
> [10/Jun/1999:09:12:03 -0200] conn=49 op=1 RESULT err=0 
> tag=101 nentries=1 
> [10/Jun/1999:09:12:03 -0200] conn=49 op=2 SRCH 
> base="o=greennet.gl" scope=2 
> filt 
> er="(uid=DEFAULT)" 
> [10/Jun/1999:09:12:03 -0200] conn=49 op=2 RESULT err=0 
> tag=101 nentries=0
> 
> __
> __
> ___
> 
> First of all - Why is the radius server looking for a default 
> user in the
> LDAP server?
> 
> Second of all -  {crypt}45wDd3av8.pmCk is from the LDAP server - the
> {crypt} shoulden't be used in the compairisment - yet I think 
> it is.(?)
> 
> So is this the reason for the authtification going wrong?
> 
> Thank you for taking the time to read my mail.
> 
> Best Regards
> Lasse L. Johnsen /System Administrator /TELE Greenland Internet
> 
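The "Bad Encrypted-Password" rejection in the log above, and the {crypt}/{SHA} tag handling Mike and Ingvar describe, as an added Perl illustration that is not Radiator's AuthLDAP.pm code: check_bare_crypt models the EncryptedPasswordAttr behaviour (stored value used as a bare crypt(3) hash), check_tagged the scheme-aware PasswordAttr behaviour. The password, hashes and function names are constructed for this example, and the DES-style crypt() hash assumes a platform whose crypt(3) still supports traditional DES.

```perl
#!/usr/bin/perl
# Added illustration, not Radiator code. Models the two password checks
# discussed in the thread: a bare crypt(3) comparison (EncryptedPasswordAttr)
# and a scheme-aware comparison that honours {crypt}, {SHA} and {SSHA} tags
# (PasswordAttr). Sample password and hashes below are constructed.
use strict;
use warnings;
use Digest::SHA  qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# Constant-time comparison so a mismatch does not leak how many leading
# bytes agreed (lengths are still compared first).
sub eq_ct {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# EncryptedPasswordAttr behaviour: the stored value is taken to be a bare
# crypt(3) hash and is handed to crypt() as the salt. A "{crypt}" prefix is
# not a valid salt, so the result can never match: "Bad Encrypted-Password".
sub check_bare_crypt {
    my ($submitted, $stored) = @_;
    return eq_ct(crypt($submitted, $stored), $stored);
}

# PasswordAttr behaviour: inspect the leading {scheme} tag, then compare in
# the format the tag announces. Untagged values are treated as cleartext.
sub check_tagged {
    my ($submitted, $stored) = @_;
    if ($stored =~ /^\{crypt\}(.+)$/i) {
        my $hash = $1;
        return eq_ct(crypt($submitted, $hash), $hash);
    }
    if ($stored =~ /^\{SHA\}(.+)$/i) {
        # RFC 2307 style: base64 of the raw 20-byte SHA-1 digest
        my $b64 = $1;
        return eq_ct(encode_base64(sha1($submitted), ''), $b64);
    }
    if ($stored =~ /^\{SSHA\}(.+)$/i) {
        # Salted SHA-1: base64(SHA1(password . salt) . salt)
        my $raw  = decode_base64($1);
        my $salt = substr($raw, 20);
        return eq_ct(sha1($submitted . $salt) . $salt, $raw);
    }
    return eq_ct($submitted, $stored);
}

# Constructed sample: a traditional DES crypt(3) hash of a known password,
# stored with the {crypt} tag the way the directory server in the log does.
# Assumes the platform crypt() still implements DES (salt "45").
my $password = 'secret';
my $stored   = '{crypt}' . crypt($password, '45');
my $sha_val  = '{SHA}' . encode_base64(sha1($password), '');
my $ssha_val = '{SSHA}' . encode_base64(sha1($password . 'salt') . 'salt', '');

my @cases = (
    ['bare crypt check, tagged value  ', check_bare_crypt($password, $stored)],
    ['tag-aware check, tagged value   ', check_tagged($password, $stored)],
    ['tag-aware check, wrong password ', check_tagged('wrong', $stored)],
    ['tag-aware check, {SHA} value    ', check_tagged($password, $sha_val)],
    ['tag-aware check, {SSHA} value   ', check_tagged($password, $ssha_val)],
);
printf "%s: %s\n", $_->[0], $_->[1] ? 'accept' : 'reject' for @cases;
```

Only the first case is rejected: the correct password fails when the tagged value is compared as a bare crypt hash, which is the failure mode in the posted log.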



RE: (RADIATOR) LDAP Attributes

1999-06-03 Thread Ingvar Berg (ERA)

Have you tried with some invalid attribute values for those users? Like Service-Type
"Mail" or an IP address that just sends them to the bit bucket?
 
mvh,
Ingvar

-Original Message-
From: Martin Oelgemoeller [mailto:[EMAIL PROTECTED]]
Sent: den 3 juni 1999 11:32
To: [EMAIL PROTECTED]
Subject: (RADIATOR) LDAP Attributes


We are using Radiator to ask our LDAP-Server to access Customers to our
Dial-In-Service.
That works fine.
Now we want to ask other Attributes, like one which says that this user is a
mail-only-user and has no dial-in service available.
The Doc and FAQ tell about CheckAttr and ReplyAttr, but the examples are not as exact
as I want them to be. Has anyone a running config which solves my problem or any hints
about asking Attributes from the LDAP Server?
 
We are running the latest Radiator Version 2.13.1 incl. patches on Solaris 2.6 and
Netscape Directory Server on the same machine.
 
Thanks.
 

mfg
Martin Oelgemoeller
--
Martin Oelgemoeller   uni-X Software GmbH
Tel: 49-541-71008-0   Mindener Strasse 127
Fax: 49-541-7100899   D-49084 Osnabrueck
mailto:[EMAIL PROTECTED] http://www.uni-x.net





Re: (RADIATOR) LDAP Attributes

1999-06-03 Thread Mike McCauley

Hi Martin.

This is pretty well what you have to do to define some check items in LDAP:

1. Invent a new LDAP attribute to hold check items. Let's call it "checkitems".
2. In your AuthBy LDAP, add this:
CheckAttr   checkitems
which tells LDAP to get check items from an LDAP attribute called checkitems.
3. For users that need check items, add them to the checkitems attribute in
LDAP like this: imagine that you want to limit a user to email only, and that
email authentication has a distinctive Service-Type; set the checkitems LDAP
attribute for that user to be:
Service-Type=Authenticate-Only

You can add more check items for the same user by comma-separation:
NAS-IP-Address=1.2.3.4,Service-Type=Authenticate-Only

Hope that helps.

Cheers.

On Jun 3, 11:31am, Martin Oelgemoeller wrote:
> Subject: (RADIATOR) LDAP Attributes
>
> We are using Radiator to ask our LDAP-Server to access Customers to our
> Dial-In-Service.
> That works fine.
> Now we want to ask other Attributes, like one which says that this user is a
> mail-only-user and has no dial-in service available.
> The Doc and FAQ tell about CheckAttr and ReplyAttr, but the examples are not
> as exact as I want them to be. Has anyone a running config which solves my
> problem or any hints about asking Attributes from the LDAP Server?
>
> We are running the latest Radiator Version 2.13.1 incl. patches on Solaris
> 2.6 and Netscape Directory Server on the same machine.
>
> Thanks.
> mfg
> Martin Oelgemoeller
> --
> Martin Oelgemoeller   uni-X Software GmbH
> Tel: 49-541-71008-0   Mindener Strasse 127
> Fax: 49-541-7100899   D-49084 Osnabrueck
> mailto:[EMAIL PROTECTED]   http://www.uni-x.net
>
>
> [ Attachment (text/x-html): 2330 bytes
>   Character set: us-ascii ]
>-- End of excerpt from Martin Oelgemoeller



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955




Re: (RADIATOR) LDAP and SHA'd password

1999-03-31 Thread Mike McCauley

Hi Ingvar,

On Mar 31,  5:25pm, Ingvar Berg (ERA) wrote:
> Subject: (RADIATOR) LDAP and SHA'd password
>
> Hi,
>
> I just moved from testing with flat user file to LDAP with SHA-1 hashed
> passwords. And gets stuck without a clue...
Do you mean that Radiator hangs after this, and does not accept any more
request, or do you mean that Radiator is rejecting the password, when it is
correct?

If it's the latter, it might be because of this in your config file:

Authpassword password
should be
AuthPassword password

It's case sensitive. You should have got an error message about it when Radiator
starts up?

Hope that helps.

Cheers.



> Can anyone see the reason for not accepting the password?

>
> /Ingvar
>
>
> [ Attachment (application/octet-stream): "radius.cfg" 438 bytes
>   Encoded with "quoted-printable" ]
>
> [ Attachment (application/octet-stream): "logfile" 1330 bytes
>   Encoded with "quoted-printable" ]
>-- End of excerpt from Ingvar Berg (ERA)



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955




Re: (RADIATOR) LDAP and SHA'd password

1999-03-31 Thread Ferhat Dilman

I would check the Directory Manager password and EncryptedPassword fields.
And the BaseDN.

Are you sure you have to use the Directory Manager account? I don't remember, but
I guess I had used the admin username. My memory has gone away.

Regards,

Ferhat

-Original Message-
From: Ingvar Berg (ERA) <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: 01 Nisan 1999 Perşembe 02:22
Subject: (RADIATOR) LDAP and SHA'd password


>Hi,
>
>I just moved from testing with flat user file to LDAP with SHA-1 hashed
>passwords. And gets stuck without a clue...
>Can anyone see the reason for not accepting the password?
>
>/Ingvar
>
>





Re: (RADIATOR) LDAP Request

1999-01-02 Thread Hugh Irvine


Hello Joost -

On Fri, 05 Nov 1999, Joost Stegeman wrote:
> Hugh,
> 
> I'm not sure your suggestion to define multiple CheckAttr and ReplyAttr fields
> in the LDAP config works in Radiator 2.14.1. It doesn't work in 2.11 for sure.
> Maybe you mean that multiple attribute values in the LDAP directory are
> concatenated with commas?
> 
> from AuthLDAP.pm, line 274:
> 
> elsif ($attr eq lc $self->{CheckAttr})
> {
> # This is the attribute with check items in it
> $user->get_check->parse(join ',', @vals);
> }
> elsif ($attr eq lc $self->{ReplyAttr})
> {
> # This is the attribute with reply items in it
> $user->get_reply->parse(join ',', @vals);
> }
> 
> Here I see the $attr's from the LDAP query being checked against a single value
> in the configuration tree. This, and my tests with 2.11, lead me to believe
> your suggestion is not correct. I really like the idea from Steven Ames, who
> built some patches which make the configuration much alike the SQL
> configuration.
> 

Yes, so does Mike - he is rolling it into the next release.

> Any other thoughts, I am wrong?

No - *you* aren't wrong - I am! That's what I get for reading the manual and
not the source!! No, I read the manual entry to mean what I thought it meant,
not what it really meant.

** SIGH **

thanks Joost!!

Hugh





Re: (RADIATOR) LDAP Request

1999-01-02 Thread Mike McCauley

Hi Joost,

we have rolled in the changes sent by Steven (with some minor mods), and I have
attached the new AuthLDAP.pm that will be in the next release.

You can use it to specify any number of LDAP attributes and how they map into
check and reply items:

AuthAttrDef ldapattribute,Radius-Attribute,type

eg:
AuthAttrDef servicetype,Service-Type,check
AuthAttrDef address,Framed-IP-Address,reply


Please let us know how it goes.
Thanks to Steven Ames for contributing the code.

Cheers.

On Nov 4,  4:29pm, Joost Stegeman wrote:
> Subject: Re: (RADIATOR) LDAP Request
> Hugh,
>
> I'm not sure your suggestion to define multiple CheckAttr and ReplyAttr fields
> in the LDAP config works in Radiator 2.14.1. It doesn't work in 2.11 for sure.
> Maybe you mean that multiple attribute values in the LDAP directory are
> concatenated with commas?
>
> from AuthLDAP.pm, line 274:
>
> elsif ($attr eq lc $self->{CheckAttr})
> {
> # This is the attribute with check items in it
> $user->get_check->parse(join ',', @vals);
> }
> elsif ($attr eq lc $self->{ReplyAttr})
> {
> # This is the attribute with reply items in it
> $user->get_reply->parse(join ',', @vals);
> }
>
> Here I see the $attr's from the LDAP query being checked against a single value
> in the configuration tree. This, and my tests with 2.11, lead me to believe
> your suggestion is not correct. I really like the idea from Steven Ames, who
> built some patches which make the configuration much alike the SQL
> configuration.
>
> Any other thoughts, I am wrong?
>
> - Joost.
>
> >
> > Hello Steven -
> >
> > On Fri, 29 Oct 1999, Steven Ames wrote:
> > > Would it be possible to modify the AuthLDAP modules so that instead
> > > of (or in addition to to maintain backward compatibility) having
> > > a single attribute that holds all of the reply items we can instead
> > > set things up more like the SQL modules?
> > >
> > > What I mean is under SQL you can do things like:
> > >
> > >  AuthColumnDef 2, Session-Timeout, reply
> > >
> > > saying that the column 2 attribute is a reply item and should be
> > > combined with 'Session-Timeout' to create 'Session-Timeout = X'.
> > >
> > > Under LDAP the same thing could apply:
> > >
> > >  LDAPAttribute, netmask, Framed-IP-Netmask, reply
> > >
> > > stating that there is an LDAP attribute called 'netmask' which should
> > > be used as the value for the reply string 'Framed-IP-Netmask'.
> > >
> > > That'd make things so much cleaner in my LDAP databases ditto with
> > > check items :)
> > >
> >
> > You can already do this simply by putting multiple CheckAttr and ReplyAttr
> > lines in your configuration file. The only caveat is that each LDAP field
> > must contain the complete attribute=value pair.
> >
> > 
> >  
> >   
> >   CheckAttr ServiceType # contains Service-Type = Framed-User
> >   CheckAttr 
> >   ReplyAttr ServiceType # contains Service-Type = Framed-User
> >   ReplyAttr FramedIPAddress # Framed-IP-Address = x.x.x.x
> >   ReplyAttr FramedIPNetmask # Framed-IP-Netmask = y.y.y.y
> >   ReplyAttr 
> >   
> >  
> > 
> >
> > See Section 6.30.10 and 6.30.11 in the Radiator 2.14.1 reference manual.
> >
> > hth
> >
> > Hugh
> >
>
>-- End of excerpt from Joost Stegeman



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955


 AuthLDAP.pm
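The two configuration styles this thread compares, as an added Perl example (not Radiator's AuthLDAP.pm, whose `join ',', @vals` lines are quoted above): items_from_single_attr models the CheckAttr/ReplyAttr approach where one LDAP attribute holds complete attribute=value pairs (Mike's checkitems recipe earlier on the page), items_from_attr_defs models the AuthAttrDef ldapattribute,Radius-Attribute,type mapping, and check_passes applies the resulting check items to an Access-Request. The LDAP entry, request attributes and function names are constructed for the illustration.

```perl
#!/usr/bin/perl
# Added example, not code from Radiator or its AuthLDAP.pm. Models the two
# ways described in the thread for turning LDAP entry attributes into RADIUS
# check and reply items, then evaluates the check items against a request.
# The user entry, requests and AuthAttrDef lines below are constructed.
use strict;
use warnings;

# Constructed LDAP entry as attribute => [values]. LDAP attribute names are
# case-insensitive, so they are kept lower-cased here; that is also why the
# quoted AuthLDAP.pm code compares against "lc $self->{CheckAttr}".
my %entry = (
    uid         => ['jfs'],
    checkitems  => ['Service-Type=Authenticate-Only', 'NAS-IP-Address=1.2.3.4'],
    servicetype => ['Framed-User'],
    address     => ['10.0.0.7'],
    netmask     => ['255.255.255.0'],
    mail        => ['[email protected]'],   # unmapped: ignored by both styles
);

# Parse "Attr=value,Attr2=value2" (the format a CheckAttr or ReplyAttr
# attribute must hold) into [attribute, value] pairs; reject junk loudly.
sub parse_items {
    my ($text) = @_;
    my @items;
    for my $pair (split /\s*,\s*/, $text) {
        next if $pair eq '';
        my ($attr, $value) = $pair =~ /^\s*([\w-]+)\s*=\s*(.*?)\s*$/
            or die "malformed check/reply item '$pair'\n";
        push @items, [$attr, $value];
    }
    return @items;
}

# Old style: the single LDAP attribute named by CheckAttr / ReplyAttr holds
# complete attribute=value pairs; multiple LDAP values are joined with
# commas, exactly as the quoted "join ',', @vals" does.
sub items_from_single_attr {
    my ($entry, $ldap_attr) = @_;
    my $vals = $entry->{lc $ldap_attr} or return ();
    return parse_items(join ',', @$vals);
}

# New style: each "AuthAttrDef ldapattribute,Radius-Attribute,type" line maps
# one LDAP attribute to one RADIUS attribute, so the directory holds only
# bare values. $type selects 'check' or 'reply' definitions.
sub items_from_attr_defs {
    my ($entry, $type, @defs) = @_;
    my @items;
    for my $def (@defs) {
        my ($ldap_attr, $radius_attr, $def_type) = split /\s*,\s*/, $def;
        next unless lc $def_type eq lc $type;
        my $vals = $entry->{lc $ldap_attr} or next;
        push @items, [$radius_attr, $_] for @$vals;
    }
    return @items;
}

# Every check item must be present in the Access-Request with the same
# value. A user whose check items say Service-Type=Authenticate-Only is
# therefore refused dial-in (Framed-User): the mail-only case in the thread.
sub check_passes {
    my ($request, @checks) = @_;
    for my $item (@checks) {
        my ($attr, $want) = @$item;
        my $got = $request->{$attr};
        return 0 unless defined $got && $got eq $want;
    }
    return 1;
}

my @defs = (
    'servicetype,Service-Type,check',
    'address,Framed-IP-Address,reply',
    'netmask,Framed-IP-Netmask,reply',
);

# Constructed requests from a NAS: a dial-in attempt and a mail login.
my %dialin = ('User-Name' => 'jfs', 'Service-Type' => 'Framed-User',       'NAS-IP-Address' => '1.2.3.4');
my %mail   = ('User-Name' => 'jfs', 'Service-Type' => 'Authenticate-Only', 'NAS-IP-Address' => '1.2.3.4');

my @old_checks = items_from_single_attr(\%entry, 'checkitems');
printf "CheckAttr style, dial-in request : %s\n", check_passes(\%dialin, @old_checks) ? 'accept' : 'reject';
printf "CheckAttr style, mail request    : %s\n", check_passes(\%mail,   @old_checks) ? 'accept' : 'reject';

my @new_checks  = items_from_attr_defs(\%entry, 'check', @defs);
my @new_replies = items_from_attr_defs(\%entry, 'reply', @defs);
printf "AuthAttrDef style, dial-in request: %s\n", check_passes(\%dialin, @new_checks) ? 'accept' : 'reject';
print  "AuthAttrDef reply items: ", join(', ', map { "$_->[0] = $_->[1]" } @new_replies), "\n";
```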


Re: (RADIATOR) LDAP Request

1999-01-02 Thread Steven E. Ames

Joel,

The changes to make LDAP more like SQL were added to the base system.
I don't think there was a patch released? But they will be there in
future releases.

-Steve

- Original Message -
From: Joost Stegeman <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 04, 1999 10:29 AM
Subject: Re: (RADIATOR) LDAP Request


> Hugh,
>
> I'm not sure your suggestion to define multiple CheckAttr and ReplyAttr fields
> in the LDAP config works in Radiator 2.14.1. It doesn't work in 2.11 for sure.
> Maybe you mean that multiple attribute values in the LDAP directory are
> concatenated with commas?
>
> from AuthLDAP.pm, line 274:
>
> elsif ($attr eq lc $self->{CheckAttr})
> {
> # This is the attribute with check items in it
> $user->get_check->parse(join ',', @vals);
> }
> elsif ($attr eq lc $self->{ReplyAttr})
> {
> # This is the attribute with reply items in it
> $user->get_reply->parse(join ',', @vals);
> }
>
> Here I see the $attr's from the LDAP query being checked against a single value
> in the configuration tree. This, and my tests with 2.11, lead me to believe
> your suggestion is not correct. I really like the idea from Steven Ames, who
> built some patches which make the configuration much alike the SQL
> configuration.
>
> Any other thoughts, I am wrong?
>
> - Joost.
>
> >
> > Hello Steven -
> >
> > On Fri, 29 Oct 1999, Steven Ames wrote:
> > > Would it be possible to modify the AuthLDAP modules so that
instead
> > > of (or in addition to to maintain backward compatibility) having
> > > a single attribute that holds all of the reply items we can
instead
> > > set things up more like the SQL modules?
> > >
> > > What I mean is under SQL you can do things like:
> > >
> > >  AuthColumnDef 2, Session-Timeout, reply
> > >
> > > saying that the column 2 attribute is a reply item and should be
> > > combined with 'Session-Timeout' to create 'Session-Timeout = X'.
> > >
> > > Under LDAP the same thing could apply:
> > >
> > >  LDAPAttribute, netmask, Framed-IP-Netmask, reply
> > >
> > > stating that there is an LDAP attribute called 'netmask' which
should
> > > be used as the value for the reply string 'Framed-IP-Netmask'.
> > >
> > > That'd make things so much cleaner in my LDAP databases ditto
with
> > > check items :)
> > >
> >
> > You can already do this simply by putting multiple CheckAttr and
ReplyAttr
> > lines in your configuration file. The only caveat is that each LDAP
field
> > must contain the complete attribute=value pair.
> >
> > 
> >  
> >   
> >   CheckAttr ServiceType # contains Service-Type =
Framed-User
> >   CheckAttr 
> >   ReplyAttr ServiceType # contains Service-Type =
Framed-User
> >   ReplyAttr FramedIPAddress # Framed-IP-Address =
x.x.x.x
> >   ReplyAttr FramedIPNetmask # Framed-IP-Netmask =
y.y.y.y
> >   ReplyAttr 
> >   
> >  
> > 
> >
> > See Section 6.30.10 and 6.30.11 in the Radiator 2.14.1 reference
manual.
> >
> > hth
> >
> > Hugh
> >
>



Re: (RADIATOR) LDAP Request

1999-01-02 Thread Joost Stegeman

Hugh,

I'm not sure your suggestion to define multiple CheckAttr and ReplyAttr fields
in the LDAP config works in Radiator 2.14.1. It doesn't work in 2.11 for sure.
Maybe you mean that multiple attribute values in the LDAP directory are
concatenated with commas?

from AuthLDAP.pm, line 274:

elsif ($attr eq lc $self->{CheckAttr})
{
# This is the attribute with check items in it
$user->get_check->parse(join ',', @vals);
}
elsif ($attr eq lc $self->{ReplyAttr})
{
# This is the attribute with reply items in it
$user->get_reply->parse(join ',', @vals);
}

Here I see the $attr's from the LDAP query being checked against a single value
in the configuration tree. This, and my tests with 2.11, lead me to believe
your suggestion is not correct. I really like the idea from Steven Ames, who
built some patches which make the configuration much alike the SQL
configuration.

Any other thoughts, am I wrong?

- Joost.

> 
> Hello Steven -
> 
> On Fri, 29 Oct 1999, Steven Ames wrote:
> > Would it be possible to modify the AuthLDAP modules so that instead
> > of (or in addition to to maintain backward compatibility) having
> > a single attribute that holds all of the reply items we can instead
> > set things up more like the SQL modules?
> > 
> > What I mean is under SQL you can do things like:
> > 
> >  AuthColumnDef 2, Session-Timeout, reply
> > 
> > saying that the column 2 attribute is a reply item and should be
> > combined with 'Session-Timeout' to create 'Session-Timeout = X'.
> > 
> > Under LDAP the same thing could apply:
> > 
> >  LDAPAttribute, netmask, Framed-IP-Netmask, reply
> > 
> > stating that there is an LDAP attribute called 'netmask' which should
> > be used as the value for the reply string 'Framed-IP-Netmask'.
> > 
> > That'd make things so much cleaner in my LDAP databases ditto with
> > check items :)
> > 
> 
> You can already do this simply by putting multiple CheckAttr and ReplyAttr
> lines in your configuration file. The only caveat is that each LDAP field
> must contain the complete attribute=value pair.
> 
> 
>  
>   
>   CheckAttr ServiceType # contains Service-Type = Framed-User
>   CheckAttr 
>   ReplyAttr ServiceType # contains Service-Type = Framed-User
>   ReplyAttr FramedIPAddress # Framed-IP-Address = x.x.x.x
>   ReplyAttr FramedIPNetmask # Framed-IP-Netmask = y.y.y.y
>   ReplyAttr 
>   
>  
> 
> 
> See Section 6.30.10 and 6.30.11 in the Radiator 2.14.1 reference manual.
> 
> hth
> 
> Hugh
>
