
RE: LDAP authentication using Radius



Aaron Richton wrote:
> On Wed, 15 Aug 2012, JET JETASIK wrote:
> 
> > Still got any luck yet.
> > Nothing hit my radius server when doing simple auth to openldap.
> > Any clue on how to check this.
> >
> > Here is my /etc/radius.conf
> > auth 192.168.0.10:1812 secret
> 
> There aren't that many moving parts...
> 
> * Maybe try explicitly configuring timeout and numtries (fields 4 and 5)
> ... my radius.conf has them, the man page implies defaults but who knows.
> 

Also tried with no luck.

> * Quick check might be to do a truss/strace/etc. on the open() family to
> see if anything .*radius.* is being read, perhaps not in the path you were
> expecting. (You should see this once per bind.)

Frankly speaking, I am not working as a programmer/developer, I merely catch it
up a bit.
From truss during a simple bind, I can see it read radius.conf and
sendto() my radius server, and also got recvfrom() from it, but nothing actually
hit my radius server.
Below is the output of truss -p <slapd_pid>

exit(0x11)                                       = 454 (0x1c6)
accept(7,{ AF_INET 172.16.16.97:49479 },0x7ffffebfbc2c) = 9 (0x9)
write(5,"0",1)                                   = 1 (0x1)
clock_gettime(13,{1345088224.000000000 })        = 0 (0x0)
select(17,{4 6 7},0x0,0x0,0x0)                   = 1 (0x1)
read(4,"0",1024)                                 = 1 (0x1)
setsockopt(0x9,0x6,0x1,0x7ffffebfbc28,0x4,0x0)   = 0 (0x0)
getpid()                                         = 4200 (0x1068)
clock_gettime(13,{1345088224.000000000 })        = 0 (0x0)
sigprocmask(SIG_BLOCK,0x0,0x0)                   = 0 (0x0)
open("/etc/hosts.allow",O_RDONLY,0666)           = 18 (0x12)
fstat(18,{ mode=-rw-r--r-- ,inode=1278751,size=3353,blksize=32768 }) = 0 (0x0)
read(18,"#\n# hosts.allow access control "...,32768) = 3353 (0xd19)
close(18)                                        = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0)                 = 0 (0x0)
clock_gettime(13,{1345088224.000000000 })        = 0 (0x0)
fcntl(9,F_GETFL,)                                = 6 (0x6)
fcntl(9,F_SETFL,O_NONBLOCK|0x2)                  = 0 (0x0)
write(5,"0",1)                                   = 1 (0x1)
read(4,"0",1024)                                 = 1 (0x1)
clock_gettime(13,{1345088224.000000000 })        = 0 (0x0)
select(17,{4 6 7 9},0x0,0x0,0x0)                 = 1 (0x1)
-- UNKNOWN SYSCALL 8769568 --
getpid()                                         = 4200 (0x1068)
sendto(3,"<167>Aug 16 10:37:04 slapd[4200]"...,99,0x0,NULL,0x0) = 3 (0x3)
compat.creat(0x9,0x81846006f,0x8,0x0,0x50,0x0)   = 99 (0x63)
clock_gettime(13,{1345088224.000000000 })        = 0 (0x0)
fchdir(0x7fffff3fcb50,0x18726,0x441050,0x0,0x0,0x502c6ae0) = 3 (0x3)
fchflags(0x9,0x817c6056f,0x8,0x0,0x50,0x7fffff3fc93f) = 4 (0x4)
exit(0x5)                                        = 1 (0x1)
exit(0x4)                                        = 232 (0xe8)
getpid()                                         = 232 (0xe8)
sendto(3,"<167>Aug 16 10:37:04 slapd[4200]"...,110,0x0,NULL,0x0) = 93 (0x5d)
open("/dev/random",O_RDONLY,00)                  = 18 (0x12)
read(18,"\M-I\M^^o\^_\M^C*\M-2\\\M-x\M-Q"...,124) = 124 (0x7c)
close(18)                                        = 0 (0x0)
open("/etc/radius.conf",O_RDONLY,0666)           = 18 (0x12)
fstat(18,{ mode=-rw-r--r-- ,inode=1278806,size=28,blksize=32768 }) = 0 (0x0)
read(18,"auth 10.10.10.9:1812 secret\n",32768)   = 28 (0x1c)
read(18,0x817c6a000,32768)                       = 0 (0x0)
close(18)                                        = 0 (0x0)
socket(PF_INET,SOCK_DGRAM,17)                    = 18 (0x12)
bind(18,{ AF_INET 0.0.0.0:0 },16)                = 0 (0x0)
sendto(18,"\^A\M-y\08\M^T\M^V\M-K\M-~\a\M-*"...,56,0x0,{ AF_INET 10.10.10.9:1812 },0x10) = 56 (0x38)
gettimeofday({1345088224.408943 },0x0)           = 0 (0x0)
select(19,{18},0x0,0x0,{3.000000 })              = 1 (0x1)
recvfrom(18,"\^C\M-y\0\^T\M-FB\M-N\M-"\\\M^_"...,4096,0x40,{ AF_INET 10.10.10.9:1812 },0x7fffff3fb62c) = 20 (0x14)
close(18)                                        = 0 (0x0)
write(9,"0\f\^B\^A\^Aa\a\n\^A1\^D\0\^D\0",14)    = 14 (0xe)
clock_gettime(13,{1345088224.000000000 })        = 0 (0x0)
getpid()                                         = 4200 (0x1068)
sendto(3,"<167>Aug 16 10:37:04 slapd[4200]"...,75,0x0,NULL,0x0) = 75 (0x4b)
exit(0x11)                                       = 454 (0x1c6)
clock_gettime(13,{1345088224.000000000 })        = 0 (0x0)
clock_gettime(13,{1345088224.000000000 })        = 0 (0x0)
read(9,0x817c6056f,8)                            = 0 (0x0)
select(17,{4 6 7},0x0,0x0,0x0)                   = 1 (0x1)
read(4,"0",1024)                                 = 1 (0x1)
clock_gettime(13,{1345088224.000000000 })        = 0 (0x0)
shutdown(9,SHUT_RDWR)                            = 0 (0x0)
close(9)                                         = 0 (0x0)
clock_gettime(13,{1345088224.000000000 })        = 0 (0x0)
getpid()                                         = 4200 (0x1068)
sendto(3,"<167>Aug 16 10:37:04 slapd[4200]"...,73,0x0,NULL,0x0) = 73 (0x49)


> * Turn up slapd debugging, make sure you're getting to the bind in the
> first place in terms of ACLs, etc.
> 
> * Attach a debugger, break on chk_radius. It's not that complex a
> function...
> 
Here is the slapd log.
Aug 16 10:37:04 freebsd slapd[4200]: conn=1004 fd=9 ACCEPT from IP=172.16.16.97:49479 (IP=0.0.0.0:389)
Aug 16 10:37:04 freebsd slapd[4200]: conn=1004 op=0 BIND dn="cn=xxx,ou=xxx,dc=xxx,dc=xx,dc=xx" method=128
Aug 16 10:37:04 freebsd slapd[4200]: conn=1004 op=0 RESULT tag=97 err=49 text=
Aug 16 10:37:04 freebsd slapd[4200]: conn=1004 fd=9 closed (connection lost)

---
JET JETASIK
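The truss output above already contains the RADIUS exchange in its raw bytes: the sendto() payload starts with `\^A\M-y\08` (code 0x01 Access-Request, identifier 0xf9, length 0x0038 = 56) and the recvfrom() payload starts with `\^C\M-y\0\^T` (code 0x03 Access-Reject, identifier 0xf9, length 0x0014 = 20). The following Python is an added example, not code from the thread, from OpenLDAP or from libradius; it parses the radius.conf line format discussed here (type host[:port] secret [timeout [retries]], with assumed defaults for the optional fields), decodes a RADIUS header as laid out in RFC 2865, and checks a reply's Response Authenticator (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret), which is the check a client performs before trusting an Accept or Reject. The sample datagram is constructed from the header bytes visible in the trace with a made-up authenticator.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2865
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Header layout: Code (1) | Identifier (1) | Length (2, big-endian) | Authenticator (16)
HEADER = struct.Struct("!BBH")
HEADER_LEN = 20


def parse_radius_conf(text, default_port=1812, default_timeout=3, default_retries=3):
    """Parse radius.conf lines of the form shown in the thread:
    type host[:port] secret [timeout [retries]]  (fields 4 and 5 are optional).
    The defaults substituted for missing fields are assumptions made for this example."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed radius.conf line: {raw!r}")
        host, _, port = fields[1].partition(":")
        servers.append({
            "type": fields[0],
            "host": host,
            "port": int(port) if port else default_port,
            "secret": fields[2].encode(),
            "timeout": int(fields[3]) if len(fields) > 3 else default_timeout,
            "retries": int(fields[4]) if len(fields) > 4 else default_retries,
        })
    return servers


def parse_radius_header(datagram):
    """Split a RADIUS datagram into its header fields and attribute bytes."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    code, ident, length = HEADER.unpack(datagram[:4])
    if length < HEADER_LEN or length > len(datagram):
        raise ValueError(f"invalid RADIUS length field {length}")
    return {
        "code": code,
        "name": RADIUS_CODES.get(code, "unknown"),
        "id": ident,
        "length": length,
        "authenticator": datagram[4:HEADER_LEN],
        "attributes": datagram[HEADER_LEN:length],   # bytes past `length` are ignored
    }


def build_access_request(ident, request_authenticator, user_name):
    """Client side: Access-Request carrying only a User-Name attribute (type 1)."""
    attrs = bytes([1, 2 + len(user_name)]) + user_name
    return HEADER.pack(1, ident, HEADER_LEN + len(attrs)) + request_authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: reply whose authenticator is
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    req = parse_radius_header(request)
    head = HEADER.pack(code, req["id"], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + req["authenticator"] + attrs + secret).digest()
    return head + resp_auth + attrs


def response_authenticator_ok(request, response, secret):
    """Client side: accept a reply only if its ID matches and its authenticator
    verifies under the shared secret; otherwise it is not from the configured server."""
    req = parse_radius_header(request)
    resp = parse_radius_header(response)
    if resp["id"] != req["id"]:
        return False
    expected = hashlib.md5(response[:4] + req["authenticator"] + resp["attributes"] + secret).digest()
    return hmac.compare_digest(expected, resp["authenticator"])


# Constructed sample: the four header bytes seen in the trace's recvfrom(),
# 03 f9 00 14, followed by a made-up 16-byte authenticator.
SAMPLE_REJECT = bytes.fromhex("03f90014") + bytes(range(16))


def decode_trace_reply():
    """Decode the constructed reply above; it is a 20-byte Access-Reject for request id 0xf9."""
    return parse_radius_header(SAMPLE_REJECT)


if __name__ == "__main__":
    print(parse_radius_conf("auth 10.10.10.9:1812 secret\n"))
    print(decode_trace_reply())
```

A 20-byte reply is a bare header with no attributes, so an Access-Reject of that size carries no Reply-Message; whether the reject came from the expected host and secret is exactly what the authenticator check decides, and a mismatch in either would also show up as a failed check here.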