Hello Dubravko -
It must be your Host declaration that is causing the problem - I haven't
seen this before "ldapi:///"
Have you tried with just the IP address?
Otherwise you could try escaping the special characters:
Host ldapi\:\/\/\/
You could also use Radiator GlobalVars instead.
Please let us know your results.
regards
Hugh
On 8/4/2026 17:18, Dubravko Penezic wrote:
Hi Hugh,
the configuration is as follows:
Trace 4
LogTraceId
LogMicroseconds
DbDir /etc/radiator
LogDir /var/log/radiator
LogFile %L/radiator-test.log
AuthPort 1812
AcctPort 1813
DictionaryFile /opt/radiator/radiator/dictionary
<Client 10.10.10.10>
    Secret PeroPero
    StatusServer off
</Client>
<Realm DEFAULT>
    RewriteUsername s/^(.+)(\.hs@)(mali\.hr)$/$1/i
    <AuthBy LDAP2>
        Host ldapi:///
        # Port
        Timeout 5
        FailureBackoffTime 60
        UseSASL
        SASLMechanism EXTERNAL
        BaseDN %0=%1,dc=mali,dc=hr
        Scope base
        UsernameAttr uid
        ServerChecksPassword
        UnbindAfterServerChecksPassword
        AuthenProto PAP
        AuthAttrDef hrEduPersonExpireDate,Connect-Info,reply
    </AuthBy>
</Realm>
Debug log output is:
00000000 Wed Apr 8 09:07:55 2026 569528: DEBUG: Radius::JSON backend
is Cpanel::JSON::XS version 4.39
00000000 Wed Apr 8 09:07:55 2026 569652: DEBUG: SCTP socket API
extensions not available
00000000 Wed Apr 8 09:07:55 2026 569705: DEBUG: Finished reading
configuration file '/etc/radiator/radiator-test.conf'
00000000 Wed Apr 8 09:07:55 2026 729564: DEBUG: Radius::JSON backend
is Cpanel::JSON::XS version 4.39
00000000 Wed Apr 8 09:07:55 2026 729669: DEBUG: SCTP socket API
extensions not available
00000000 Wed Apr 8 09:07:55 2026 729718: DEBUG: Finished reading
configuration file '/etc/radiator/radiator-test.conf'
00000000 Wed Apr 8 09:07:55 2026 729860: DEBUG: Reading RADIUS
dictionary file '/opt/radiator/radiator/dictionary'
00000000 Wed Apr 8 09:07:55 2026 797863: INFO: Using Net::SSLeay 1.94
with SSL/TLS library version 0x30500050 (OpenSSL 3.5.5 27 Jan 2026)
00000000 Wed Apr 8 09:07:55 2026 797949: DEBUG: SSL/TLS library and
Net::SSLeay support set_default_passwd_cb and related functions
00000000 Wed Apr 8 09:07:55 2026 798061: DEBUG: This system is IPv6
capable. IPv6 capability provided by: core
00000000 Wed Apr 8 09:07:55 2026 798171: WARNING: Startup check could
not load Radius::UtilXS or Digest::MD4. See Radiator reference manual
for DisabledRuntimeChecks parameter
00000000 Wed Apr 8 09:07:55 2026 798283: DEBUG: Creating
authentication socket 0.0.0.0 port 1812
00000000 Wed Apr 8 09:07:55 2026 798423: DEBUG: Creating accounting
socket 0.0.0.0 port 1813
00000000 Wed Apr 8 09:07:55 2026 798529: NOTICE: Server started:
Radiator 4.30 on pero.mali.hr
51c516c0 Wed Apr 8 09:08:22 2026 962489: DEBUG: Packet dump:
51c516c0 *** Received from 10.10.10.10 port 48750 ....
51c516c0 Code: Access-Request
51c516c0 Identifier: 135
51c516c0 Authentic:
[<131><191><178>[<28><17><151><135><235>|)<205>W<249><189>
51c516c0 Attributes:
51c516c0 Message-Authenticator =
<150><131><133>zb<237><131>+y<230><178><8>x<171><158>H
51c516c0 User-Name = "[email protected]"
51c516c0 User-Password =
ji<155><5>)<194><206><143><152><176><223>(6<148><226><134>
51c516c0 Wed Apr 8 09:08:22 2026 962720: DEBUG: Handling request with
Handler 'Realm=DEFAULT', Identifier ''
51c516c0 Wed Apr 8 09:08:22 2026 964567: DEBUG: Rewrote user name to
[email protected]
51c516c0 Wed Apr 8 09:08:22 2026 964699: DEBUG: SessINTERNAL:
Deleting session for [email protected], 161.53.2.218,
51c516c0 Wed Apr 8 09:08:22 2026 964785: DEBUG: Handling with
Radius::AuthLDAP2:
00000000 Wed Apr 8 09:08:22 2026 964943: INFO: AuthLDAP2 Connecting
to ldapi:/// port 389
00000000 Wed Apr 8 09:08:22 2026 965184: ERR: AuthLDAP2 Could not
open LDAP connection to ldapi:/// port 389. Backing off for 60 seconds.
51c516c0 Wed Apr 8 09:08:22 2026 965264: DEBUG: AuthBy LDAP2 result:
IGNORE, User database access error
51c516c0 Wed Apr 8 09:08:22 2026 965349: DEBUG: Access ignored for
[email protected]: User database access error
7233ee90 Wed Apr 8 09:08:27 2026 967645: DEBUG: Packet dump:
7233ee90 *** Received from 10.10.10.10 port 48750 ....
7233ee90 Code: Access-Request
7233ee90 Identifier: 135
7233ee90 Authentic:
[<131><191><178>[<28><17><151><135><235>|)<205>W<249><189>
7233ee90 Attributes:
7233ee90 Message-Authenticator =
<150><131><133>zb<237><131>+y<230><178><8>x<171><158>H
7233ee90 User-Name = "[email protected]"
7233ee90 User-Password =
ji<155><5>)<194><206><143><152><176><223>(6<148><226><134>
7233ee90 Wed Apr 8 09:08:27 2026 967957: INFO: Duplicate request id
135 received from 161.53.2.218(48750): ignored
ae817440 Wed Apr 8 09:08:32 2026 972748: DEBUG: Packet dump:
ae817440 *** Received from 10.10.10.10 port 48750 ....
ae817440 Code: Access-Request
ae817440 Identifier: 135
ae817440 Authentic:
[<131><191><178>[<28><17><151><135><235>|)<205>W<249><189>
ae817440 Attributes:
ae817440 Message-Authenticator =
<150><131><133>zb<237><131>+y<230><178><8>x<171><158>H
ae817440 User-Name = "[email protected]"
ae817440 User-Password =
ji<155><5>)<194><206><143><152><176><223>(6<148><226><134>
I did a small redaction of the conf and log, but only of the IP address
and username parts.
From my point of view, RADIATOR code isn't able to connect to the local
LDAP service using SASL, it doesn't matter what the request contains. But I may
be wrong.
Regards,
Dubravko
On 4/8/26 7:37 AM, Dubravko Penezic via radiator wrote:
Hi Hugh,
indirectly you gave very good advice :) ... try with a clean
configuration.
I have a relatively complex configuration across multiple files and
some Perl code, so it is somewhat hard to do a proper redaction. However,
it is very easy for me to create a simple clean example for testing.
I will do that today and send the findings and configuration.
Regards,
Dubravko
On 4/8/26 2:01 AM, Hugh Irvine wrote:
Hello Dubravko -
Could you please send us a redacted copy of the configuration file?
I've not seen a connection string like the one you show below?
thanks
Hugh
On 7/4/2026 23:48, Dubravko Penezic via radiator wrote:
Hi,
a few days ago we changed from Debian 12 to Debian 13, and the working
configuration of RADIATOR 4.30-1 stopped working in the part that connects
to the LDAP (OpenLDAP) service on the same server.
The error is as follows:
00b6e9f0 Tue Apr 7 15:38:58 2026 533634: DEBUG: Handling with
Radius::AuthLDAP2:
00000000 Tue Apr 7 15:38:58 2026 533789: INFO: AuthLDAP2
Connecting to ldapi:/// port 389
00000000 Tue Apr 7 15:38:58 2026 534044: ERR: AuthLDAP2 Could not
open LDAP connection to ldapi:/// port 389. Backing off for 60
seconds.
I did check the slapd configuration and checked ldapi:/// EXTERNAL
authentication from the command line, and impersonating the radiator
user everything works correctly; "only" RADIATOR is not able to
connect.
Any ideas? Or debugging options?
Regards,
Dubravko Penezic
Srce
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
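Added example, not part of the thread and not Radiator code: a small triage script for the Trace 4 log format shown above (LogTraceId and LogMicroseconds enabled). It reports each AuthLDAP2 connection failure, when the logged backoff ends, and how many requests were dropped meanwhile. The names parse_line, triage and SAMPLE are hypothetical, and it assumes unwrapped log lines and an English locale for month names.

```python
import re
from datetime import datetime, timedelta

# <trace id> <weekday> <month> <day> <time> <year> <microseconds>: <LEVEL>: <message>
LINE = re.compile(
    r"^(?P<trace>[0-9a-f]{8}) \w{3} (?P<ts>\w{3} +\d+ [\d:]{8} \d{4}) "
    r"(?P<us>\d+): (?P<level>[A-Z]+): (?P<msg>.*)$")
CONNECT_ERR = re.compile(
    r"AuthLDAP2 Could not open LDAP connection to (?P<host>\S+) "
    r"port (?P<port>\d+)\. Backing off for (?P<secs>\d+) seconds")

def parse_line(line):
    """Return trace id, timestamp, level and message, or None for dump bodies."""
    m = LINE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
    return {"trace": m["trace"], "level": m["level"], "msg": m["msg"],
            "when": when.replace(microsecond=int(m["us"]))}

def triage(lines):
    """Summarise LDAP backend failures and the requests dropped because of them."""
    report = {"failures": [], "ignored": 0, "duplicates": 0}
    for rec in filter(None, map(parse_line, lines)):
        err = CONNECT_ERR.search(rec["msg"])
        if rec["level"] == "ERR" and err:
            report["failures"].append({
                "host": err["host"],
                "port": int(err["port"]),
                # End of the backoff period announced in the log line.
                "retry_after": rec["when"] + timedelta(seconds=int(err["secs"])),
                # ldapi:// names a UNIX domain socket and has no TCP port; a port
                # logged beside it is flagged for follow-up (a hint, not a diagnosis).
                "uri_logged_with_port": "://" in err["host"],
            })
        elif "result: IGNORE, User database access error" in rec["msg"]:
            report["ignored"] += 1
        elif rec["msg"].startswith("Duplicate request id"):
            report["duplicates"] += 1
    return report

# Constructed sample: lines modelled on the log in the thread, unwrapped.
SAMPLE = [
    "51c516c0 Wed Apr 8 09:08:22 2026 962489: DEBUG: Packet dump:",
    "51c516c0 Code: Access-Request",
    "00000000 Wed Apr 8 09:08:22 2026 964943: INFO: AuthLDAP2 Connecting to ldapi:/// port 389",
    "00000000 Wed Apr 8 09:08:22 2026 965184: ERR: AuthLDAP2 Could not open LDAP connection to ldapi:/// port 389. Backing off for 60 seconds.",
    "51c516c0 Wed Apr 8 09:08:22 2026 965264: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error",
    "7233ee90 Wed Apr 8 09:08:27 2026 967957: INFO: Duplicate request id 135 received from 10.10.10.10(48750): ignored",
]
```

Calling triage(SAMPLE) returns one failure for host ldapi:/// with the port flag set, one ignored request and one duplicate.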