eDir Universal password implementation.

Olivier Beytrison olivier at heliosnet.org
Fri Dec 7 18:50:29 CET 2012


On 07.12.2012 18:07, Olivier Beytrison wrote:
> On 07.12.2012 17:54, Alan DeKok wrote:
>>
>>   I've pushed a one-character fix.
>>
> Found it also, and I also had to invert char * and size_t in my call in
> rlm_ldap.c
> 
> Okay, code working again.
> I'll push all those changes to my repo.
> 
Code has been pushed, along with some other fix/typo/formatting changes.

Things work on my side [1]. I'm happy with it. Now it depends on you whether
you want more rewriting of the code. If so, I can test your changes
whenever you want.

Olivier

[1] working example
rad_recv: Access-Request packet from host 127.0.0.1 port 39774, id=247,
length=87
        User-Name = "olivier.beytriso"
        CHAP-Password = 0x9960e4b86ea318e5b24xxxxxxxxxxxxx
        NAS-IP-Address = 160.98.240.25
        NAS-Port = 0
        Message-Authenticator = 0x0e83e1b97e7dd468e136da6be344114b
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0)   group authorize {
(0)  - entering group authorize {...}
(0)    policy filter_username {
(0)   - entering policy filter_username {...}
[snip]
(0)   - policy filter_username returns notfound
(0)   [preprocess] = ok
(0) chap : Setting 'Auth-Type := CHAP'
(0)   [chap] = ok
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "olivier.beytriso", looking up realm NULL
(0) suffix : No such realm "NULL"
(0)   [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)   [files] = noop
(0) ldap :      expand: '%{Stripped-User-Name}' -> ''
(0) ldap :      ... expanding second conditional
(0) ldap :      escape: 'olivier.beytriso' -> 'olivier.beytriso'
(0) ldap :      expand: '%{User-Name}' -> 'olivier.beytriso'
(0) ldap :      expand: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})'
-> '(uid=olivier.beytriso)'
(0) ldap :      expand: 'ou=people,o=hes-so' -> 'ou=people,o=hes-so'
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : Performing search in 'ou=people,o=hes-so' with filter
'(uid=olivier.beytriso)'
(0) ldap : User found at DN "cn=31935762,ou=courant,ou=people,o=hes-so"
(0) ldap : Added the eDirectory password XXXXXXXXXX in check items as
Cleartext-Password
(0) ldap :      control:hessoRole +=
"31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL" (hessoRole)
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing idle connection (0): Too many free connections
(5 > 3)
rlm_ldap (ldap): Closing connection (0)
(0)   [ldap] = ok
(0)   [expiration] = noop
(0)   [logintime] = noop
(0) Found Auth-Type = CHAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   group CHAP {
(0)  - entering group CHAP {...}
(0) chap : login attempt by "olivier.beytriso" with CHAP password
(0) chap : Using clear text password "XXXXXXXXXX" for user
olivier.beytriso authentication.
(0) chap : chap user olivier.beytriso authenticated succesfully
(0)   [chap] = ok
(0) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(0)   group post-auth {
(0)  - entering group post-auth {...}
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : Login attempt by "olivier.beytriso" with password "XXXXXXXXXX"
(0) ldap : Bind as user "cn=31935762,ou=courant,ou=people,o=hes-so" was
successful
rlm_ldap (ldap): Released connection (4)
(0)   [ldap] = ok
(0)   [exec] = noop
(0)    policy remove_reply_message_if_eap {
(0)   - entering policy remove_reply_message_if_eap {...}
(0)    ? if (reply:EAP-Message && reply:Reply-Message)
(0) ? Evaluating (reply:EAP-Message ) -> FALSE
(0) ? Skipping (reply:Reply-Message)
(0)    ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(0)     else else {
(0)    - entering else else {...}
(0)     [noop] = noop
(0)    - else else returns noop
(0)   - policy remove_reply_message_if_eap returns noop
Sending Access-Accept of id 247 from 127.0.0.1 port 1812 to 127.0.0.1
port 39774


-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: olivier at heliosnet.org
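Added illustration, not code from this thread or from FreeRADIUS itself: the trace above only works because rlm_ldap hands the eDirectory Universal Password back as a Cleartext-Password check item, since CHAP (RFC 1994) can only be verified by recomputing MD5(id || secret || challenge) from the plaintext secret. The snippet below reproduces that check the way rlm_chap performs it, using the Request Authenticator as the challenge when no CHAP-Challenge attribute is present (as in the request above, which carries none); the password, CHAP id and authenticator bytes are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

CHAP_PASSWORD_LEN = 17  # 1-byte CHAP identifier followed by a 16-byte MD5 digest


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994): CHAP-Password = id || MD5(id || secret || challenge)."""
    digest = hashlib.md5(bytes([chap_id]) + secret + challenge).digest()
    return bytes([chap_id]) + digest


def verify_chap(chap_password: bytes, cleartext_password: bytes,
                request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server side, as rlm_chap does it: recompute the response from the
    cleartext password and compare. RFC 2865 section 5.3: the challenge is
    the CHAP-Challenge attribute if present, otherwise the 16-byte Request
    Authenticator of the Access-Request."""
    if len(chap_password) != CHAP_PASSWORD_LEN:
        return False  # malformed attribute, reject before touching the secret
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    # constant-time comparison so a wrong digest does not leak via timing
    return hmac.compare_digest(expected, chap_password)


# Constructed sample values (not from the trace above).
SAMPLE_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PASSWORD = b"correct horse battery staple"  # what eDirectory returned
SAMPLE_CHAP_ID = 0x2A


def demo() -> bool:
    """Client builds the CHAP-Password; server verifies it with the
    directory-supplied cleartext password. Returns the verification result."""
    chap_password = chap_response(SAMPLE_CHAP_ID, SAMPLE_PASSWORD, SAMPLE_AUTHENTICATOR)
    return verify_chap(chap_password, SAMPLE_PASSWORD, SAMPLE_AUTHENTICATOR)


if __name__ == "__main__":
    print("CHAP verification:", "ok" if demo() else "reject")
```

Note that a directory that stored only a salted hash of the password could not feed this check at all, which is why the Universal Password retrieval matters for CHAP and MS-CHAP while a plain LDAP bind (as in the post-auth section above) would work either way.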
