Old password 'grace period'

John Kane john.kane at prodeasystems.com
Wed Jun 24 21:23:07 CEST 2009


> hmm, all you are doing is setting the values to what they
> normally are...you need something like
> 
> 
> group {
>         sql_new {
>                 reject = 1
>                 ok = return
>         }
>         sql_old {
>                 reject = 1
>                 ok = return
>         }
> }
> 
> 
> alan
> -

[JK] Tried that earlier, Alan.  Seems whenever ok = return is set, we
process no further.  Here are the logs from a 'radtest', where testRadOld
is entered as the password (testRad is the new password, testRadOld is
the old password in the DB).  We see the first query, where there is a
password mismatch, but the second query never happens (it does in other
configuration settings, but I never see it compare BOTH passwords to
what was received):

++- entering group  {...}
[sql_new]       expand: %{User-Name} -> radTest
[sql_new] sql_set_user escaped user --> 'radTest'
rlm_sql (sql_new): Reserving sql socket id: 3
[sql_new]       expand: select repeat('1',1) as Id,tunnelid as
UserName,repeat('Cleartext-Password',1)   as Attribute, newkey as
Value,repeat(':=',1) as op from am_tunnelkey   where tunnelid
='%{SQL-User-Name}' ORDER BY id -> select repeat('1',1) as Id,tunnelid
as UserName,repeat('Cleartext-Password',1)   as Attribute, newkey as
Value,repeat(':=',1) as op from am_tunnelkey   where tunnelid ='radTest'
ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql_new] User found in radcheck table
rlm_sql (sql_new): Released sql socket id: 3
+++[sql_new] returns ok
++- group  returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testRadOld"
[pap] Using clear text password "testRad"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [radTest]
(from client localhost port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> radTest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 26 to 127.0.0.1 port 32800


Thanks,
John
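As an added illustration (this is not code from the thread and not FreeRADIUS code), the following Python models two mechanisms that together explain the log above: how an unlang group stops at the first module whose return code is mapped to `return`, and how a `:=` check item replaces an existing `Cleartext-Password` before rlm_pap compares the login password against that single attribute. The module results, the per-instance query rows and the priority handling are simplified, constructed stand-ins for the radtest run quoted in the message; the names `run_group`, `apply_check_items`, `pap_check` and `authenticate` are this example's own.

```python
# Simplified model of FreeRADIUS 2.x unlang group evaluation and of the
# check-item merge performed by the sql module's authorize method.
# Added example, not FreeRADIUS code; all data below is constructed.

RETURN = "return"

# Constructed stand-ins for the two sql instances: each "query" yields one
# check item (attribute, op, value), mirroring the page's
# select ... 'Cleartext-Password' as Attribute ... ':=' as op
DB = {
    "sql_new": [("Cleartext-Password", ":=", "testRad")],
    "sql_old": [("Cleartext-Password", ":=", "testRadOld")],
}


def apply_check_items(control, items):
    """Merge check items into the request's control list the way ':=' does:
    replace any existing attribute of the same name, otherwise add it."""
    for attr, op, value in items:
        if op == ":=":
            control = [(a, v) for a, v in control if a != attr]
            control.append((attr, value))
        elif op == "==":
            pass  # pure comparison operator, not modelled here
        else:
            control.append((attr, value))  # '+=' style: append, keep existing
    return control


def run_group(modules, actions, control):
    """Evaluate a group { module { code = action ... } } section.
    actions[module][code] is either RETURN or an integer priority
    (assumption: a later code with priority >= the running priority
    replaces the section result). Returns (result, control, modules_run)."""
    result, priority, ran = "noop", 0, []
    for name in modules:
        ran.append(name)
        items = DB.get(name, [])
        control = apply_check_items(control, items)
        code = "ok" if items else "notfound"
        action = actions[name][code]
        if action == RETURN:  # stop the section, return this module's code
            return code, control, ran
        if isinstance(action, int) and action >= priority:
            result, priority = code, action
    return result, control, ran


def pap_check(control, login_password):
    """rlm_pap compares the login password with the single
    Cleartext-Password control attribute; it never tries two."""
    cleartext = [v for a, v in control if a == "Cleartext-Password"]
    if len(cleartext) != 1:
        return "fail"
    return "ok" if cleartext[0] == login_password else "reject"


def authenticate(actions, login_password):
    """authorize {} group followed by Auth-Type PAP, as in the quoted log."""
    result, control, ran = run_group(["sql_new", "sql_old"], actions, [])
    return ran, control, pap_check(control, login_password)


# Thread config: ok = return on both instances -> sql_old never runs
WITH_RETURN = {
    "sql_new": {"ok": RETURN, "notfound": 1, "reject": 1},
    "sql_old": {"ok": RETURN, "notfound": 1, "reject": 1},
}
# Numeric priority instead: both run, but the second ':=' replaces the first
WITH_PRIORITY = {
    "sql_new": {"ok": 3, "notfound": 1, "reject": 1},
    "sql_old": {"ok": 3, "notfound": 1, "reject": 1},
}

if __name__ == "__main__":
    for label, cfg in (("ok = return", WITH_RETURN), ("ok = 3", WITH_PRIORITY)):
        ran, control, verdict = authenticate(cfg, "testRadOld")
        print(f"{label}: ran={ran} control={control} pap={verdict}")
```

Running it with the old password shows the two failure modes side by side: with `ok = return` only `sql_new` executes and PAP rejects "testRadOld" against "testRad", exactly as in the log; with a numeric priority both instances execute, but the second `:=` overwrites the first, so whichever query runs last decides and the other password is still never compared.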


