Old password 'grace period'

John Kane john.kane at prodeasystems.com
Wed Jun 24 22:07:27 CEST 2009


I was hoping that would not be your response :)

> -----Original Message-----
> From: freeradius-users-
> bounces+john.kane=prodeasystems.com at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+john.kane=prodeasystems.com at lists.freeradius.org] On Behalf Of
> A.L.M.Buxey at lboro.ac.uk
> Sent: Wednesday, June 24, 2009 2:56 PM
> To: FreeRadius users mailing list
> Subject: Re: Old password 'grace period'
> 
> Hi,
> 
> > [JK] Tried that earlier Alan.  Seems whenever ok = return is set, we
> > process no further.  Here's the logs from a 'radtest', where testRadOld
> > is entered as the password (testRad is the new password, testRadOld is
> > the old password in the DB).  We see the first query, where there is a
> > password mismatch, but the second query never happens (it does in other
> > configuration settings, but I never see it compare BOTH passwords to
> > what was received):
> 
> ooh. me sir, me sir!  (said whilst jumping around holding hand
> in the air.)
> 
> the SQL module is not doing the checking - it's simply collecting
> the Cleartext-Password for that User-Name (and thus, if the user
> exists, it's returning 'ok' - therefore the group returns ok)
> 
> > [sql_new] User found in radcheck table
> > rlm_sql (sql_new): Released sql socket id: 3
> > +++[sql_new] returns ok
> > ++- group  returns ok
> 
> now, the PAP module kicks in - and that compares the value sent
> versus the value got from SQL....and so here's where it breaks.
> 
> > [pap] login attempt with password "testRadOld"
> > [pap] Using clear text password "testRad"
> > [pap] Passwords don't match
> > ++[pap] returns reject
> 
> ta da!
> 
> so, what you've actually got to do is run the pap method twice.
> once for the user-name/password from sql_new and once for the
> user-name/password from sql_old.   one of those methods would
> work for a valid user....
> 
> that's a funky bit of group/failover requirement that'll have to
> be cooked up...maybe
> 
> group {
>   sql_new {
>   pap
>   ok = return
>   }
>   sql_old {
>   pap
>   ok = return
>   }
> }
> 
> or something along those broken lines ;-)
> 
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
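A different way to get the effect Alan describes, added here as an illustration and not taken from this thread or from the FreeRADIUS project: instead of running pap twice, the authorize section compares the received User-Password with the password sql_new fetched and, on mismatch, overwrites control:Cleartext-Password from sql_old through that instance's xlat, so the single pap call in authenticate sees the old password. It assumes FreeRADIUS 2.x unlang, two sql instances named sql_new and sql_old as in the thread (each with its own radcheck table), and PAP clients, since both the string compare and pap need a cleartext User-Password.

```unlang
# Added illustration, not from the thread. Assumes two sql instances,
# sql_new and sql_old (each with its own radcheck table), defined in
# the modules configuration, and PAP clients (cleartext User-Password).
authorize {
    preprocess

    # sql_new copies this user's Cleartext-Password from its radcheck
    # table into the control list; it does not compare anything, which
    # is why it returns ok for any existing user.
    sql_new

    # Received password does not match the current one: replace the
    # control attribute with the old password fetched via sql_old.
    # %{sql_old:...} runs the query through that instance and expands
    # to the first column of the first row (empty if there is no row,
    # in which case pap below rejects a non-empty User-Password).
    if (User-Password && "%{control:Cleartext-Password}" != "%{User-Password}") {
        update control {
            Cleartext-Password := "%{sql_old:SELECT value FROM radcheck WHERE username = '%{SQL-User-Name}' AND attribute = 'Cleartext-Password'}"
        }
    }

    # pap sets Auth-Type := PAP because a Cleartext-Password is present.
    pap
}

authenticate {
    # One comparison: received User-Password against whichever password
    # was left in control:Cleartext-Password by the authorize section.
    Auth-Type PAP {
        pap
    }
}
```

Because the old password stays accepted for as long as its row exists, the row in sql_old's table has to be removed when the grace period ends; otherwise both passwords remain valid indefinitely. The debug output from radiusd -X shows which password pap compared, as in the log lines Alan quoted.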






