Old password 'grace period'

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Jun 25 12:15:58 CEST 2009


On 25/6/09 10:33, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> You should write your custom authentication script.
>
> there's probably a way of doing it all in config
> with unlang etc - but yes, a PERL script which does
> all of the SQL stuff and authentication itself
> is probably the way to go for it

I leave you guys alone for 5 minutes....

Use the sql modules to create the pool of database connections required. And list the sql instances in instantiate (the parser isn't clever enough to figure out that the module instances will be required for string expansion calls).


radiusd.conf

instantiate {
	sql_old
	sql_new
}



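authenticate {
	# Auth-Type section run for MS-CHAP requests
	Auth-Type MS-CHAP {
		# First attempt: check the response against the new password
		update control {
			Cleartext-Password := "%{sql_new:SELECT <cleartext password query...>}"
		}
		# Give reject a numeric priority instead of the default return,
		# so processing continues to the fallback below
		mschap {
			reject = 2
		}
		# On reject, retry against the old password
		if (reject) {
			update control {
				Cleartext-Password := "%{sql_old:SELECT <cleartext password query...>}"
			}
			mschap
		}
	}
}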

Don't use the automatic failover stuff, it's not appropriate here...

If this doesn't work, post the debug output. There are some issues with rcode priority assignments and unlang, but they're possible to work around.

Arran

-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


