Password Policy - Expired Password - mschap

Theparanoidone Theparanoidone theparanoidone at yahoo.com
Thu Aug 12 07:21:40 CEST 2010


Greetings~

We are working on a patch.

We're of the opinion that Apple's version of rlm_mschap / opendir included 
with freeradius is missing something.

It appears they were only considering someone entering a failed 
login/password combo... not a user with a password reset or an expired 
password.  Here is the line from opendir.c:

======
if (status != eDSNoErr)
{
	errno = EACCES;
	radlog(L_ERR, "rlm_mschap: authentication failed %d", status); /* <-- returns -14091 (eDSAuthMethodNotSupported) -14090 */
	return RLM_MODULE_REJECT;
}
======

The comment provided makes it seem like they only expected error -14090...

-14090: eDSAuthFailed
0: eDSNoErr

But what about?

-14161: eDSAuthNewPasswordRequired
-14162: eDSAuthPasswordExpired


Possible solutions:
---------------------------
Solution 1)  Edit the opendir.c module to simply detect error status -14161 and 
-14162... and simply set the status to 0 instead.  This should be "good enough" 
because we know the original password supplied was correct therefore... let the 
user proceed to full login through use of the login screens built in password 
prompt.   (This assumes a user is authenticating to a networked home login, and 
probably requires the client to be a Mac OS X client).

Solution 2) Try and rig up something in Post-Auth-Type REJECT {...}  to override 
the failed login and force the response to Auth-Accept.   Perhaps, some pseudo 
conf code that says if reject-message == -14162 || reject-message == -14161 ... 
then "ok update auth-type := accept".


Can anyone provide a sample Post-Auth-Type Reject example to do this? 

Thanks in advance.

(PS... looks like this has been an issue for awhile??? we are new to 
freeradius... but I found your post here: 
 http://www.opensubscriber.com/message/freeradius-devel@lists.freeradius.org/5906511.html
 from 3 years ago ... are we the only few interested in port security and a 
password policy?)
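A sketch of how the status check quoted from opendir.c could tell the two expiry codes apart from a plain failure, added here as an example; it is not code from the post, from FreeRADIUS or from Apple's module. It keeps the expired case a REJECT but attaches the MS-CHAPv2 failure code 648 (ERROR_PASSWD_EXPIRED) that RFC 2759 defines, so a client gets a distinguishable reason instead of a generic failure; the verdict struct, the function names and the hex challenge argument are assumptions, not rlm_mschap's own API.

```c
#include <stdio.h>
#include <string.h>

/* Directory Services status codes exactly as listed in the post above;
 * the constant names follow Apple's DirectoryService headers. */
enum {
    eDSNoErr                   = 0,
    eDSAuthFailed              = -14090,
    eDSAuthNewPasswordRequired = -14161,
    eDSAuthPasswordExpired     = -14162
};

/* Module verdict (assumed shape): RLM_OK, or RLM_REJECT plus the MS-CHAPv2
 * failure code (RFC 2759 section 6) that is handed back to the client. */
enum verdict_rc { RLM_OK, RLM_REJECT };
struct verdict { enum verdict_rc rc; int mschap_error; };

/* Expired / must-change passwords stay REJECT (the credential is not
 * accepted as-is, unlike "set status to 0"), but carry E=648 so the
 * client can tell expiry apart from a wrong password (E=691). */
struct verdict classify_ds_status(long status)
{
    struct verdict v = { RLM_REJECT, 691 };  /* ERROR_AUTHENTICATION_FAILURE */
    switch (status) {
    case eDSNoErr:
        v.rc = RLM_OK;
        v.mschap_error = 0;
        break;
    case eDSAuthNewPasswordRequired:
    case eDSAuthPasswordExpired:
        v.mschap_error = 648;               /* ERROR_PASSWD_EXPIRED */
        break;
    case eDSAuthFailed:
    default:
        break;                              /* generic failure keeps 691 */
    }
    return v;
}

/* Render the MS-CHAPv2 Failure string. challenge_hex is the caller's
 * 16-byte challenge in hex; a retry is offered only for plain failures. */
int mschap_failure_string(struct verdict v, const char *challenge_hex,
                          char *buf, size_t len)
{
    int retry = (v.mschap_error == 691) ? 1 : 0;
    const char *msg = (v.mschap_error == 648) ? "Password Expired"
                                              : "Authentication Failed";
    return snprintf(buf, len, "E=%d R=%d C=%s V=3 M=%s",
                    v.mschap_error, retry, challenge_hex, msg);
}
```

Whether a given client acts on E=648 by starting a password change is client behaviour the thread does not establish; the mapping only makes the reject reason explicit in the RADIUS reply.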





----- Original Message ----
From: "Garber, Neal" <Neal.Garber at energyeast.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Wed, August 11, 2010 8:32:07 PM
Subject: RE: Password Policy - Expired Password - mschap

> if you enable the ldap/(opendirectory) option to "require user to change
> password on next login" the client is unable to connect.  

FreeRADIUS doesn't support password changes via MSCHAP.  Historically, Samba 
didn't even support it until a couple of years ago.  I believe support for this 
functionality was added to Samba 3.0.24 using a new helper protocol called 
ntlm-change-password-1.  


I posted something to the list asking if there was interest quite a while ago.  
Implementing this new helper protocol is not a trivial change to FreeRADIUS.  
Unfortunately, I haven't had enough free time to devote to implementing it yet.  
If you have the time to create the patch, I'll be one of the testers ;-)
