FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
Alan DeKok
aland at deployingradius.com
Mon Dec 3 14:11:59 CET 2018
On Dec 3, 2018, at 8:00 AM, michael böhm <ksk2 at gmx.net> wrote:
> we've decided to use the Radius-interface of the SecurID-server and not
> the proprietary protocol.
OK.
> Now I need unlang to make the access decision:
>
> LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) =
> ACCEPT to NAS
>
> I tried it like that in the authorize-section but it did not work:
See the FAQ for "it doesn't work".
> filter_username
> preprocess
>
> # %{1} = ldap-password
> # %{2} = Token
>
> if (User-Password =~ /^(.+)([0-9]{6})$/) {
>     update request {
>         User-Password := "%{2}"
>     }
>     update control {
>         Proxy-To-Realm := "securid"
>     }
>
>     update request {
>         User-Password := "%{1}"
>     }
>
>     ldap
> }
>
> pap
>
> The proxying itself is working fine but not the correlation of the two
> results.
What does that mean?
> Could you please give me a minimal example of how to create this
> and-logic in unlang?
My $0.02 is to check the user's password *first*, and then proxy to RSA if it passed.
# %{1} = password part (checked against LDAP), %{2} = 6-digit tokencode (proxied to RSA)
if (User-Password =~ /^(.+)([0-9]{6})$/) {
	update request {
		User-Password := "%{1}"
	}

	# get the "known good" password from LDAP
	ldap

	# check the user's password
	# if this fails, the user will be automatically rejected
	pap.authenticate

	update control {
		Proxy-To-Realm := "securid"
	}

	# only the tokencode goes to RSA
	update request {
		User-Password := "%{2}"
	}
}
else {
	... do stuff for non-RSA users ...
}
Alan DeKok.
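A fuller version of the "check the static password first, then proxy only the tokencode" flow, added here as an example; it is not from the thread above or from the FreeRADIUS project. It assumes FreeRADIUS 3.x, and the realm name "securid", home server "rsa-am", address 192.0.2.10 and shared secret are placeholders. Unlike the sketch in the reply, it rejects users whose password does not end in six digits, and it copies the regex captures into Tmp-String attributes before calling any module, because %{1}/%{2} only survive until the next regex evaluation. The ordering is the security-relevant part: proxying happens after authorize {} returns, so whatever is in &request:User-Password at that point is what the RSA server receives. If the tokencode is not the last value written there, the user's LDAP password is sent to RSA and the second factor is never checked. This only works for PAP; CHAP/MS-CHAP requests carry no cleartext password to split.

```unlang
#  sites-enabled/default, authorize {} section (FreeRADIUS 3.x unlang).
#  Example config, not from the thread; realm, home server, address and
#  secret below are placeholders.

authorize {
    filter_username
    preprocess

    #  Only PAP requests carry a cleartext User-Password we can split.
    if (!&User-Password) {
        reject
    }

    #  Password part first (greedy), then exactly six token digits.
    #  A static password that itself ends in digits still splits
    #  correctly, because the token is fixed-length.
    if (&User-Password =~ /^(.+)([0-9]{6})$/) {
        #  Save both captures: %{1}/%{2} are replaced by the next regex
        #  evaluated anywhere in this request, so copy them first.
        update request {
            &Tmp-String-0 := "%{1}"   # static (LDAP) password part
            &Tmp-String-1 := "%{2}"   # SecurID tokencode
        }

        #  First factor: check the static password against LDAP.
        #  ldap reads the "known good" password into the control list,
        #  pap.authenticate compares it; a failure rejects the request.
        update request {
            &User-Password := "%{Tmp-String-0}"
        }
        ldap
        pap.authenticate

        #  Second factor: send only the tokencode to RSA.  Proxying
        #  happens after authorize {} returns, so this must be the last
        #  write to &request:User-Password.  The temporaries are deleted
        #  so the static password is not proxied as an attribute either.
        update request {
            &User-Password := "%{Tmp-String-1}"
            &Tmp-String-0 !* ANY
            &Tmp-String-1 !* ANY
        }
        update control {
            &Proxy-To-Realm := "securid"
        }
    }
    else {
        #  No tokencode suffix: no second factor, so reject.
        reject
    }
}

#  proxy.conf: the realm that Proxy-To-Realm above refers to.
#  Placeholders: replace address and secret.
home_server rsa-am {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = changeme
}

home_server_pool securid {
    type        = fail-over
    home_server = rsa-am
}

realm securid {
    auth_pool = securid
    nostrip
}
```

An Access-Challenge from the RSA server (for example, when the token is in next-token mode) is relayed back to the NAS by the proxy as-is; the NAS then sends the reply in a new Access-Request, which goes through this same authorize {} section, so the user must again supply the static password in front of the next tokencode.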