On 07.12.2012 21:32, Peter Lambrechtsen wrote:
You shouldn't need your second LDAP in the post-auth section as per (0) ldap : expand: '%{Stripped-User-Name}' -> '' (0) ldap : ... expanding second conditional (0) ldap : escape: 'olivier.beytriso' -> 'olivier.beytriso' (0) ldap : expand: '%{User-Name}' -> 'olivier.beytriso' (0) ldap : expand: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' -> '(uid=olivier.beytriso)' (0) ldap : expand: 'ou=people,o=hes-so' -> 'ou=people,o=hes-so' rlm_ldap (ldap): Reserved connection (4) (0) ldap : Performing search in 'ou=people,o=hes-so' with filter '(uid=olivier.beytriso)' (0) ldap : User found at DN "cn=31935762,ou=courant,ou=people,o=hes-so" (0) ldap : Added the eDirectory password XXXXXXXXXX in check items as Cleartext-Password
Yay!.. That's what the eDir code is all about :)
Yep, password auto-magically retrieved in clear-text
Starting here
(0) group post-auth { (0) - entering group post-auth {...} rlm_ldap (ldap): Reserved connection (4) (0) ldap : Login attempt by "olivier.beytriso" with password "XXXXXXXXXX" (0) ldap : Bind as user "cn=31935762,ou=courant,ou=people,o=hes-so" was successful rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok
And here, since you've already checked your chap password against the eDir password by sucking it cleartext over ssl out via Universal Password you don't need to double check it :)
The goal here is not to check if the password is valid. With universal password, wi know it is valid. We check here if the user is allowed to log in. If his account is locked, the bind fail. If the password is expired, it will consume the loginGrace, until it reaches 0, and the bind will also fail. So it's really about checking the account policy of eDirectory Though the comments in debug could be more specific I admit. Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org