On Sat, Dec 8, 2012 at 9:39 AM, Olivier Beytrison <olivier@heliosnet.org>wrote:
And here, since you've already checked your chap password against the eDir password by sucking it cleartext over ssl out via Universal Password you don't need to double check it :)
The goal here is not to check if the password is valid. With universal password, wi know it is valid. We check here if the user is allowed to log in. If his account is locked, the bind fail. If the password is expired, it will consume the loginGrace, until it reaches 0, and the bind will also fail. So it's really about checking the account policy of eDirectory
Though the comments in debug could be more specific I admit.
Ahh fair enough, we map the loginDisabled and expirationDate to dummy VSAs and check it in FreeRadius rather than passing that back as part of a bind to LDAP. Helps save ~30ms from the Auth time, and with ~1mil subs in the LDAP database, that's time worth saving. Thanks for doing the work to add eDir support back in again. It "was" going to be one of our major stumbling blocks in moving to FR3. I'll work over this downtime coming up to christmas to write a script to enable others to perform functional tests against eDir, since all you really need is to download the software, and load up one LDIF with some test users & a universal password policy to test the functionality.
Olivier --
Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html