On Sat, Dec 8, 2012 at 9:39 AM, Olivier Beytrison
<olivier@heliosnet.org> wrote:
> And here, since you've already checked your chap password against the
> eDir password by sucking it cleartext over ssl out via Universal
> Password you don't need to double check it :)
The goal here is not to check if the password is valid. With universal
password, wi know it is valid. We check here if the user is allowed to
log in. If his account is locked, the bind fail. If the password is
expired, it will consume the loginGrace, until it reaches 0, and the
bind will also fail. So it's really about checking the account policy of
eDirectory
Though the comments in debug could be more specific I admit.
Ahh fair enough, we map the loginDisabled and expirationDate to dummy VSAs and check it in FreeRadius rather than passing that back as part of a bind to LDAP. Helps save ~30ms from the Auth time, and with ~1mil subs in the LDAP database, that's time worth saving.
Thanks for doing the work to add eDir support back in again. It "was" going to be one of our major stumbling blocks in moving to FR3.
I'll work over this downtime coming up to christmas to write a script to enable others to perform functional tests against eDir, since all you really need is to download the software, and load up one LDIF with some test users & a universal password policy to test the functionality.
Olivier