On Fri, Mar 11, 2011 at 06:13:45PM -0300, Herbert Fischer wrote:
This module will do OTP two way authentication. It will extract part of the password (ex.: latest 6 digits) to verify and the remaining "password" will be returned to Freeradius to test against another module (LDAP for example). ... What do you suggest? Is there any other way to do this two way authentication without needing to develop a module for it?
Have you looked in the src/modules directory? And you've seen that there's src/modules/rlm_otp already? If that does the OTP part in the way you need, then splitting the password into two is easy. if (User-Password =~ /^(......)(.*)$/) { update request { # The OTP password for rlm_otp to check User-Password = "%{1}" # The remainder to check against mysql or ldap Tmp-String-0 = "%{2}" } } ... continue See "man unlang" for the details. This won't work for CHAP-Challenge/CHAP-Password, obviously - only PAP. (rlm_otp appears to be undocumented, so if you want to update http://wiki.freeradius.org/Rlm_otp as you work with it, that would be a useful contribution) Otherwise, to make a completely custom module which links against an existing C library, you can start with rlm_example and borrow logic from other modules as required. But you're right, it's tricky to do properly. If that were necessary, I'd say you'd be better off using rlm_perl or rlm_python and writing the logic there. Regards, Brian.