Request about implementation of alternate authentication mechanism in freeradius
Dear all We are going to append binary code to some ldap modules - the goal is to enable ldap to use "alternate passwords" for some ldap entries. Means, every app using ldap bind will can use "alternate passwords" to verify the user access. Useful for the environment of mobile devices etc. My question is - does the freeradius team think about the implementation of this feature to the official freeradius binary code? Best regards Michal -- Michal Vymazal work: CESNET, z.s.p.o. Czech NREN operator AAI Department Zikova 4, 160 00 Praha 6 Czech Republic http://www.cesnet.cz/
On 29 Apr 2014, at 13:44, Michal Vymazal <Michal.Vymazal@cesnet.cz> wrote:
Dear all
We are going to append binary code to some ldap modules
Guessing you mean patching the src, rather than going in their with a hex editor...
- the goal is to enable ldap to use "alternate passwords" for some ldap entries. Means, every app using ldap bind will can use "alternate passwords" to verify the user access. Useful for the environment of mobile devices etc.
I'm not sure what you mean by this? Surely the attribute for LDAP bind is determined by the LDAP server not FreeRADIUS? If you mean retrieving the values of multiple passwords attributes you can already do that in 2.x.x and 3.x.x?
My question is - does the freeradius team think about the implementation of this feature to the official freeradius binary code?
Maybe if you can explain it a bit better. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 29 Apr 2014, at 14:15, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 29 Apr 2014, at 13:44, Michal Vymazal <Michal.Vymazal@cesnet.cz> wrote:
Dear all
We are going to append binary code to some ldap modules
Guessing you mean patching the src, rather than going in their with a hex editor...
*there even. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Of course src :-) We will prepare a "light" technical documentation of this issue and I will post the document URL to this mailing list. Michal Dne 29.4.2014 15:15, Arran Cudbard-Bell napsal(a):
On 29 Apr 2014, at 13:44, Michal Vymazal <Michal.Vymazal@cesnet.cz> wrote:
Dear all
We are going to append binary code to some ldap modules
Guessing you mean patching the src, rather than going in their with a hex editor...
- the goal is to enable ldap to use "alternate passwords" for some ldap entries. Means, every app using ldap bind will can use "alternate passwords" to verify the user access. Useful for the environment of mobile devices etc.
I'm not sure what you mean by this?
Surely the attribute for LDAP bind is determined by the LDAP server not FreeRADIUS?
If you mean retrieving the values of multiple passwords attributes you can already do that in 2.x.x and 3.x.x?
My question is - does the freeradius team think about the implementation of this feature to the official freeradius binary code?
Maybe if you can explain it a bit better.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Michal Vymazal work: CESNET, z.s.p.o. AAI Department Zikova 4, 160 00 Praha 6 Czech Republic http://www.cesnet.cz/
On Tue, Apr 29, 2014 at 02:44:12PM +0200, Michal Vymazal wrote:
We are going to append binary code to some ldap modules - the goal is to enable ldap to use "alternate passwords" for some ldap entries. Means, every app using ldap bind will can use "alternate passwords" to verify the user access. Useful for the environment of mobile devices etc.
This is difficult to understand, but sounds like you want to just use two instances of ldap, checking different LDAP password attributes, with failover? In which case, no code changes required. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
No exactly. We want to enable to ldap to use more than one password for one service. Means - hash no. 1 not match - ldap will try the hash no. 2 etc. Michal Dne 29.4.2014 16:02, Matthew Newton napsal(a):
On Tue, Apr 29, 2014 at 02:44:12PM +0200, Michal Vymazal wrote:
We are going to append binary code to some ldap modules - the goal is to enable ldap to use "alternate passwords" for some ldap entries. Means, every app using ldap bind will can use "alternate passwords" to verify the user access. Useful for the environment of mobile devices etc.
This is difficult to understand, but sounds like you want to just use two instances of ldap, checking different LDAP password attributes, with failover? In which case, no code changes required.
Matthew
-- Michal Vymazal work: CESNET, z.s.p.o. AAI Department Zikova 4, 160 00 Praha 6 Czech Republic http://www.cesnet.cz/
Michal Vymazal wrote:
No exactly. We want to enable to ldap to use more than one password for one service.
Means - hash no. 1 not match - ldap will try the hash no. 2 etc.
That's a terrible design. It's slow and fragile. You should instead choose the password based on the server. If service is X, password is in OID X, etc. Alan DeKok.
On Tue, Apr 29, 2014 at 04:08:09PM +0200, Michal Vymazal wrote:
No exactly. We want to enable to ldap to use more than one password for one service.
Means - hash no. 1 not match - ldap will try the hash no. 2 etc.
So you configure one ldap instance (say, "ldap1") to do the first hash check, and a second ldap instance ("ldap2") to check the second hash, then do redundant { ldap1 ldap2 } so if the first check fails, the second one is tried? As on http://wiki.freeradius.org/config/Fail%20over Unless I'm missing something, I don't understand yet why this needs additional code. Although ldap is a lookup database not really an auth mechanism, so you might do two lookups, then call pap in a redundant section, for example. But the theory is the same. Matthew
Dne 29.4.2014 16:02, Matthew Newton napsal(a):
On Tue, Apr 29, 2014 at 02:44:12PM +0200, Michal Vymazal wrote:
We are going to append binary code to some ldap modules - the goal is to enable ldap to use "alternate passwords" for some ldap entries. Means, every app using ldap bind will can use "alternate passwords" to verify the user access. Useful for the environment of mobile devices etc.
This is difficult to understand, but sounds like you want to just use two instances of ldap, checking different LDAP password attributes, with failover? In which case, no code changes required.
Matthew
-- Michal Vymazal work: CESNET, z.s.p.o. AAI Department Zikova 4, 160 00 Praha 6 Czech Republic http://www.cesnet.cz/
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 04/29/2014 04:25 PM, Matthew Newton wrote:
Unless I'm missing something, I don't understand yet why this needs additional code. Although ldap is a lookup database not really an auth mechanism, so you might do two lookups, then call pap in a redundant section, for example. But the theory is the same.
I had a simillar case. It wasn't about auth attributes though. But the customer explicity required to lookup ldap subtree, and avoid multiple ldap queries. The catch is, ldap schema changes may require downtime or significant load, and in production... well, people prefer sleep over work at night:) Think reduced load on ldap server was less important, but it's nice side effect. I have patch for 2.2 somewhere. Interested in code anyone? Regards...
Two ldap servers is another idea, not usable in our case. What we need in the freeradius case is more than one password in the password_attribute = „radiusPassword“ Michal Dne 29.4.2014 16:25, Matthew Newton napsal(a):
On Tue, Apr 29, 2014 at 04:08:09PM +0200, Michal Vymazal wrote:
No exactly. We want to enable to ldap to use more than one password for one service.
Means - hash no. 1 not match - ldap will try the hash no. 2 etc.
So you configure one ldap instance (say, "ldap1") to do the first hash check, and a second ldap instance ("ldap2") to check the second hash, then do
redundant { ldap1 ldap2 }
so if the first check fails, the second one is tried?
As on http://wiki.freeradius.org/config/Fail%20over
Unless I'm missing something, I don't understand yet why this needs additional code. Although ldap is a lookup database not really an auth mechanism, so you might do two lookups, then call pap in a redundant section, for example. But the theory is the same.
Matthew
Dne 29.4.2014 16:02, Matthew Newton napsal(a):
On Tue, Apr 29, 2014 at 02:44:12PM +0200, Michal Vymazal wrote:
We are going to append binary code to some ldap modules - the goal is to enable ldap to use "alternate passwords" for some ldap entries. Means, every app using ldap bind will can use "alternate passwords" to verify the user access. Useful for the environment of mobile devices etc.
This is difficult to understand, but sounds like you want to just use two instances of ldap, checking different LDAP password attributes, with failover? In which case, no code changes required.
Matthew
-- Michal Vymazal work: CESNET, z.s.p.o. AAI Department Zikova 4, 160 00 Praha 6 Czech Republic http://www.cesnet.cz/
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Michal Vymazal work: CESNET, z.s.p.o. AAI Department Zikova 4, 160 00 Praha 6 Czech Republic http://www.cesnet.cz/
On 30 Apr 2014, at 09:21, Michal Vymazal <Michal.Vymazal@cesnet.cz> wrote:
Two ldap servers is another idea, not usable in our case.
What we need in the freeradius case is more than one password in the
password_attribute = „radiusPassword“
Then no, the code won't be merged back. You can already achieve what you want to do in v2.x.x by mapping the multiple LDAP attributes to Password-With-Header in the attrmap file. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Josip Almasi -
Matthew Newton -
Michal Vymazal