Michael Ströder wrote:
Arran Cudbard-Bell wrote:
Any progress on the testing?
I'll have to remove the code unless it's confirmed to be working.
I was pretty busy during the last days. Please give me two more days.
I'm testing git v3.1.x 36e1b02e926df5cd75d4d548694401535c607ca9. I'm simply using PAP with hashed passwords in LDAP attribute 'userPassword' (EAP-TTLS with PAP in real life, simple PAP here). Good, the search requests (conn=1044) contain the Session Tracking Control (OpenLDAP logs): 2015-06-29T10:47:05.316040+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH base="cn=radiusd,ou=services,dc=stroeder,dc=local" scope=2 deref=0 filter="(uid=michael-homelan)" 2015-06-29T10:47:05.316051+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH attr=userPassword radiusControlAttribute radiusRequestAttribute radiusReplyAttribute 2015-06-29T10:47:05.316244+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SEARCH RESULT tag=101 err=0 nentries=1 text= It seems an additional LDAP connection conn=1045 is opened: 2015-06-29T10:47:05.317153+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 fd=23 ACCEPT from IP=127.0.0.1:53074 (IP=0.0.0.0:1390) 2015-06-29T10:47:05.317219+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 BIND dn="uid=radiusd,ou=sys,dc=stroeder,dc=local" method=128 2015-06-29T10:47:05.324982+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 BIND dn="uid=radiusd,ou=sys,dc=stroeder,dc=local" mech=SIMPLE ssf=0 2015-06-29T10:47:05.325582+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 RESULT tag=97 err=0 text= But now for checking the password there is no Session Tracking Control sent along with the bind request (conn=1044, err=49 is ok because I deliberately used a wrong password): 2015-06-29T10:47:05.325647+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=2 BIND anonymous mech=implicit ssf=0 2015-06-29T10:47:05.325697+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=2 BIND dn="uid=michael-homelan,cn=radiusd,ou=services,dc=stroeder,dc=local" method=128 2015-06-29T10:47:05.330285+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=2 RESULT tag=97 err=49 text= But especially the client's IP address is interesting when looking for password brute-force attacks hence the Session Tracking control should also be sent along with the bind request. Ciao, Michael.