Hi, regarding the LDAP-password change (question in my initial mail) I managed to create this configuration: authorize { filter_username preprocess # empty password which triggers password-change if (User-Password =~ /^$/ && !State) { update reply { Reply-Message := "Old Password: " # Setting the Prompt via radius did not work here, instead this had to be configured on the Cisco-Router # radius-server challenge-noecho Prompt := No-Echo } update session-state { Tmp-String-0 := "Old-Password-Phase" } challenge } # password-change, query for new password elsif (&session-state:Tmp-String-0 && &session-state:Tmp-String-0 =~ /^Old-Password-Phase$/ && State) { ldap pap pap.authenticate update reply { Reply-Message := "New Password: " Prompt := No-Echo } update session-state { Tmp-String-0 := "New-Password-Phase-1" } challenge } # password-change, query for new password again elsif (&session-state:Tmp-String-0 && &session-state:Tmp-String-0 =~ /^New-Password-Phase-1$/ && State) { update reply { Reply-Message := "New Password (repeat): " Prompt := No-Echo } update session-state { Tmp-String-1 := User-Password Tmp-String-0 := "New-Password-Phase-2" } challenge } # compare both and write it to LDAP elsif (&session-state:Tmp-String-0 && &session-state:Tmp-String-0 =~ /^New-Password-Phase-2$/ && State) { if(User-Password != &session-state:Tmp-String-1) { update reply { Reply-Message := "Passwords do not match.\n" } reject } # Call a script that finally writes the new password to LDAP (tbd) perl } else { ldap pap } } Which creates these prompts on a Cisco-router: root@dn-aaa-rad1:~# ssh user@cisco-router Password: Old Password: New Password: New Password (repeat): This should work but wouldn't it be a good idea to give the freeradius ldap module a method to change the password so that there is just one program talking to the LDAP? Best wishes Michael Gesendet: Dienstag, 04. Dezember 2018 um 13:43 Uhr Von: "Alan DeKok" <aland@deployingradius.com> An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode On Dec 4, 2018, at 7:37 AM, michael böhm <ksk2@gmx.net> wrote:
Is my elsif(State ...)-statement a robust way to check if this packet belongs to a challenge-response of this exact user?
It's: a) the user specified in the User-Name, and b) a response to a previous Access-Challenge.
I want to avoid situations where a user might be able to authenticate with just a Token and no password.
Unless the user controls the RADIUS client, they can't generate an Access-Request that contains a State attribute.
We are testing the configuration now. Thank you very much for your help!
You're welcome. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html