Configured as follows: One freeradius is configured like this: https://wiki.freeradius.org/guide/2FA-A ... plus-Proxy The second freeradius is configured as follows: https://www.linotp.org/howtos/howto-radius.html That is, the idea is first go for the username /password in LDAP, then get a temporary password and check it The problem is that it doesn't work: Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswordOTP] In other words, passwords are glued together. I don 't understand how to configure it
The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this:
if (User-Password =~ /^(......)(.*)$/) { update request { User-Password := "%{2}" OTP-Password := "%{1}" } }
You will need to edit raddb/dictionary in order to define OTP-Password.
12 марта 2020 г., в 11:05, Клеусов Владимир Сергеевич <Kleusov.Vladimir@wildberries.ru> написал(а):
Thanks. In which file do I need to separate the LDAP and OTP password ? How do I edit a dictionary ?
11 марта 2020 г., в 23:42, Alan DeKok <aland@deployingradius.com> написал(а):
On Mar 11, 2020, at 10:31 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
In freeradius logs, this is ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287 First the request for a normal password and then the otp 2217287 What's wrong ?
The user entered the password followed by the OTP, all as one field. Then, you configured FreeRADIUS to send all that to LDAP.
The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this:
if (User-Password =~ /^(......)(.*)$/) { update request { User-Password := "%{2}" OTP-Password := "%{1}" } }
You will need to edit raddb/dictionary in order to define OTP-Password.
This lets you use User-Password as normal to connect to LDAP, and authenticate the user.
You can then check OTP-Password however you want.
Alan DeKok.