Theparanoidone Theparanoidone wrote:
We are working on a patch.
Good, thanks.
We're of the opinion that Apple's version rlm_mschap / opendir included with freeradius is missing something.
It appears they were only considering someone entering a failed login/password combo... not a user with a password reset or an expired password. Here is the line from opendir.c:
Pretty much, yes. Expired passwords, or password resets are "failed logins", just like incorrect passwords.
====== if (status != eDSNoErr) { errno = EACCES; radlog(L_ERR, "rlm_mschap: authentication failed %d", status); /* <-- returns -14091 (eDSAuthMethodNotSupported) -14090 */ return RLM_MODULE_REJECT; } ======
The comment provided makes it seem like they only expected error -14090...
So? It's a comment. It doesn't affect the way that the code operates.
-14090: eDSAuthFailed 0: eDSNoErr
But what about?
-14161: eDSAuthNewPasswordRequired -14162: eDSAuthPasswordExpired
They all fall into the same class: failed authentication.
Possible solutions: --------------------------- Solution 1) Edit the opendir.c module to simple detect error status -14161 and -14162... and simply set the status to 0 instead.
Absolutely not. Expired passwords are *not* OK.
Solution 2) Try and rig up something in Post-Auth-Type REJECT {...} to override the failed login and force the response to Auth-Accept. Perhaps, some pseudo conf code that says if reject-message == -14162 || reject-message == -14161 ... then "ok update auth-type := accept
No. That's just as bad.
(PS... looks like this has been an issue for awhile??? we are new to freeradius... but I found your post here: http://www.opensubscriber.com/message/freeradius-devel@lists.freeradius.org/... from 3 years ago ... are we the only few interested in port security and a password policy?)
Nonsense. That is not a good conclusion. The real reason is that very few people do password changes via MS-CHAP. Most people do it via Active Directory, LDAP, web pages, etc. Alan DeKok.