On Dec 3, 2018, at 8:00 AM, michael böhm <ksk2@gmx.net> wrote:
we've decided to use the Radius-interface of the SecurID-server and not the proprietary protocol.
OK.
Now I need unlang to make the access decision:
LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) = ACCEPT to NAS
I tried it like that in the authorize-section but it did not work:
See the FAQ for "it doesn't work".
filter_username preprocess
# %{1} = ldap-password # %{2} = Token
if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{2}" } update control { Proxy-To-Realm := "securid" }
update request { User-Password := "%{1}" }
ldap }
pap
The proxying itself is working fine but not the correlation of the two results.
What does that mean?
Could you please give me a minimal example of how to create this and-logic in unlang?
My $0.02 is to check the users password *first*, and then proxy to RSA if it passed. if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password := "%{2}" } # get the "known good" password from LDAP ldap # check the users password # if this fails, the user will be automatically rejected pap.authenticate update control { Proxy-To-Realm := "securid" } update request { User-Password := "%{1}" } } else { ... do stuff for non-RSA users ... } Alan DeKok.