On 25/6/09 12:01, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
I leave you guys alone for 5 minutes....
8-) as i said, theres probably a way of doing it
:P Granted, was trickier than it first appeared. After a brief discussion with Ivan, looks like this should work (he pointed out the security hole with not checking for a null old password)... instantiate { sql_old } authorize { # Retrieves credentials sql_new # Sets auth-type mschap mschap } authenticate { Auth-Type MS-CHAP { mschap { reject = 2 } if(reject){ # Could alternatively write the value of a custom attribute into Cleartext-password # if both old and new passwords were returned in the call to sql* in authorize. update control { Cleartext-Password := "%{sql_old:SELECT<cleartext password query...>}" } # Stop users logging in with null password (if there's no 'old' password set) if("%{control:Cleartext-Password}" == ''){ reject } # Remove stale password hashes created on first call to rlm_mschap update control { NT-Password -= "%{control:NT-Password}" LM-Password -= "%{control:LM-Password}" } mschap } } Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2