On Jun 6, 2017, at 9:12 AM, Bjørn Mork <bjorn@mork.no> wrote:
I recently upgraded from FR 2.2.5 to FR 3.0.12 as part of an upgrade from Debian jessie to stretch. The config had to be migrated manually, which went mostly without problems.
That's good.
I use the unix module to load crypt passwords for a few system users. But there are also some unix users without any Unix password, which should exist as RADIUS users. "no Unix password" means that the users have a /etc/shadow entry which cannot be matched. So I need to ignore the Crypt-Password attribute for these users.
i.e. they have a password, but it's wrong?
In FR 2.x I explicitly set the Auth-Type to foribly ignore the invalid Crypt-Password, like this:
luser Cleartext-Password := "foo", Auth-Type := Local
But FR 3.x refused to accept Auth-Type "Local". So I tried to modify the entry to
luser Cleartext-Password := "foo"
in the hope that the pap module would be smart enough to figure out that the Cleartext-Password should override the invalid Crypt-Password. It was not.
Being unable to figure out the smart way, I just took the simple route out by doing
luser User-Password == "foo", Auth-Type := Accept
Don't do that...
so I'd really like to figure out a better way. Is there a smart way to override a Crypt-Password per user in FR 3.x? I guess I could generate crypted passwords from the cleartext passwords and simply override Crypt-Password in the users file. But that does not seem much nicer than the current User-Password match to me. What I really want is to be able to say "use this Cleartext-Password no matter what".
You can use "unlang" to check and edit the request: authorize { ... files ... if (Crypt-Password && Cleartext-Password) { update request { Crypt-Password !* ANY } } pap } Which should delete the Crypt-Password. See "man unlang" for more details. Alan DeKok.