Re: Old password 'grace period'
On 25/6/09 13:11, Ivan Kalik wrote:
I have tested something like this yesterday - it doesn't. You can't just replace Cleartext-Password. NT-Password and LM-Passowrd were created for the "new" password and mschap module will reuse them, completely ignoring "old" Cleartext-Password. They need to be removed or replaced before mschap module is called again. Writes the NT-Password and LM-Password values back to the control list of the request.
But seeing as the values are just being stored in the control list of the request, we can remove them using unlang.
authenticate { mschap {
Just for the readers of the list - the section is Auth-Type MS-CHAP not mschap.
Oops, yep Auth-Type MS-CHAP.
update control { Cleartext-Password := "%{sql_new:SELECT<cleartext password query...>}" } mschap { reject = 2 }
Ah, so that's how you make if work.
Yep. Otherwise reject has a priority/opcode of reject, and the request is rejected ;)
if(reject){ update control { NT-Password -= "%{control:NT-Password}" LM-Password -= "%{control:LM-Password}"
Yes, I had that lined up, but couldn't get if to work.
Cleartext-Password := "%{sql_old:SELECT<cleartext password query...>}" } mschap } } }
Ok, pap failover done this way now works. I can't test mschap from where I am right now but I don't see a problem any more. My construction is slightly different - I read only replacement password from sql assuming that the usual one is pulled by regular sql queries (my scenario has Cleartext-Password and custom attribute Old-Password both in same radcheck table).
That should work fine too. So you can just swap out the first update control { Cleartext-Password .... } bit for a call to the SQL module. Though you'd probably want to put it in the authorise section... So it'd be something like : instantiate { sql_old } authorize { # Retrieves credentials sql_new # Sets auth-type mschap mschap } authenticate { Auth-Type MS-CHAP { mschap { reject = 2 } if(reject){ # Remove stale password hashes created on first call to rlm_mschap update control { NT-Password -= "%{control:NT-Password}" LM-Password -= "%{control:LM-Password}" Cleartext-Password := "%{sql_old:SELECT<cleartext password query...>}" } mschap } } } Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
participants (1)
-
Arran Cudbard-Bell