eDir Universal password implementation.

Olivier Beytrison olivier at heliosnet.org
Fri Dec 7 14:03:59 CET 2012


I've been working this morning in bringing back the eDirectory Universal
Password feature into the new rlm_ldap module.

I'm only talking about Universal Password, not the NMAS two-factor auth,
as this is something we don't have here so there's no way for me to test.

What has been done and is working:
- reformatting edir_ldapext.c for the universal password code into a new
file, some code cleanup
- implementing the "edir=yes/no" option for rlm_ldap
- retrieving the password in ldap_authorize and adding the corresponding
Cleartext-Password attribute

Actually I can successfully connect using an eDir account with pap/.

What has to be done, and where I need some hints:
- Now that we have the Cleartext-Password, we're not going into
ldap_authenticate anymore. In the past, with Auth-Type=LDAP, it was
possible, but setting Auth-Type=LDAP triggers a module_fail after the
rewrite. In order to enforce eDir account policy, we have to bind to the
LDAP server. How would you recommend I implement it?
- add the IFDEF NOVELL around the added code (I can do it, that's ok)
- adapt the Makefile in order to compile edir_upwd.c only if configure
has --with-edir (need help on that point)
- return an error in the debug output if the universal password is not found, but
do not fail the module (or should I?)

Initial commit in my fork is visible here:

Btw, it has been some years since the last time I wrote C. Be gentle and
advise; I'll try to make it as clean as possible. Any advice is welcome!


 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: olivier at heliosnet.org