eDir Universal password implementation.
Alan DeKok
aland at deployingradius.com
Fri Dec 7 14:21:22 CET 2012
Olivier Beytrison wrote:
> I've been working this morning on bringing back the eDirectory Universal
> Password feature into the new rlm_ldap module.
That's great. I don't like removing functionality. But if I can't
test it, I can't use it.
> I'm only talking about Universal Password, not the NMAS two-factor auth,
> as this is something we don't have here so there's no way for me to test.
OK.
> What has been done and is working:
> - reformatting edir_ldapext.c for the universal password code into a new
> file, some code cleanup
Nice. I'm picky on formatting, though. But that's an easy fix.
> - implementing the "edir=yes/no" options for rlm_ldap
> - retrieve the password in ldap_authorize and add the corresponding
> Cleartext-Password attribute
That's good. I have minor issues with build options (WITH_EDIR,
etc.), so that people *without* it can still use rlm_ldap. But that's
also an easy fix.
> Actually I can successfully connect using an eDir account with pap/.
Good.
> What has to be done, and where I need some hints:
> - Now that we have the cleartext-password, we're not going into
> ldap_authenticate anymore. In the past with Auth-Type=LDAP it was
> possible, but setting Auth-Type=LDAP triggers a module_fail after the
> rewrite.
What does that mean?
> In order to enforce eDir account policy, we have to bind to the
> LDAP server. How would you recommend I implement it?
Re-use the existing LDAP bind code. The old module re-implemented
LDAP connections, for no good reason I could see. The new module can
re-use (or not) LDAP connections.
> - add the IFDEF NOVELL around the added code (I can do it, that's OK)
That's easy to do.
> - adapt the Makefile in order to compile edir_upwd.c only if configure
> has --with-edir (need help on that point)
That's easy to do.
> - return an error in the debug if universal password is not found, but
> do not fail the module (or should I ?)
It should return a NOOP.
> Initial commit in my fork is visible here :
> https://github.com/olivierbeytrison/freeradius-server/commits/rlm_ldap_add_eDir_upwd_support
>
> Btw, it has been some years since the last time I wrote C. Be gentle and
> advise, I'll try to make it as clean as possible. Any advice is welcome!
If it works, and isn't horrid, it's good.
Alan DeKok.
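The flow the two of them are converging on (authorize fetches the universal password and exposes it as Cleartext-Password, returns NOOP when there is none, and authenticate still binds as the user so the directory enforces its own account policy) is shown below as an added example. It is not FreeRADIUS or rlm_ldap code: the in-memory "directory", the account flags, and the names edir_authorize(), edir_authenticate(), pap_compare_only() and handle_request() are all assumptions standing in for an eDirectory server and the module's real API. In the real module the bind would be an LDAP simple bind with the user's DN and User-Password on one of rlm_ldap's existing connections, as Alan suggests.

```c
/* Added example, not rlm_ldap code.  Models the authorize/authenticate
 * split discussed in the thread against a constructed in-memory
 * directory that stands in for eDirectory. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Module return codes with the same meaning as FreeRADIUS's rcodes. */
typedef enum { RC_NOOP, RC_OK, RC_REJECT } rcode_t;

/* Constructed account record (assumption): the universal password may be
 * absent, and eDir account policy is reduced to two flags. */
struct edir_account {
    const char *dn;
    const char *universal_password; /* NULL when none is set or readable */
    int login_disabled;
    int locked_by_intruder;
};

static const struct edir_account directory[] = {
    { "cn=alice,o=example", "s3cret-alice", 0, 0 },
    { "cn=bob,o=example",   NULL,           0, 0 }, /* no universal password */
    { "cn=carol,o=example", "s3cret-carol", 1, 0 }, /* login disabled */
    { "cn=dave,o=example",  "s3cret-dave",  0, 1 }, /* intruder lockout */
};

static const struct edir_account *find_account(const char *dn)
{
    size_t i;
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++) {
        if (strcmp(directory[i].dn, dn) == 0) return &directory[i];
    }
    return NULL;
}

/* Stand-in for the server side of an LDAP simple bind: the directory
 * refuses a disabled or intruder-locked account even with the right
 * password, which is exactly the policy a local compare cannot see. */
static int directory_bind(const char *dn, const char *password)
{
    const struct edir_account *a = find_account(dn);
    if (!a || !a->universal_password) return -1;
    if (strcmp(a->universal_password, password) != 0) return -1;
    if (a->login_disabled || a->locked_by_intruder) return -1;
    return 0;
}

/* authorize: copy the universal password into Cleartext-Password.
 * No password -> log it and return NOOP so other modules can still run. */
rcode_t edir_authorize(const char *dn, char *cleartext, size_t len)
{
    const struct edir_account *a = find_account(dn);
    if (!a || !a->universal_password) {
        fprintf(stderr, "edir: no universal password for %s, skipping\n", dn);
        return RC_NOOP;
    }
    snprintf(cleartext, len, "%s", a->universal_password);
    return RC_OK;
}

/* What PAP alone gives you once Cleartext-Password is set: a string
 * compare, blind to the account's policy state. */
rcode_t pap_compare_only(const char *dn, const char *user_password)
{
    char cleartext[64];
    if (edir_authorize(dn, cleartext, sizeof cleartext) != RC_OK) return RC_NOOP;
    return strcmp(cleartext, user_password) == 0 ? RC_OK : RC_REJECT;
}

/* authenticate: bind as the user so the directory applies its policy. */
rcode_t edir_authenticate(const char *dn, const char *user_password)
{
    return directory_bind(dn, user_password) == 0 ? RC_OK : RC_REJECT;
}

/* Full request: local compare first, then the policy-enforcing bind. */
rcode_t handle_request(const char *dn, const char *user_password)
{
    rcode_t rc = pap_compare_only(dn, user_password);
    if (rc != RC_OK) return rc;
    return edir_authenticate(dn, user_password);
}

int main(void)
{
    static const char *names[] = { "NOOP", "OK", "REJECT" };
    printf("alice: %s\n", names[handle_request("cn=alice,o=example", "s3cret-alice")]);
    printf("bob:   %s\n", names[handle_request("cn=bob,o=example", "whatever")]);
    printf("carol (compare only): %s\n",
           names[pap_compare_only("cn=carol,o=example", "s3cret-carol")]);
    printf("carol (with bind):    %s\n",
           names[handle_request("cn=carol,o=example", "s3cret-carol")]);
    printf("dave:  %s\n", names[handle_request("cn=dave,o=example", "s3cret-dave")]);
    return 0;
}
```

The contrast between pap_compare_only() and handle_request() for carol and dave is the reason the bind cannot be dropped once Cleartext-Password is available: the password is correct in both cases, and only the bind lets the directory say no.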