eDir Universal password implementation.
aland at deployingradius.com
Fri Dec 7 14:21:22 CET 2012
Olivier Beytrison wrote:
> I've been working this morning in bringing back the eDirectory Universal
> Password feature into the new rlm_ldap module.
That's great. I don't like removing functionality. But if I can't
test it, I can't use it.
> I'm only talking about Universal Password, not the NMAS two-factor auth,
> as this is something we don't have here so there's no way for me to test.
> What have been done and is working :
> - reformatting edir_ldapext.c for the universal password code into a new
> file, some code cleanup
Nice. I'm picky on formatting, though. But that's an easy fix.
> - implementing the "edir=yes/no" options for rlm_ldap
> - retrieve the password in ldap_authorize and add the corresponding
> Cleartext-Password attribute
That's good. I have minor issues with build options (WITH_EDIR,
etc.), so that people *without* it can still use rlm_ldap. But that's
also an easy fix.
> Actually I can successfully connect using an eDir account with pap/.
> What has to be done, and where I need some hints :
> - Now that we have the cleartext-password, we're not going in the
> ldap_authenticate anymore. In the past with Auth-Type=LDAP it was
> possible, but setting Auth-Type=LDAP triggers a module_fail after the
What does that mean?
> In order to enforce eDir account policy, we have to bind to the
> LDAP server. how would you recommend me to implement it ?
Re-use the existing LDAP bind code. The old module re-implemented
LDAP connections, for no good reason I could see. The new module can
re-use (or not) LDAP connections.
> - add the IFDEF NOVELL around the added code (i can do it that's ok)
That's easy to do.
> - adapt the Makefile in order to compile edir_upwd.c only if configure
> has --with-edir (need help on that point)
That's easy to do.
> - return an error in the debug if universal password is not found, but
> do not fail the module (or should I ?)
It should return a NOOP.
> Initial commit in my fork is visible here :
> Btw, it has been some years since the last time I wrote C. Be gentle and
> advise, I'll try to make it as clean as possible. Any advice are welcome !
If it works, and isn't horrid, it's good.
More information about the Freeradius-Devel