eDir Universal password implementation.
Olivier Beytrison
olivier at heliosnet.org
Fri Dec 7 21:39:41 CET 2012
On 07.12.2012 21:32, Peter Lambrechtsen wrote:
> You shouldn't need your second LDAP in the post-auth section as per
> (0) ldap : expand: '%{Stripped-User-Name}' -> ''
> (0) ldap : ... expanding second conditional
> (0) ldap : escape: 'olivier.beytriso' -> 'olivier.beytriso'
> (0) ldap : expand: '%{User-Name}' -> 'olivier.beytriso'
> (0) ldap : expand: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})'
> -> '(uid=olivier.beytriso)'
> (0) ldap : expand: 'ou=people,o=hes-so' -> 'ou=people,o=hes-so'
> rlm_ldap (ldap): Reserved connection (4)
> (0) ldap : Performing search in 'ou=people,o=hes-so' with filter
> '(uid=olivier.beytriso)'
> (0) ldap : User found at DN "cn=31935762,ou=courant,ou=people,o=hes-so"
> (0) ldap : Added the eDirectory password XXXXXXXXXX in check items as
> Cleartext-Password
>
>
> Yay!.. That's what the eDir code is all about :)
>
Yep, the password is auto-magically retrieved in clear text.
> Starting here
>
>
> (0) group post-auth {
> (0) - entering group post-auth {...}
> rlm_ldap (ldap): Reserved connection (4)
> (0) ldap : Login attempt by "olivier.beytriso" with password
> "XXXXXXXXXX"
> (0) ldap : Bind as user "cn=31935762,ou=courant,ou=people,o=hes-so" was
> successful
> rlm_ldap (ldap): Released connection (4)
> (0) [ldap] = ok
>
>
> And here, since you've already checked your chap password against the
> eDir password by sucking it cleartext over ssl out via Universal
> Password you don't need to double check it :)
The goal here is not to check whether the password is valid. With Universal
Password, we know it is valid. What we check here is whether the user is allowed to
log in. If his account is locked, the bind fails. If the password is
expired, it consumes the loginGrace until it reaches 0, and then the
bind also fails. So it's really about checking the account policy of
eDirectory.
Though I admit the comments in the debug output could be more specific.
Olivier
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: olivier at heliosnet.org
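The two-stage flow described above (password pulled from eDirectory in authorize so the normal PAP/CHAP/MS-CHAP modules can verify it, then a bind as the user in post-auth so eDirectory's own account policy decides whether the login is allowed), written out as a FreeRADIUS site configuration. This is an added illustration, not a config from the thread or from the FreeRADIUS project. It assumes an ldap module instance named `ldap` whose basedn and filter match the debug output above, that Universal Password retrieval is already switched on in that instance's own configuration (the option name depends on the FreeRADIUS version and is not shown in the thread), and that the ldap module honours a post-auth call by binding as the user, which is what the debug output shows:

```unlang
#  Illustrative site configuration (assumed layout, not from the thread).
#  Assumes mods-available/ldap has
#      basedn = "ou=people,o=hes-so"
#      filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#  and eDirectory Universal Password retrieval enabled.

authorize {
	preprocess
	chap
	mschap
	suffix

	#  Stage 1: look the user up and pull the Universal Password into
	#  the check items as Cleartext-Password.  Nothing is verified yet.
	ldap
	if (notfound) {
		#  Unknown user: nothing to authenticate against.
		reject
	}

	#  Cleartext-Password lets pap/chap/mschap all verify the client's
	#  credential locally, whatever the authentication protocol.
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
}

post-auth {
	#  Stage 2: the password already matched; now bind as the user so
	#  eDirectory applies its account policy (locked account, expired
	#  password with exhausted login grace, ...).  A failed bind turns
	#  the Access-Accept into an Access-Reject.
	ldap
	if (!ok) {
		update reply {
			Reply-Message := "Login refused by eDirectory account policy"
		}
		reject
	}

	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```

The point of keeping the second `ldap` call is that a correct password is not sufficient on its own: the authorize lookup only proves the credential matches, while the bind is the step at which eDirectory enforces lock-out and login-grace policy. Check the debug output for the "Bind as user ... was successful" line to confirm the post-auth call really is binding as the end user rather than as the module's admin identity.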