eDir Universal password implementation.

Peter Lambrechtsen peter at crypt.co.nz
Fri Dec 7 22:27:29 CET 2012


On Sat, Dec 8, 2012 at 9:39 AM, Olivier Beytrison <olivier at heliosnet.org> wrote:

> > And here, since you've already checked your chap password against the
> > eDir password by sucking it cleartext over ssl out via Universal
> > Password you don't need to double check it :)
>
> The goal here is not to check if the password is valid. With universal
> password, we know it is valid. We check here if the user is allowed to
> log in. If his account is locked, the bind fails. If the password is
> expired, it will consume the loginGrace, until it reaches 0, and the
> bind will also fail. So it's really about checking the account policy of
> eDirectory.
>
> Though the comments in debug could be more specific I admit.
>

Ahh fair enough, we map the loginDisabled and expirationDate to dummy VSAs
and check it in FreeRadius rather than passing that back as part of a bind
to LDAP.  Helps save ~30ms from the Auth time, and with ~1mil subs in the
LDAP database, that's time worth saving.

Thanks for doing the work to add eDir support back in again.  It "was"
going to be one of our major stumbling blocks in moving to FR3.

I'll work over this downtime coming up to Christmas to write a script to
enable others to perform functional tests against eDir, since all you
really need is to download the software, and load up one LDIF with some
test users & a universal password policy to test the functionality.



>
> Olivier
> --
>
>  Olivier Beytrison
>  Network & Security Engineer, HES-SO Fribourg
>  Mobile: +41 (0)78 619 73 53
>  Mail: olivier at heliosnet.org
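The approach Peter describes above (copying the eDirectory account-status attributes into local FreeRADIUS attributes during the user lookup and enforcing them in unlang, instead of learning the account state from a second bind) sketched as an added example; this is not configuration from the thread or from the FreeRADIUS project. The attribute names eDir-Login-Disabled and eDir-Login-Expiration-Time, their numbers, the use of internal attributes in place of the dummy VSAs mentioned in the mail, and the string comparison against the %D expansion are assumptions.

```unlang
# raddb/dictionary: local attributes (numbers above 255 never go on the wire).
# A VENDOR block under a private vendor id would give the same result as VSAs.
ATTRIBUTE   eDir-Login-Disabled         3000    string
ATTRIBUTE   eDir-Login-Expiration-Time  3001    string

# raddb/mods-available/ldap: fetch the eDirectory policy attributes in the same
# search that retrieves the Universal Password, so no extra bind is needed.
ldap {
        # server, identity, password, base_dn and the user section as usual
        update {
                control:Password-With-Header       += 'userPassword'
                control:eDir-Login-Disabled        := 'loginDisabled'
                control:eDir-Login-Expiration-Time := 'loginExpirationTime'
        }
}

# raddb/sites-enabled/default, authorize section: enforce the policy locally
# and reject before any authentication work is done for a blocked account.
authorize {
        ldap
        if (ok || updated) {
                # eDirectory returns the boolean as the strings TRUE / FALSE
                if (control:eDir-Login-Disabled == "TRUE") {
                        update reply {
                                Reply-Message := "Account disabled"
                        }
                        reject
                }
                # loginExpirationTime is GeneralizedTime (YYYYMMDDhhmmssZ), which
                # sorts lexicographically, so a string compare against the request
                # date (%D expands to YYYYMMDD) is enough; an absent value is ignored.
                if (control:eDir-Login-Expiration-Time && (control:eDir-Login-Expiration-Time < "%D000000Z")) {
                        update reply {
                                Reply-Message := "Account expired"
                        }
                        reject
                }
        }
}
```

Run `radiusd -X` and watch the control list after the ldap call to confirm the two attributes are populated before the checks fire.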