Request about implementation of alternate authentication mechanism in freeradius
Michal Vymazal
Michal.Vymazal at cesnet.cz
Wed Apr 30 10:21:47 CEST 2014
Two ldap servers is another idea, not usable in our case.
What we need in the freeradius case is more than one password in the
password_attribute = "radiusPassword"
Michal
On 29.4.2014 16:25, Matthew Newton wrote:
> On Tue, Apr 29, 2014 at 04:08:09PM +0200, Michal Vymazal wrote:
>> Not exactly.
>> We want to enable ldap to use more than one password for one service.
>>
>> Meaning: if hash no. 1 does not match, ldap will try hash no. 2, etc.
>
> So you configure one ldap instance (say, "ldap1") to do the first
> hash check, and a second ldap instance ("ldap2") to check the second
> hash, then do
>
> redundant {
>     ldap1
>     ldap2
> }
>
> so if the first check fails, the second one is tried?
>
> As on http://wiki.freeradius.org/config/Fail%20over
>
> Unless I'm missing something, I don't understand yet why this
> needs additional code. Although ldap is a lookup database not
> really an auth mechanism, so you might do two lookups, then call
> pap in a redundant section, for example. But the theory is the
> same.
>
> Matthew
>
>> On 29.4.2014 16:02, Matthew Newton wrote:
>>> On Tue, Apr 29, 2014 at 02:44:12PM +0200, Michal Vymazal wrote:
>>>> We are going to append binary code to some ldap modules - the goal is to
>>>> enable ldap to use "alternate passwords" for some ldap entries. Means,
>>>> every app using ldap bind will be able to use "alternate passwords" to verify
>>>> the user access. Useful for the environment of mobile devices etc.
>>>
>>> This is difficult to understand, but sounds like you want to just
>>> use two instances of ldap, checking different LDAP password
>>> attributes, with failover? In which case, no code changes
>>> required.
>>>
>>> Matthew
>>>
>>>
>>
>>
>> --
>> Michal Vymazal
>> work: CESNET, z.s.p.o.
>> AAI Department
>> Zikova 4, 160 00 Praha 6
>> Czech Republic
>> http://www.cesnet.cz/
>>
--
Michal Vymazal
work: CESNET, z.s.p.o.
AAI Department
Zikova 4, 160 00 Praha 6
Czech Republic
http://www.cesnet.cz/
More information about the Freeradius-Devel
mailing list