username with several passwords. Which op value?
John Dennis
jdennis at redhat.com
Wed Apr 22 19:31:22 CEST 2009
Santiago Balaguer García wrote:
> Hi,
>
> I want the 'san0001' user to have two passwords. This is in my
> radcheck table:
>
> Username | Attribute | op | value
> ------------------------------------
> san0001 Password ?? santi1
> san0001 Password ?? santi2
>
> Which op value do I have to use (=, :=, +=, ==)?

Multiple valid passwords for a single user is a bad idea for a host of
reasons. On top of that the username field should be a unique primary
key disallowing duplicates enforced by the SQL database. I have no clue
what it means to query a username and get multiple rows back and I
suspect the internal code would be confused by this as well (note I have
not looked at the code in question, but I would suspect it would do one
of two things, use the first row returned or fail with an error if
multiple rows). The concept of iterating over multiple rows until a
password finally works is so dubious I would be most surprised if it
were coded this way (and if it was I'd consider it a bug and security flaw).
The short answer is don't do this and don't expect the server to work
this way.
--
John Dennis <jdennis at redhat.com>
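
An added example, not part of the original post and not FreeRADIUS code: an audit for users that hold more than one Password row in a table laid out like the quoted radcheck, plus a database-side rule that rejects a second one. It assumes SQLite as a stand-in for the real SQL backend; the sample rows, the `id` column, the op value used and the index name are constructed for illustration.

```python
import sqlite3

# Constructed sample rows in the quoted layout: username, attribute, op, value.
# The op value is arbitrary here; neither check below depends on it.
SAMPLE_ROWS = [
    ("san0001", "Password", ":=", "santi1"),
    ("san0001", "Password", ":=", "santi2"),     # second password, same user
    ("ana0002", "Password", ":=", "ana-secret"),
    ("ana0002", "Simultaneous-Use", ":=", "1"),  # non-password check item
]

def make_db(rows):
    """Build an in-memory stand-in for the radcheck table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT NOT NULL,"
        " attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        rows,
    )
    return db

def users_with_multiple_passwords(db):
    """Return [(username, row_count)] for users with more than one Password row."""
    return db.execute(
        "SELECT username, COUNT(*) FROM radcheck WHERE attribute = 'Password'"
        " GROUP BY username HAVING COUNT(*) > 1 ORDER BY username"
    ).fetchall()

def enforce_single_password(db):
    """Partial unique index (hypothetical name): one Password row per username.
    Creation fails while duplicates still exist, so run the audit first."""
    db.execute(
        "CREATE UNIQUE INDEX one_password_per_user ON radcheck (username)"
        " WHERE attribute = 'Password'"
    )

def try_add_password(db, username, value):
    """Insert a Password row; return False if the unique index refuses it."""
    try:
        db.execute(
            "INSERT INTO radcheck (username, attribute, op, value)"
            " VALUES (?, 'Password', ':=', ?)", (username, value),
        )
        return True
    except sqlite3.IntegrityError:
        return False
```

The index covers only rows whose attribute is Password, so other check items for the same username are still accepted.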