Old password 'grace period'

Ivan Kalik tnt at kalik.net
Thu Jun 25 11:17:34 CEST 2009


>> >
>> > so, what you've actually got to do is run the pap method twice.
>> > once for the user-name/password from sql_new and once for the
>> > user-name/password from sql_old.   one of those methods would
>> > work for a valid user....
>> >
>> > that's a funky bit of group/failover requirement that'll have to
>> > be cooked up...maybe
>> >
>> > group {
>> >   sql_new {
>> >   pap
>> >   ok = return
>> >   }
>> >   sql_old {
>> >   pap
>> >   ok = return
>> >   }
>> > }
>> >
>> > or something along those broken lines ;-)
>> >
>> > alan
>
> [JK] freeradius does not like anything like that added into that
> section.  On start-up, I get:
>
> /etc/raddb/sites-enabled/default[168]: Failed to parse "sql_new"
> subsection.
> /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
> Errors initializing modules

You should write your custom authentication script.

This can be made to work with standard modules/attributes for pap requests
with some unlang gymnastics in Post-Auth-Type Reject. But mschap will need
a custom script. You can utilize the existing mschap module, but you will
need to remove from the list the NT and LM passwords created with the first
password before you try to call it again with the replacement password.

Ivan Kalik
Kalik Informatika ISP
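
The retry logic discussed in this thread, as an added Python sketch that is not part of the original post and is not FreeRADIUS code: it tries the new password, then the old one inside a grace window, and shows why hashes derived from the first candidate must be removed before the second attempt. The 7-day window, the `Derived-Hash` key, the SHA-256 stand-in for NT/LM hashing and the direct hash comparison (instead of a real MS-CHAP challenge/response) are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

GRACE = timedelta(days=7)  # assumed window; the thread does not give one


def derive(password):
    # Stand-in for deriving NT/LM hashes from a cleartext password.
    # SHA-256 is used only so this runs anywhere; it is NOT the NT hash.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def candidates(new_pw, old_pw, changed_at, now):
    # New password first; old one only while the grace window is open.
    yield "new", new_pw
    if old_pw is not None and timedelta(0) <= now - changed_at <= GRACE:
        yield "old", old_pw


def authenticate(proof, new_pw, old_pw, changed_at, now, reset_derived=True):
    """Return "new", "old" or None. `proof` models what the client sent."""
    control = {}  # hypothetical per-request control list
    for label, pw in candidates(new_pw, old_pw, changed_at, now):
        if reset_derived:
            # Drop the hash derived from the previous candidate.
            control.pop("Derived-Hash", None)
        control["Cleartext-Password"] = pw
        # Model of a module that derives a hash only when none is present.
        if "Derived-Hash" not in control:
            control["Derived-Hash"] = derive(pw)
        if hmac.compare_digest(control["Derived-Hash"], proof):
            return label
    return None


if __name__ == "__main__":
    changed = datetime(2009, 6, 20)  # constructed sample data
    now = datetime(2009, 6, 25)
    proof = derive("old-secret")
    print(authenticate(proof, "new-secret", "old-secret", changed, now))
    print(authenticate(proof, "new-secret", "old-secret", changed, now,
                       reset_derived=False))
```

With `reset_derived=False` the stale hash from the new password stays in the control list, so a user still on the old password is rejected even though the grace window is open.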



