Old password 'grace period'

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Jun 25 16:20:36 CEST 2009


On 25/6/09 14:53, Arran Cudbard-Bell wrote:
> On 25/6/09 12:01, A.L.M.Buxey at lboro.ac.uk wrote:
>> Hi,
>>
>>> I leave you guys alone for 5 minutes....
>>
>> 8-) as I said, there's probably a way of doing it
>

*sigh* The coffee excuse doesn't work past lunch time, does it... (missed out some curly braces)

instantiate {
	sql_old
}

authorize {
	# Retrieves credentials
	sql_new
	# Sets auth-type mschap
	mschap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap {
			reject = 2
		}
		if (reject) {
			# Could alternatively write the value of a custom attribute into Cleartext-password
			# if both old and new passwords were returned in the call to sql* in authorize.
			update control {
				Cleartext-Password := "%{sql_old:SELECT<cleartext password query...>}"
			}
			# Stop users logging in with null password (if there's no 'old' password set)
			if ("%{control:Cleartext-Password}" == '') {
				reject
			}
			# Remove stale password hashes created on first call to rlm_mschap
			update control {
				NT-Password -= "%{control:NT-Password}"
				LM-Password -= "%{control:LM-Password}"
			}
			mschap
		}
	}
}

-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
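To make the control flow of the authenticate section above concrete, here is an added Python model of it; it is not code from the original post or from FreeRADIUS, and the NT hash and MS-CHAP response are stood in for with SHA-256 because the point is the control-list handling, not the hash. It shows why both the stale NT-Password/LM-Password removal and the empty-old-password check are needed: without the first, the second mschap call still verifies against the hash derived from the new password, and without the second an empty 'old' password would allow a null-password login.

```python
import hashlib


def nt_hash(password: str) -> bytes:
    # Stand-in for the NT hash (MD4 over UTF-16LE). SHA-256 is used here only
    # because MD4 is not reliably available in modern OpenSSL builds.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def chap_response(challenge: bytes, nt_pw: bytes) -> bytes:
    # Simplified stand-in for the MS-CHAP challenge/response computation.
    return hashlib.sha256(challenge + nt_pw).digest()


def rlm_mschap(control: dict, request: dict) -> str:
    """Model of rlm_mschap: derive NT-Password from Cleartext-Password on the
    first call (and keep it in control), then verify the client's response."""
    if "NT-Password" not in control:
        if "Cleartext-Password" not in control:
            return "fail"
        control["NT-Password"] = nt_hash(control["Cleartext-Password"])
    expected = chap_response(request["challenge"], control["NT-Password"])
    return "ok" if expected == request["response"] else "reject"


def authenticate(request: dict, new_password: str, old_password: str,
                 clear_stale: bool = True) -> str:
    """Model of the authenticate section from the post."""
    control = {"Cleartext-Password": new_password}   # set by sql_new in authorize
    rcode = rlm_mschap(control, request)             # mschap { reject = 2 }
    if rcode != "reject":
        return rcode
    control["Cleartext-Password"] = old_password     # %{sql_old:...} lookup
    if control["Cleartext-Password"] == "":
        return "reject"                              # no old password: no null logins
    if clear_stale:                                  # NT-Password -= / LM-Password -=
        control.pop("NT-Password", None)
        control.pop("LM-Password", None)
    return rlm_mschap(control, request)              # second mschap call


def make_request(password: str, challenge: bytes = b"constructed-challenge") -> dict:
    # Constructed client request for a given password (no real NAS involved).
    return {"challenge": challenge, "response": chap_response(challenge, nt_hash(password))}
```

Calling `authenticate(..., clear_stale=False)` with the correct old password reproduces the failure the "stale password hashes" comment guards against.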