Old password 'grace period'
John Kane
john.kane at prodeasystems.com
Tue Jun 30 06:07:02 CEST 2009
> Arran Cudbard-Bell
>
> *sigh* the Coffee excuse doesn't work past lunch time does it...
> (missed out some curly braces)
>
> instantiate {
>     sql_old
> }
>
> authorize {
>     # Retrieves credentials
>     sql_new
>     # Sets auth-type mschap
>     mschap
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>         mschap {
>             reject = 2
>         }
>         if(reject){
>             # Could alternatively write the value of a custom attribute into Cleartext-password
>             # if both old and new passwords were returned in the call to sql* in authorize.
>             update control {
>                 Cleartext-Password := "%{sql_old:SELECT<cleartext password query...>}"
>             }
>             # Stop users logging in with null password (if there's no 'old' password set)
>             if("%{control:Cleartext-Password}" == ''){
>                 reject
>             }
>             # Remove stale password hashes created on first call to rlm_mschap
>             update control {
>                 NT-Password -= "%{control:NT-Password}"
>                 LM-Password -= "%{control:LM-Password}"
>             }
>             mschap
>         }
>     }
> }
>
[JK] This works beautifully.....I want to thank Arran and others for the
quick response. Very much appreciated.
John