(RADIATOR) Re: Feature request for AuthBy LDAP2

Jeremy Hinton jgh at visi.net
Thu Jun 20 15:17:04 CDT 2002


	Well, after digging around, I figured why not just do the fix
myself. So without further ado, following is a patch that basically enables
the functionality I mentioned below. It adds a new parameter, AuthCheckDN,
which (if defined and ServerChecksPassword is defined) is the DN used when
binding to check the password entered. If it's not defined and
ServerChecksPassword is, the current behavior occurs (builds the Auth DN
from the results of the query). AuthCheckDN is expanded identically to
BaseDN, with %0 and %1 mapping to UsernameAttr and name, respectively.
There isn't any error checking on the value, aside from any done in the
expansion routines.

*** AuthLDAP2.pm.dist   Thu Jun 20 15:49:56 2002
--- AuthLDAP2.pm        Thu Jun 20 15:53:29 2002
***************
*** 33,39 ****
       'SearchFilter'          => 'string',
       'HoldServerConnection'  => 'flag',
       'ServerChecksPassword'  => 'flag',
!      'NoBindBeforeOp'      => 'flag',
       'Scope'                 => 'string',
       'SSLVerify'             => 'string',
       'SSLCiphers'            => 'string',
--- 33,40 ----
       'SearchFilter'          => 'string',
       'HoldServerConnection'  => 'flag',
       'ServerChecksPassword'  => 'flag',
!      'AuthCheckDN'           => 'string',
!      'NoBindBeforeOp'        => 'flag',
       'Scope'                 => 'string',
       'SSLVerify'             => 'string',
       'SSLCiphers'            => 'string',
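Review bot: the new 'AuthCheckDN' entry is registered but nothing in the patch documents it or records that it only has an effect when ServerChecksPassword is also set; add a comment beside the entry (and an entry in the module's parameter documentation) saying that AuthCheckDN is ignored unless ServerChecksPassword is set, and that it is expanded with Radius::Util::format_special. The re-indentation of the unchanged 'NoBindBeforeOp' => 'flag' line is a whitespace-only change that adds a line to the diff; drop it or keep it in a separate cosmetic change.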
***************
*** 348,356 ****
        # Now we have the DN, we can get the server to 
        # check the username if necessary
        if ($self->{ServerChecksPassword})
!       {
            $got_password = 1;
!           if (!$self->checkPassword($dn, $p->decodedPassword()))
            {
                # LDAP server did not like the password
                $user->get_check->add_attr('Encrypted-Password',
--- 349,363 ----
        # Now we have the DN, we can get the server to 
        # check the username if necessary
        if ($self->{ServerChecksPassword})
!         {
!             my $auth_check_dn = $dn;
!             if ($self->{AuthCheckDN}) {
!                 $auth_check_dn = &Radius::Util::format_special
!                 ($self->{AuthCheckDN},
!                  $p, undef);
!             }
            $got_password = 1;
!           if (!$self->checkPassword($auth_check_dn,
$p->decodedPassword()))
            {
                # LDAP server did not like the password
                $user->get_check->add_attr('Encrypted-Password',
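Review bot: the expanded AuthCheckDN is handed to checkPassword with no check that the result is non-empty, so if a special used in AuthCheckDN refers to something absent from the request (a missing realm, for example) $auth_check_dn becomes '' and the bind is sent as an anonymous bind rather than as the user; refuse the request unless length $auth_check_dn before the checkPassword call, taking the same failure path the code already takes when the server rejects the password. Two smaller points in the same hunk: the covering message says %0 and %1 map to UsernameAttr and name as they do for BaseDN, but the call here passes only `$p, undef` with no positional arguments after them, so %0/%1 will not be filled from this call unless format_special supplies them itself; either pass the same trailing arguments the BaseDN expansion uses or correct the description. And the values interpolated into the DN from the request are not DN-escaped, so a login name containing ',', '+', '=' or '\' changes the structure of the bind DN; at minimum say so in the parameter documentation, since the message already notes there is no error checking on the value. Finally, the inserted block is indented two columns deeper than the surrounding if, and the `$self->checkPassword($auth_check_dn,` line is wrapped across two lines in the mail, so the patch will need to be reindented and re-joined before it applies cleanly.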



On Thu, 20 Jun 2002, Jeremy Hinton wrote:

> 
> 	I would like to be able to change the bind dn when using
> ServerChecksPassword in AuthBy LDAP2. In digging through AuthLDAP2.pm, it
> looks like the DN used for binding in this scenario is automatically the
> one returned from the previous LDAP search. We're using Radiator together
> with the LDAP server built into the CommuniGate commercial mail server. 
> This LDAP server has a special ability to authenticate via multiple
> methods, but only if the bind request comes through in a certain format,
> specifically as "mail=user at domain" or just "user at domain" as the bind dn. 
> 
> 	What I would love to see is either a new parameter to AuthBy LDAP2
> (say PasswordCheckDN) or the ability to add an argument to the existing
> ServerChecksPassword to allow you to use a different format DN for the
> connection. The value would need to support the same expansion as the
> BaseDN parameter. So, in my case, I would use something like this:
> 
> ServerChecksPassword	mail=%U@%R
> 
> If something like this could be considered it would be greatly
> appreciated. And many thanks for continuing the hard work on an excellent
> piece of software!
> 
> - jeremy
> 
> // Jeremy Hinton                                            VisiNet
> // jgh at visi.net                                         NOC Manager
> // I've wrestled with reality for 35 years, doctor, 
> // and I'm happy to state I finally won out over it. -Elwood P Dowd
> 
> 
> 
> 
> 

// Jeremy Hinton                                            VisiNet
// jgh at visi.net                                         NOC Manager
// I've wrestled with reality for 35 years, doctor, 
// and I'm happy to state I finally won out over it. -Elwood P Dowd
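A configuration fragment for the patched module, added here as an example and not part of the original message or of Radiator's own documentation. It assumes the AuthCheckDN patch above has been applied (an unpatched AuthLDAP2.pm rejects the parameter), and the host, bind credentials, BaseDN and attribute names are placeholders:

```text
# Added example; assumes the AuthCheckDN patch above is applied.
<Realm example.com>
    <AuthBy LDAP2>
        Host            ldap.example.com
        # Credentials for the initial search bind (placeholders)
        AuthDN          cn=radius,o=example
        AuthPassword    search-bind-secret
        BaseDN          o=example
        UsernameAttr    mail
        # Without the patch, a successful search for the user is
        # followed by a bind as the DN the search returned.
        ServerChecksPassword
        # With the patch, the password check binds as this string,
        # expanded with the request specials %U (user part of the
        # login name) and %R (realm), so a login of jgh@example.com
        # binds as mail=jgh@example.com instead of the searched DN.
        AuthCheckDN     mail=%U@%R
    </AuthBy>
</Realm>
```

The search stage is unchanged by the patch, so the user must still be found under BaseDN before the bind is attempted. Because the expanded value is used as the bind DN without any escaping or emptiness check, restrict what can reach it (a RewriteUsername that strips anything outside the expected character set, and a realm that is always present) so that a missing realm cannot turn the check into an anonymous bind and DN special characters cannot alter its structure.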



===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

