(RADIATOR) Re: Feature request for AuthBy LDAP2
Hugh Irvine
hugh at open.com.au
Thu Jun 20 18:49:23 CDT 2002
Hello Jeremy -
Many thanks for your contribution. Mike will look at it when he gets back
from his travels next week.
regards
Hugh
On Fri, 21 Jun 2002 06:17, Jeremy Hinton wrote:
> Well, after digging around, I figured why not just do the fix
> myself. So without further ado, following is a patch that basically enables
> the functionality I mentioned below. It adds a new parameter, AuthCheckDN,
> which (if defined and ServerChecksPassword is defined) is the DN used when
> binding to check the password entered. If it's not defined and
> ServerChecksPassword is, the current behavior occurs (builds the Auth DN
> from the results of the query). AuthCheckDN is expanded identically to
> BaseDN, with %0 and %1 mapping to UsernameAttr and name, respectively.
> There isn't any error checking on the value, aside from any done in the
> expansion routines.
>
> *** AuthLDAP2.pm.dist Thu Jun 20 15:49:56 2002
> --- AuthLDAP2.pm Thu Jun 20 15:53:29 2002
> ***************
> *** 33,39 ****
> 'SearchFilter' => 'string',
> 'HoldServerConnection' => 'flag',
> 'ServerChecksPassword' => 'flag',
> ! 'NoBindBeforeOp' => 'flag',
> 'Scope' => 'string',
> 'SSLVerify' => 'string',
> 'SSLCiphers' => 'string',
> --- 33,40 ----
> 'SearchFilter' => 'string',
> 'HoldServerConnection' => 'flag',
> 'ServerChecksPassword' => 'flag',
> ! 'AuthCheckDN' => 'string',
> ! 'NoBindBeforeOp' => 'flag',
> 'Scope' => 'string',
> 'SSLVerify' => 'string',
> 'SSLCiphers' => 'string',
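Review bot: AuthCheckDN is registered here as a plain 'string' with no accompanying parameter description, and nothing in the table records that it only takes effect when ServerChecksPassword is also set (as the cover note explains and the second hunk enforces). Add a description alongside the other parameters, and consider logging a warning at configuration time when AuthCheckDN is set without ServerChecksPassword, since the value is otherwise silently ignored.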
> ***************
> *** 348,356 ****
> # Now we have the DN, we can get the server to
> # check the username if necessary
> if ($self->{ServerChecksPassword})
> ! {
> $got_password = 1;
> ! if (!$self->checkPassword($dn, $p->decodedPassword()))
> {
> # LDAP server did not like the password
> $user->get_check->add_attr('Encrypted-Password',
> --- 349,363 ----
> # Now we have the DN, we can get the server to
> # check the username if necessary
> if ($self->{ServerChecksPassword})
> ! {
> ! my $auth_check_dn = $dn;
> ! if ($self->{AuthCheckDN}) {
> ! $auth_check_dn = &Radius::Util::format_special
> ! ($self->{AuthCheckDN},
> ! $p, undef);
> ! }
> $got_password = 1;
> ! if (!$self->checkPassword($auth_check_dn,
> $p->decodedPassword()))
> {
> # LDAP server did not like the password
> $user->get_check->add_attr('Encrypted-Password',
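Review bot: the cover note says %0 and %1 in AuthCheckDN map to UsernameAttr and the user name "identically to BaseDN", but this call passes only the template, $p and undef to format_special, so no values are supplied for %0/%1 and those sequences will not expand as described; either pass $self->{UsernameAttr} and the name as trailing arguments the way the cover note says the BaseDN expansion does, or drop the claim from the parameter description. Separately, the expanded string goes straight into checkPassword with no check on the result: with a template such as mail=%U@%R a User-Name containing DN separators like ',' or '+' changes the structure of the bind DN rather than just its value, so escape substituted values (RFC 4514) or at least reject an expansion that is empty or has more RDNs than the template before binding with it.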
>
> On Thu, 20 Jun 2002, Jeremy Hinton wrote:
> > I would like to be able to change the bind dn when using
> > ServerChecksPassword in AuthBy LDAP2. In digging through AuthLDAP2.pm, it
> > looks like the DN used for binding in this scenario is automatically the
> > one returned from the previous LDAP search. We're using Radiator together
> > with the LDAP server built into the CommuniGate commercial mail server.
> > This LDAP server has a special ability to authenticate via multiple
> > methods, but only if the bind request comes through in a certain format,
> > specifically as "mail=user@domain" or just "user@domain" as the bind dn.
> >
> > What i would love to see is either a new parameter to AuthBy LDAP2
> > (say PasswordCheckDN) or the ability to add an argument to the existing
> > ServerChecksPassword to allow you to use a different format DN for the
> > connection. The value would nee to support the same expansion as the
> > BaseDN parameter. So, im my case, i would use something like this:
> >
> > ServerChecksPassword mail=%U@%R
> >
> > If something like this could be considered it would be greatly
> > appreciated. And many thanks for continuing the hard work on an excellent
> > piece of software!
> >
> > - jeremy
> >
> > // Jeremy Hinton VisiNet
> > // jgh at visi.net NOC Manager
> > // I've wrestled with reality for 35 years, doctor,
> > // and I'm happy to state I finally won out over it. -Elwood P Dowd
>
> // Jeremy Hinton VisiNet
> // jgh at visi.net NOC Manager
> // I've wrestled with reality for 35 years, doctor,
> // and I'm happy to state I finally won out over it. -Elwood P Dowd
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
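An added example, not Radiator's code and not part of Jeremy's patch, showing the expansion the thread is asking for done with the check the cover note says is missing. It expands an AuthCheckDN-style template such as mail=%U@%R from a RADIUS User-Name, escaping the substituted values per RFC 4514 and refusing empty ones, and contrasts that with a raw substitution so you can see a user name containing a comma turn a one-RDN bind DN into a two-RDN one. Assumptions: %U and %R are taken to mean the user and realm parts of User-Name split at '@' (that is how the thread's mail=%U@%R reads, not a statement of Radiator's own expansion rules), and the AuthBy LDAP2 fragment in the comment is constructed for illustration.

```python
import re

# Constructed AuthBy LDAP2 fragment this example stands in for (assumption:
# this is how the proposed AuthCheckDN parameter would be written in a
# Radiator configuration).
#
#   <AuthBy LDAP2>
#       Host                  ldap.example.com
#       BaseDN                o=example
#       ServerChecksPassword
#       AuthCheckDN           mail=%U@%R
#   </AuthBy>

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514 section 2.4); position-dependent cases are handled below.
_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')          # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')          # leading '#'
        else:
            out.append(ch)
    return ''.join(out)


def split_user_realm(user_name: str):
    """Split 'user@realm' into (user, realm); realm is '' when absent.
    Assumed here to be what %U and %R stand for in the thread's template."""
    user, _, realm = user_name.partition('@')
    return user, realm


def expand_check_dn(template: str, user_name: str, escape: bool = True) -> str:
    """Expand %U / %R in an AuthCheckDN-style template.

    escape=True DN-escapes each substituted value and rejects empty ones;
    escape=False reproduces a raw, unchecked substitution for comparison.
    """
    user, realm = split_user_realm(user_name)
    values = {'U': user, 'R': realm}

    def substitute(match):
        key = match.group(1)
        value = values[key]
        if escape and value == '':
            raise ValueError('empty %%%s in User-Name %r' % (key, user_name))
        return escape_dn_value(value) if escape else value

    return re.sub(r'%([UR])', substitute, template)


def rdn_count(dn: str) -> int:
    """Number of RDNs in a DN string: split on commas not preceded by a
    backslash. Sufficient for this demonstration; a value ending in an
    escaped backslash right before a separator needs a full DN parser."""
    return len(re.split(r'(?<!\\),', dn))


if __name__ == '__main__':
    template = 'mail=%U@%R'
    # Constructed sample User-Names: a normal one and one carrying a comma.
    for name in ('jeremy@visi.net', 'jdoe,ou=admins@visi.net'):
        raw = expand_check_dn(template, name, escape=False)
        safe = expand_check_dn(template, name)
        print('%-26s raw: %s (%d RDN)  escaped: %s (%d RDN)'
              % (name, raw, rdn_count(raw), safe, rdn_count(safe)))
```

Run it and the second sample shows the point: the raw expansion mail=jdoe,ou=admins@visi.net is a two-RDN DN, while the escaped form keeps the whole user part inside the single mail= RDN. The same escaping would apply to %0/%1 substitutions if the BaseDN-style mapping is added.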