(RADIATOR) Re: Feature request for AuthBy LDAP2

Hugh Irvine hugh at open.com.au
Thu Jun 20 18:49:23 CDT 2002


Hello Jeremy -

Many thanks for your contribution. Mike will look at it when he gets back 
from his travels next week.

regards

Hugh


On Fri, 21 Jun 2002 06:17, Jeremy Hinton wrote:
> Well, after digging around, I figured why not just do the fix
> myself. So without further ado, following is a patch that basically enables
> the functionality I mentioned below. It adds a new parameter, AuthCheckDN,
> which (if defined and ServerChecksPassword is defined) is the DN used when
> binding to check the password entered. If it's not defined and
> ServerChecksPassword is, the current behavior occurs (builds the Auth DN
> from the results of the query). AuthCheckDN is expanded identically to
> BaseDN, with %0 and %1 mapping to UsernameAttr and name, respectively.
> There isn't any error checking on the value, aside from any done in the
> expansion routines.
>
> *** AuthLDAP2.pm.dist   Thu Jun 20 15:49:56 2002
> --- AuthLDAP2.pm        Thu Jun 20 15:53:29 2002
> ***************
> *** 33,39 ****
>        'SearchFilter'          => 'string',
>        'HoldServerConnection'  => 'flag',
>        'ServerChecksPassword'  => 'flag',
> !      'NoBindBeforeOp'      => 'flag',
>        'Scope'                 => 'string',
>        'SSLVerify'             => 'string',
>        'SSLCiphers'            => 'string',
> --- 33,40 ----
>        'SearchFilter'          => 'string',
>        'HoldServerConnection'  => 'flag',
>        'ServerChecksPassword'  => 'flag',
> !      'AuthCheckDN'           => 'string',
> !      'NoBindBeforeOp'        => 'flag',
>        'Scope'                 => 'string',
>        'SSLVerify'             => 'string',
>        'SSLCiphers'            => 'string',
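Review bot: the new `'AuthCheckDN' => 'string'` keyword is declared here but nothing else in the patch documents it; a description of AuthCheckDN (what it replaces, that it is only consulted when ServerChecksPassword is set, and the %0/%1 expansion the cover note describes) should go wherever the other AuthBy LDAP2 parameters are documented. The `'NoBindBeforeOp' => 'flag'` line is a whitespace-only realignment and could be left out to keep the diff to the functional change.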
> ***************
> *** 348,356 ****
>         # Now we have the DN, we can get the server to
>         # check the username if necessary
>         if ($self->{ServerChecksPassword})
> !       {
>             $got_password = 1;
> !           if (!$self->checkPassword($dn, $p->decodedPassword()))
>             {
>                 # LDAP server did not like the password
>                 $user->get_check->add_attr('Encrypted-Password',
> --- 349,363 ----
>         # Now we have the DN, we can get the server to
>         # check the username if necessary
>         if ($self->{ServerChecksPassword})
> !         {
> !             my $auth_check_dn = $dn;
> !             if ($self->{AuthCheckDN}) {
> !                 $auth_check_dn = &Radius::Util::format_special
> !                 ($self->{AuthCheckDN},
> !                  $p, undef);
> !             }
>             $got_password = 1;
> !           if (!$self->checkPassword($auth_check_dn,
> $p->decodedPassword()))
>             {
>                 # LDAP server did not like the password
>                 $user->get_check->add_attr('Encrypted-Password',
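Review bot: `format_special($self->{AuthCheckDN}, $p, undef)` passes no arguments after `$p, undef`, yet the cover note says %0 and %1 expand to UsernameAttr and name exactly as they do for BaseDN; if those come from trailing positional arguments to format_special, they will expand to the empty string here, so the call should pass the same trailing arguments the BaseDN expansion uses (UsernameAttr and the name). Two smaller points: the expanded DN carries the user-supplied name verbatim, so a debug-level log of the DN actually bound with would let operators see what was sent when a login fails; and the braces around the block are re-indented relative to the `if` they belong to, a whitespace-only change that touches otherwise unchanged lines.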
>
> On Thu, 20 Jun 2002, Jeremy Hinton wrote:
> > 	I would like to be able to change the bind DN when using
> > ServerChecksPassword in AuthBy LDAP2. In digging through AuthLDAP2.pm, it
> > looks like the DN used for binding in this scenario is automatically the
> > one returned from the previous LDAP search. We're using Radiator together
> > with the LDAP server built into the CommuniGate commercial mail server.
> > This LDAP server has a special ability to authenticate via multiple
> > methods, but only if the bind request comes through in a certain format,
> > specifically as "mail=user at domain" or just "user at domain" as the bind DN.
> >
> > 	What I would love to see is either a new parameter to AuthBy LDAP2
> > (say PasswordCheckDN) or the ability to add an argument to the existing
> > ServerChecksPassword to allow you to use a different format DN for the
> > connection. The value would need to support the same expansion as the
> > BaseDN parameter. So, in my case, I would use something like this:
> >
> > ServerChecksPassword	mail=%U@%R
> >
> > If something like this could be considered it would be greatly
> > appreciated. And many thanks for continuing the hard work on an excellent
> > piece of software!
> >
> > - jeremy
> >
> > // Jeremy Hinton                                            VisiNet
> > // jgh at visi.net                                         NOC Manager
> > // I've wrestled with reality for 35 years, doctor,
> > // and I'm happy to state I finally won out over it. -Elwood P Dowd
>
> // Jeremy Hinton                                            VisiNet
> // jgh at visi.net                                         NOC Manager
> // I've wrestled with reality for 35 years, doctor,
> // and I'm happy to state I finally won out over it. -Elwood P Dowd
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
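The search-then-bind flow the thread describes, as an added example that is not part of this mail or of Radiator's code: the first LDAP search yields a DN, and the password check then binds either as that DN or, when a bind-DN template is configured, as the template expanded from the request. It is written in Python rather than the module's Perl so it runs anywhere; the %-expansion is a simplified stand-in for Radiator's format_special() (only %U, %R, %0-%9 and %% are handled), the directory is an in-memory dictionary constructed for the example, and the DN-escaping of substituted values is an addition the patch itself does not make.

```python
"""Search-then-bind password check with a configurable bind-DN template.

Added example, not Radiator's code. Assumptions: expand() is a simplified
stand-in for format_special(); ENTRIES/BIND_DNS are a constructed directory.
"""
from dataclasses import dataclass


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules), so a
    user-supplied name containing ',' or '=' cannot change the DN's shape."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


@dataclass
class Request:
    """The part of an Access-Request the expansion needs."""
    username: str  # User-Name as received, e.g. "jeremy@example.com"

    def user_and_realm(self):
        user, sep, realm = self.username.partition('@')
        return user, (realm if sep else '')


def expand(template, req, extras=()):
    """Expand %U (user part), %R (realm), %0..%9 (positional extras), %% ('%').

    An %n with no matching extra expands to '' (the silent failure mode when
    the trailing arguments are not passed along). Substituted values are escaped.
    """
    user, realm = req.user_and_realm()
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == '%' and i + 1 < len(template):
            code = template[i + 1]
            if code == 'U':
                out.append(escape_dn_value(user))
            elif code == 'R':
                out.append(escape_dn_value(realm))
            elif code.isdigit():
                n = int(code)
                out.append(escape_dn_value(extras[n]) if n < len(extras) else '')
            elif code == '%':
                out.append('%')
            else:
                out.append(ch + code)  # unknown code: left untouched
            i += 2
        else:
            out.append(ch)
            i += 1
    return ''.join(out)


# Constructed directory. ENTRIES is what a search sees; BIND_DNS is the set of
# DNs the server accepts a simple bind for. The "mail=..." alias mirrors the
# CommuniGate behaviour described in the thread.
ENTRIES = {
    'uid=jeremy,ou=people,dc=example,dc=com': {'mail': 'jeremy@example.com'},
}
BIND_DNS = {
    'uid=jeremy,ou=people,dc=example,dc=com': 'hunter2',
    'mail=jeremy@example.com': 'hunter2',
}


def search_dn(username_attr, name):
    """Stand-in for the initial search: DN of the entry whose attr equals name."""
    for dn, attrs in ENTRIES.items():
        if attrs.get(username_attr) == name:
            return dn
    return None


def simple_bind(dn, password):
    """Stand-in for the server's password check on a simple bind."""
    return BIND_DNS.get(dn) == password


def check_password(config, req, password):
    """Return (bind_dn_used, accepted) following the patched control flow."""
    name = req.username
    dn = search_dn(config['UsernameAttr'], name)
    if dn is None:
        return None, False  # unknown user: nothing to bind as
    bind_dn = dn
    if config.get('AuthCheckDN'):
        # pass the same extras BaseDN expansion gets: %0 = UsernameAttr, %1 = name
        bind_dn = expand(config['AuthCheckDN'], req,
                         extras=(config['UsernameAttr'], name))
    return bind_dn, simple_bind(bind_dn, password)


if __name__ == '__main__':
    base = {'UsernameAttr': 'mail'}
    req = Request('jeremy@example.com')
    print(check_password(base, req, 'hunter2'))
    print(check_password({**base, 'AuthCheckDN': 'mail=%U@%R'}, req, 'hunter2'))
    print(check_password({**base, 'AuthCheckDN': '%0=%1'}, req, 'wrong'))
```

Running it shows the two DNs a server may be asked to bind as for the same user: without the template the search-result DN is used, with `mail=%U@%R` the alias form is used, and a template such as `%0=%1` only produces a useful DN when the expansion is handed the same extras the BaseDN expansion receives.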

