Fwd: Re: (RADIATOR) Re: Feature request for AuthBy LDAP2
Mike McCauley
mikem at open.com.au
Wed Jun 26 22:00:00 CDT 2002
Hello Jeremy,
thanks for the suggestion and the patch.
We have rolled in the patch for the next release. I have made a slight change,
which allows the DN from the search to be replaced by %0 in your AuthCheckDN.
The patched code is now available on the Radiator 3.1 patches area.
Cheers.
On Thu, 27 Jun 2002 10:00, Mike McCauley wrote:
> ---------- Forwarded Message ----------
>
> Subject: Re: (RADIATOR) Re: Feature request for AuthBy LDAP2
> Date: Fri, 21 Jun 2002 09:49:23 +1000
> From: Hugh Irvine <hugh at open.com.au>
> To: Jeremy Hinton <jgh at visi.net>, radiator at open.com.au
> Cc: mikem at open.com.au
>
> Hello Jeremy -
>
> Many thanks for your contribution. Mike will look at it when he gets back
> from his travels next week.
>
> regards
>
> Hugh
>
> On Fri, 21 Jun 2002 06:17, Jeremy Hinton wrote:
> > Well, after digging around, i figured why not just do the fix
> > myself. So without further ado, following is a patch the basically
> > enables the functionality i mentioned below. It adds a new parameter,
> > AuthCheckDN, which (if defined and ServerChecksPassword is defined) is
> > the DN used when binding to check the password entered. If its not
> > defined and
> > ServerChecksPassword is, the current behavior occurs (builds the Auth DN
> > from the results of the query). AuthCheckDN is expanded identically to
> > BaseDN, with %0 and %1 mapping to UsernameAttr and name, respectively.
> > There isn't any error checking on the value, aside from any done in the
> > expansion routines.
> >
> > *** AuthLDAP2.pm.dist Thu Jun 20 15:49:56 2002
> > --- AuthLDAP2.pm Thu Jun 20 15:53:29 2002
> > ***************
> > *** 33,39 ****
> > 'SearchFilter' => 'string',
> > 'HoldServerConnection' => 'flag',
> > 'ServerChecksPassword' => 'flag',
> > ! 'NoBindBeforeOp' => 'flag',
> > 'Scope' => 'string',
> > 'SSLVerify' => 'string',
> > 'SSLCiphers' => 'string',
> > --- 33,40 ----
> > 'SearchFilter' => 'string',
> > 'HoldServerConnection' => 'flag',
> > 'ServerChecksPassword' => 'flag',
> > ! 'AuthCheckDN' => 'string',
> > ! 'NoBindBeforeOp' => 'flag',
> > 'Scope' => 'string',
> > 'SSLVerify' => 'string',
> > 'SSLCiphers' => 'string',
> > ***************
> > *** 348,356 ****
> > # Now we have the DN, we can get the server to
> > # check the username if necessary
> > if ($self->{ServerChecksPassword})
> > ! {
> > $got_password = 1;
> > ! if (!$self->checkPassword($dn, $p->decodedPassword()))
> > {
> > # LDAP server did not like the password
> > $user->get_check->add_attr('Encrypted-Password',
> > --- 349,363 ----
> > # Now we have the DN, we can get the server to
> > # check the username if necessary
> > if ($self->{ServerChecksPassword})
> > ! {
> > ! my $auth_check_dn = $dn;
> > ! if ($self->{AuthCheckDN}) {
> > ! $auth_check_dn = &Radius::Util::format_special
> > ! ($self->{AuthCheckDN},
> > ! $p, undef);
> > ! }
> > $got_password = 1;
> > ! if (!$self->checkPassword($auth_check_dn,
> > $p->decodedPassword()))
> > {
> > # LDAP server did not like the password
> > $user->get_check->add_attr('Encrypted-Password',
> >
> > On Thu, 20 Jun 2002, Jeremy Hinton wrote:
> > > I would like to be able to change the bind dn when using
> > > ServerChecksPassword in AuthBy LDAP2. In digging through AuthLDAP2.pm,
> > > it looks like the DN used for binding in this scenario is automatically
> > > the one returned from the previous LDAP search. We're using Radiator
> > > together with the LDAP server built into the CommuniGate commercial
> > > mail server. This LDAP server has a special ability to authenticate via
> > > multiple methods, but only if the bind request comes through in a
> > > certain format, specifically as "mail=user at domain" or just
> > > "user at domain" as the bind dn.
> > >
> > > What i would love to see is either a new parameter to AuthBy LDAP2
> > > (say PasswordCheckDN) or the ability to add an argument to the existing
> > > ServerChecksPassword to allow you to use a different format DN for the
> > > connection. The value would nee to support the same expansion as the
> > > BaseDN parameter. So, im my case, i would use something like this:
> > >
> > > ServerChecksPassword mail=%U@%R
> > >
> > > If something like this could be considered it would be greatly
> > > appreciated. And many thanks for continuing the hard work on an
> > > excellent peice of software!
> > >
> > > - jeremy
> > >
> > > // Jeremy Hinton VisiNet
> > > // jgh at visi.net NOC Manager
> > > // I've wrestled with reality for 35 years, doctor,
> > > // and I'm happy to state I finally won out over it. -Elwood P Dowd
> >
> > // Jeremy Hinton VisiNet
> > // jgh at visi.net NOC Manager
> > // I've wrestled with reality for 35 years, doctor,
> > // and I'm happy to state I finally won out over it. -Elwood P Dowd
> >
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list