Fwd: Re: (RADIATOR) Re: Feature request for AuthBy LDAP2

Mike McCauley mikem at open.com.au
Wed Jun 26 22:00:00 CDT 2002


Hello Jeremy,

thanks for the suggestion and the patch.
We have rolled in the patch for the next release. I have made a slight change, 
which allows the DN from the search to be replaced by %0 in your AuthCheckDN.

The patched code is now available on the Radiator 3.1 patches area.

Cheers.


On Thu, 27 Jun 2002 10:00, Mike McCauley wrote:
> ----------  Forwarded Message  ----------
>
> Subject: Re: (RADIATOR) Re: Feature request for AuthBy LDAP2
> Date: Fri, 21 Jun 2002 09:49:23 +1000
> From: Hugh Irvine <hugh at open.com.au>
> To: Jeremy Hinton <jgh at visi.net>, radiator at open.com.au
> Cc: mikem at open.com.au
>
> Hello Jeremy -
>
> Many thanks for your contribution. Mike will look at it when he gets back
> from his travels next week.
>
> regards
>
> Hugh
>
> On Fri, 21 Jun 2002 06:17, Jeremy Hinton wrote:
> > Well, after digging around, I figured why not just do the fix
> > myself. So without further ado, following is a patch that basically
> > enables the functionality I mentioned below. It adds a new parameter,
> > AuthCheckDN, which (if defined and ServerChecksPassword is defined) is
> > the DN used when binding to check the password entered. If it's not
> > defined and ServerChecksPassword is, the current behavior occurs (builds
> > the Auth DN from the results of the query). AuthCheckDN is expanded
> > identically to BaseDN, with %0 and %1 mapping to UsernameAttr and name,
> > respectively. There isn't any error checking on the value, aside from
> > any done in the expansion routines.
> >
> > *** AuthLDAP2.pm.dist   Thu Jun 20 15:49:56 2002
> > --- AuthLDAP2.pm        Thu Jun 20 15:53:29 2002
> > ***************
> > *** 33,39 ****
> >        'SearchFilter'          => 'string',
> >        'HoldServerConnection'  => 'flag',
> >        'ServerChecksPassword'  => 'flag',
> > !      'NoBindBeforeOp'      => 'flag',
> >        'Scope'                 => 'string',
> >        'SSLVerify'             => 'string',
> >        'SSLCiphers'            => 'string',
> > --- 33,40 ----
> >        'SearchFilter'          => 'string',
> >        'HoldServerConnection'  => 'flag',
> >        'ServerChecksPassword'  => 'flag',
> > !      'AuthCheckDN'           => 'string',
> > !      'NoBindBeforeOp'        => 'flag',
> >        'Scope'                 => 'string',
> >        'SSLVerify'             => 'string',
> >        'SSLCiphers'            => 'string',
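Review bot: the new `'AuthCheckDN' => 'string'` keyword is registered with no documentation or default anywhere in the change; the ServerChecksPassword description (and the reference manual entry) should state that when AuthCheckDN is set it replaces the search-result DN for the password-check bind and how it is expanded, since the table entry alone leaves that implicit. Also, the `!` marker on `'NoBindBeforeOp' => 'flag',` on the old side covers a whitespace-only realignment; leaving that line untouched would reduce the hunk to the one real addition.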
> > ***************
> > *** 348,356 ****
> >         # Now we have the DN, we can get the server to
> >         # check the username if necessary
> >         if ($self->{ServerChecksPassword})
> > !       {
> >             $got_password = 1;
> > !           if (!$self->checkPassword($dn, $p->decodedPassword()))
> >             {
> >                 # LDAP server did not like the password
> >                 $user->get_check->add_attr('Encrypted-Password',
> > --- 349,363 ----
> >         # Now we have the DN, we can get the server to
> >         # check the username if necessary
> >         if ($self->{ServerChecksPassword})
> > !         {
> > !             my $auth_check_dn = $dn;
> > !             if ($self->{AuthCheckDN}) {
> > !                 $auth_check_dn = &Radius::Util::format_special
> > !                 ($self->{AuthCheckDN},
> > !                  $p, undef);
> > !             }
> >             $got_password = 1;
> > !           if (!$self->checkPassword($auth_check_dn,
> > $p->decodedPassword()))
> >             {
> >                 # LDAP server did not like the password
> >                 $user->get_check->add_attr('Encrypted-Password',
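Review bot: the covering text says %0 and %1 in AuthCheckDN map to UsernameAttr and name, but `format_special($self->{AuthCheckDN}, $p, undef)` passes nothing after `$p, undef`, so no value is supplied for those positional specials in this hunk; either pass them explicitly (for example the search result `$dn`) as additional arguments or drop the claim from the description. The expanded `$auth_check_dn` is also handed straight to checkPassword with no check that the expansion produced a non-empty DN, and request-derived specials such as %U are spliced in unescaped, so a User-Name containing DN metacharacters (`,` `+` `=` `\`) changes the DN that is bound; escape those values (RFC 4514) or validate the result before the bind. Minor: the new block is indented two columns deeper than the `{` it replaces and the surrounding `$got_password = 1;`.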
> >
> > On Thu, 20 Jun 2002, Jeremy Hinton wrote:
> > > 	I would like to be able to change the bind DN when using
> > > ServerChecksPassword in AuthBy LDAP2. In digging through AuthLDAP2.pm,
> > > it looks like the DN used for binding in this scenario is automatically
> > > the one returned from the previous LDAP search. We're using Radiator
> > > together with the LDAP server built into the CommuniGate commercial
> > > mail server. This LDAP server has a special ability to authenticate via
> > > multiple methods, but only if the bind request comes through in a
> > > certain format, specifically as "mail=user@domain" or just
> > > "user@domain" as the bind DN.
> > >
> > > 	What I would love to see is either a new parameter to AuthBy LDAP2
> > > (say PasswordCheckDN) or the ability to add an argument to the existing
> > > ServerChecksPassword to allow you to use a different format DN for the
> > > connection. The value would need to support the same expansion as the
> > > BaseDN parameter. So, in my case, I would use something like this:
> > >
> > > ServerChecksPassword	mail=%U@%R
> > >
> > > If something like this could be considered it would be greatly
> > > appreciated. And many thanks for continuing the hard work on an
> > > excellent piece of software!
> > >
> > > - jeremy
> > >
> > > // Jeremy Hinton                                            VisiNet
> > > // jgh at visi.net                                         NOC Manager
> > > // I've wrestled with reality for 35 years, doctor,
> > > // and I'm happy to state I finally won out over it. -Elwood P Dowd
> >
> > // Jeremy Hinton                                            VisiNet
> > // jgh at visi.net                                         NOC Manager
> > // I've wrestled with reality for 35 years, doctor,
> > // and I'm happy to state I finally won out over it. -Elwood P Dowd
> >
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc
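As an added example (not Radiator's code and not the patch above), this Perl shows a safer shape for the expansion the thread describes: the DN returned by the search is trusted, but anything taken from the RADIUS request is escaped per RFC 4514 before it lands in the bind DN, and an empty DN or password is refused before any bind is attempted. The function names and the set of %-specials handled are this example's own assumptions; Radiator's Radius::Util::format_special is not called.

```perl
# Added example, not Radiator code: expand an AuthCheckDN-style template
# as the thread describes, escaping request-derived values (RFC 4514)
# before they are spliced into the bind DN, and refusing to bind on empty
# results. Function names and the handled %-specials are assumptions here.
use strict;
use warnings;

# Escape one attribute value for use inside a DN (RFC 4514, section 2.4).
# Metacharacters are escaped first so the leading/trailing rules see raw chars.
sub escape_dn_value {
    my ($v) = @_;
    $v =~ s/([\\,+"<>;=])/\\$1/g;   # metacharacters anywhere in the value
    $v =~ s/^([# ])/\\$1/;          # leading '#' or space
    $v =~ s/( )$/\\$1/;             # trailing space
    $v =~ s/\x00/\\00/g;            # NUL must be hex-escaped
    return $v;
}

# Supported specials:  %0 = DN returned by the LDAP search (trusted, as in
# the committed change), %U/%R = user and realm part of User-Name, %u = the
# whole User-Name (all request-derived, so escaped), %% = literal percent.
sub expand_auth_check_dn {
    my ($template, $search_dn, $user_name) = @_;
    my ($user, $realm) = split /\@/, $user_name, 2;
    $user  = '' unless defined $user;
    $realm = '' unless defined $realm;
    my %sub = (
        '0' => $search_dn,
        'U' => escape_dn_value($user),
        'R' => escape_dn_value($realm),
        'u' => escape_dn_value($user_name),
        '%' => '%',
    );
    (my $dn = $template) =~ s/%([0URu%])/$sub{$1}/g;
    return $dn;
}

# An empty DN or an empty password must never reach the server: a DN with
# an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2)
# that some servers report as success.
sub bind_dn_ok {
    my ($dn, $password) = @_;
    return (defined $dn && length $dn && defined $password && length $password) ? 1 : 0;
}

# Constructed sample values mirroring the CommuniGate case in the thread.
print expand_auth_check_dn('mail=%U@%R', 'uid=jeremy,ou=people,dc=example', 'jeremy@visi.net'), "\n";
print expand_auth_check_dn('mail=%U@%R', 'uid=x', 'jeremy,ou=admins@visi.net'), "\n";
print bind_dn_ok('mail=jeremy@visi.net', ''), "\n";
```

The second print shows a User-Name carrying a comma and an equals sign coming out as `mail=jeremy\,ou\=admins@visi.net`, so the bind still targets a single escaped value rather than a rewritten DN.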
