[RADIATOR] Mangling the User-Password between AuthBy clauses
Martin Burton
mvb at sanger.ac.uk
Mon Oct 1 15:37:33 UTC 2018
Hi All,
I'm attempting to set up multi-factor authentication for a service here
at Sanger using our LDAP for checking passwords and then proxying off to
a Gemalto Safenet radius server to initiate a Push OTP to the user's mobile.
For this to work, I need to have the user's User-Password be their real
password for the first check against LDAP, and then replace it with the
single letter "P" for the subsequent proxied request to the Gemalto server.
The following works for the LDAP case:
<AuthBy LDAP2>
        Identifier Sanger-LDAP
        UseTLS
        SSLVerify none
        Host ***************
        BaseDN ***************
        UsernameAttr uid
        PasswordAttr userPassword
        ServerChecksPassword
</AuthBy>

<Handler>
        RewriteUsername s/^([^@]+).*/$1/
        AuthBy Sanger-LDAP
</Handler>
and the following works for the Gemalto Safenet case (i.e. any
User-Password gets rewritten to "P" to trigger a push to the user's phone):

<AuthBy RADIUS>
        Identifier Safenet
        NoForwardAccounting
        RetryTimeout 60
        Retries 1
        ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
                          $fp->change_attr('User-Password', "P"); }
        Secret **********
        <Host **********>
                AuthPort 1812
        </Host>
        <Host **********>
                AuthPort 1812
        </Host>
</AuthBy>

<Handler>
        RewriteUsername s/^([^@]+).*/$1/
        AuthBy Safenet
</Handler>
However, if I try to combine those two with:

<Handler>
        RewriteUsername s/^([^@]+).*/$1/
        AuthByPolicy ContinueUntilReject
        AuthBy Sanger-LDAP
        AuthBy Safenet
</Handler>

then the User-Password does not get rewritten before being proxied to
the Safenet RADIUS servers.
Is there something I'm missing, or a better way to accomplish what I'm
trying to achieve here?
Best Regards,
Martin.
--
Martin Burton
Principal Systems Administrator
Infrastructure Team
Wellcome Sanger Institute
t: +44 (0)1223 496945 http://www.sanger.ac.uk
Extreme Networks Specialist: a1780000003uG1BAAU
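The following Perl script is an added illustration, not part of the post above and not Radiator code. It takes the ForwardHook body from the post verbatim and runs it against a minimal constructed stand-in packet class (FakePacket, which only implements the get_attr/change_attr calls the hook uses, plus a clone helper), so the effect on the original request ($p) versus the forwarded copy ($fp) can be checked offline: the LDAP step sees the real password, and the copy handed to the proxied RADIUS server must carry only the literal "P". It does not model Radiator's AuthByPolicy handling and says nothing about why the combined Handler behaves differently.

```perl
#!/usr/bin/perl
# Added stand-alone illustration (not Radiator's own code): exercises the
# ForwardHook from the post against a constructed stand-in packet object.
use strict;
use warnings;

# Constructed stand-in for the packet object Radiator passes to hooks.
# It supports only get_attr/change_attr (the calls the hook relies on)
# and a clone helper used here to mimic "build a forwarded copy".
package FakePacket;
sub new {
    my ($class, %attrs) = @_;
    return bless { attrs => {%attrs} }, $class;
}
sub get_attr    { my ($self, $name) = @_; return $self->{attrs}{$name}; }
sub change_attr { my ($self, $name, $value) = @_; $self->{attrs}{$name} = $value; return; }
sub clone       { my ($self) = @_; return FakePacket->new(%{ $self->{attrs} }); }

package main;

# The ForwardHook body as written in the post: it rewrites User-Password
# on the forwarded packet $fp only, never on the incoming request $p.
my $forward_hook = sub {
    my $p  = $_[0];
    my $fp = $_[1];
    $fp->change_attr('User-Password', "P");
};

# Constructed sample request (username already shortened by RewriteUsername).
my $request = FakePacket->new(
    'User-Name'     => 'mvb',
    'User-Password' => 'constructed-sample-password',  # constructed value
);

# Step 1: an AuthBy with ServerChecksPassword consults the untouched request.
my $ldap_sees = $request->get_attr('User-Password');

# Step 2: the proxying AuthBy builds a copy and runs the ForwardHook on it.
my $forwarded = $request->clone;
$forward_hook->($request, $forwarded);

printf "Password seen by the LDAP check: %s\n", $ldap_sees;
printf "User-Password in forwarded copy: %s\n", $forwarded->get_attr('User-Password');
printf "User-Password in original:       %s\n", $request->get_attr('User-Password');

# Defender's check: the real password must never leave for the proxied server.
die "real password would be forwarded\n"
    if $forwarded->get_attr('User-Password') ne 'P';
print "OK: forwarded copy carries only the push-trigger value.\n";
```

Run it with `perl forwardhook_check.pl` (file name assumed). The same pattern, a throwaway packet class plus the hook body pasted in, is a convenient way to unit-test any Radiator hook's attribute handling before it is deployed in front of a live LDAP or RADIUS backend.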