[RADIATOR] Mangling the User-Password between AuthBy clauses
Hugh Irvine
hugh at open.com.au
Tue Oct 2 05:54:06 UTC 2018
Hello Martin -
You will need to do something more like this:
<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy FILE>
        # The filename defaults to %D/users
        Filename %D/users
    </AuthBy>
    <AuthBy RADIUS>
        Host localhost
        Secret mysecret
        ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
            $p->{DecodedPassword} = "P"; }
    </AuthBy>
    # Log accounting to the detail file in LogDir
    AcctLogFileName %L/detail
</Handler>
You can't just change the "User-Password"; you need to change "$p->{DecodedPassword}".
hope that helps
regards
Hugh
> On 2 Oct 2018, at 01:37, Martin Burton <mvb at sanger.ac.uk> wrote:
>
> Hi All,
>
> I'm attempting to set up multi-factor authentication for a service here
> at Sanger using our LDAP for checking passwords and then proxying off to
> a Gemalto Safenet radius server to initiate a Push OTP to the user's mobile.
>
> For this to work, I need to have the user's User-Password be their real
> password for the first check against LDAP, and then replace it with the
> single letter "P" for the subsequent proxied request to the Gemalto server.
>
> The following works for the LDAP case:
>
> <AuthBy LDAP2>
> Identifier Sanger-LDAP
> UseTLS
> SSLVerify none
> Host ***************
> BaseDN ***************
> UsernameAttr uid
> PasswordAttr userPassword
> ServerChecksPassword
> </AuthBy>
>
> <Handler>
> RewriteUsername s/^([^@]+).*/$1/
> AuthBy Sanger-LDAP
> </Handler>
>
> and the following works for the Gemalto Safenet case (i.e any
> User-Password gets rewritten to "P" to trigger a push to the user's phone)
>
> <AuthBy RADIUS>
> Identifier Safenet
> NoForwardAccounting
> RetryTimeout 60
> Retries 1
>
> ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
> $fp->change_attr('User-Password', "P"); }
>
> Secret **********
> <Host **********>
> AuthPort 1812
> </Host>
> <Host **********>
> AuthPort 1812
> </Host>
> </AuthBy>
>
> <Handler>
> RewriteUsername s/^([^@]+).*/$1/
> AuthBy Safenet
> </Handler>
>
>
> However, if I try to combine those two with:
>
> <Handler>
> RewriteUsername s/^([^@]+).*/$1/
> AuthByPolicy ContinueUntilReject
> AuthBy Sanger-LDAP
> AuthBy Safenet
> </Handler>
>
> Then the User-Password does not get rewritten before being proxied to
> the Safenet Radius servers.
>
> Is there something I'm missing, or a better way to accomplish what I'm
> trying to achieve here?
>
>
> Best Regards,
>
> Martin.
>
> --
> Martin Burton
> Principal Systems Administrator
> Infrastructure Team
> Wellcome Sanger Institute
> t: +44 (0)1223 496945 http://www.sanger.ac.uk
> Extreme Networks Specialist: a1780000003uG1BAAU
>
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
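For reference, the two halves put together as one working configuration. This is an added example, not the configuration of either poster: it takes the AuthBy clauses from the original post and swaps the change_attr call for the DecodedPassword hook from the reply. The host, secret and BaseDN values are placeholders, and the Identifier names are reused from the original post.

```text
<AuthBy LDAP2>
    Identifier Sanger-LDAP
    UseTLS
    # placeholder: verify the LDAP server certificate in production (see note below)
    SSLVerify none
    # placeholder host and base DN
    Host ldap.example.org
    BaseDN ou=people,dc=example,dc=org
    UsernameAttr uid
    PasswordAttr userPassword
    ServerChecksPassword
</AuthBy>

<AuthBy RADIUS>
    Identifier Safenet
    NoForwardAccounting
    RetryTimeout 60
    Retries 1
    # placeholder shared secret and OTP server addresses
    Secret changeme
    <Host 192.0.2.10>
        AuthPort 1812
    </Host>
    <Host 192.0.2.11>
        AuthPort 1812
    </Host>
    # Replace the decoded password, not the User-Password attribute on the
    # forwarded copy: the forwarded packet is built from DecodedPassword.
    ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
        $p->{DecodedPassword} = "P"; }
</AuthBy>

<Handler>
    RewriteUsername s/^([^@]+).*/$1/
    # ContinueWhileAccept only reaches the Safenet proxy after LDAP has
    # accepted the real password, so a wrong password never triggers a push.
    AuthByPolicy ContinueWhileAccept
    AuthBy Sanger-LDAP
    AuthBy Safenet
</Handler>
```

Two points worth checking once this is in place. The order of the AuthBy lines matters: the LDAP check must run first, because the hook overwrites the decoded password with "P" and any AuthBy that runs after it will see the placeholder rather than the user's real password. And `SSLVerify none` disables verification of the LDAP server's certificate, so the first factor is being checked over a TLS session whose peer is not authenticated; for a production deployment set `SSLVerify require` with an `SSLCAFile` pointing at the CA that issued the LDAP server certificate.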