[RADIATOR] Mangling the User-Password between AuthBy clauses

Martin Burton mvb at sanger.ac.uk
Tue Oct 2 10:13:24 UTC 2018


Thank you Hugh, that did the trick perfectly!

Martin.


On 02/10/18 06:54, Hugh Irvine wrote:
> 
> Hello Martin -
> 
> You will need to do something more like this:
> 
> 
> 
> <Handler>
>         AuthByPolicy ContinueWhileAccept
>         <AuthBy FILE>
>                 # The filename defaults to %D/users
>                 Filename %D/users
>         </AuthBy>
>         <AuthBy RADIUS>
>                 Host localhost
>                 Secret mysecret
>                 ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
>                        $p->{DecodedPassword} = "P"; }
>         </AuthBy>
>         # Log accounting to the detail file in LogDir
>         AcctLogFileName %L/detail
> </Handler>
> 
> 
> 
> You can’t just change the “User-Password”, you need to change “$p->{DecodedPassword}”.
> 
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
>> On 2 Oct 2018, at 01:37, Martin Burton <mvb at sanger.ac.uk> wrote:
>>
>> Hi All,
>>
>> I'm attempting to set up multi-factor authentication for a service here
>> at Sanger using our LDAP for checking passwords and then proxying off to
>> a Gemalto Safenet radius server to initiate a Push OTP to the user's mobile.
>>
>> For this to work, I need to have the user's User-Password be their real
>> password for the first check against LDAP, and then replace it with the
>> single letter "P" for the subsequent proxied request to the Gemalto server.
>>
>> The following works for the LDAP case:
>>
>> <AuthBy LDAP2>
>>                Identifier Sanger-LDAP
>>                UseTLS
>>                SSLVerify none
>>                Host ***************
>>                BaseDN ***************
>>                UsernameAttr uid
>>                PasswordAttr userPassword
>>                ServerChecksPassword
>> </AuthBy>
>>
>> <Handler>
>>        RewriteUsername s/^([^@]+).*/$1/
>>        AuthBy Sanger-LDAP
>> </Handler>
>>
>> and the following works for the Gemalto Safenet case (i.e. any
>> User-Password gets rewritten to "P" to trigger a push to the user's phone)
>>
>> <AuthBy RADIUS>
>>                Identifier Safenet
>>                NoForwardAccounting
>>                RetryTimeout 60
>>                Retries 1
>>
>>                ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
>>                        $fp->change_attr('User-Password', "P"); }
>>
>>                Secret **********
>>                <Host **********>
>>                        AuthPort 1812
>>                </Host>
>>                <Host **********>
>>                        AuthPort 1812
>>                </Host>
>> </AuthBy>
>>
>> <Handler>
>>        RewriteUsername s/^([^@]+).*/$1/
>>        AuthBy Safenet
>> </Handler>
>>
>>
>> However, if I try to combine those two with:
>>
>> <Handler>
>>        RewriteUsername s/^([^@]+).*/$1/
>>        AuthByPolicy ContinueUntilReject
>>        AuthBy Sanger-LDAP
>>        AuthBy Safenet
>> </Handler>
>>
>> Then the User-Password does not get rewritten before being proxied to
>> the Safenet Radius servers.
>>
>> Is there something I'm missing, or a better way to accomplish what I'm
>> trying to achieve here?
>>
>>
>> Best Regards,
>>
>> Martin.
>>
>> -- 
>> Martin Burton
>> Principal Systems Administrator            \\\|||///
>> Infrastructure Team                       \\  ^ ^  //
>> Wellcome Sanger Institute                  (  6 6  )
>> -----------------------------------------oOOo-(_)-oOOo---
>> t: +44 (0)1223 496945             http://www.sanger.ac.uk
>> Extreme Networks Specialist:      a1780000003uG1BAAU
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at lists.open.com.au
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.open.com.au_mailman_listinfo_radiator&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=Pmm7Evpg3H5MI4_C7ltAOg&m=uTRNa5onOSD543P8_O9IhTwJNGcZQB5U3mPzCLZz1ZQ&s=E78np73x4SAxDcxus3R9Nb_iUGeURo0_pcXGRDeZlGw&e=
> 
> 
> --
> 
> Hugh Irvine
> hugh at open.com.au
> 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc. 
> Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
> 

-- 
Martin Burton
Principal Systems Administrator            \\\|||///
Infrastructure Team                       \\  ^ ^  //
Wellcome Sanger Institute                  (  6 6  )
-----------------------------------------oOOo-(_)-oOOo---
t: +44 (0)1223 496945             http://www.sanger.ac.uk
Extreme Networks Specialist:      a1780000003uG1BAAU
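The same substitution that Hugh's reply makes, written out as a file-based ForwardHook, as an added example that is not part of the thread and not Radiator's own code. It assumes Radiator's documented hook convention (the file holds one anonymous sub; `$_[0]` is the inbound request, `$_[1]` the packet about to be forwarded, loaded with `ForwardHook file:"%D/push_hook.pl"`), the standard dictionary attribute names `CHAP-Password` and `MS-CHAP-Challenge`, and the `&main::log` / `getUserName` calls commonly used in Radiator hooks; the `push_hook.pl` name and the log text are this example's own. It adds one thing the thread's one-liner does not: it leaves CHAP and MS-CHAP requests alone, since those carry a hash rather than a decodable password, and it never writes the real password to the log.

```perl
# push_hook.pl -- example ForwardHook (added here, not from the thread or Radiator)
# Referenced from the proxying AuthBy as:
#     ForwardHook file:"%D/push_hook.pl"
sub {
    my ($p, $fp) = @_;   # $p: inbound request, $fp: packet being forwarded

    # The OTP push server only needs a fixed placeholder. The user's real
    # password was already verified by the LDAP AuthBy and must not be sent on.
    my $placeholder = 'P';

    # CHAP / MS-CHAP requests carry a challenge response, not a password,
    # so there is nothing sensible to substitute: forward untouched and say so.
    if (defined $p->get_attr('CHAP-Password')
        || defined $p->get_attr('MS-CHAP-Challenge')) {
        &main::log($main::LOG_WARNING,
            'push_hook: non-PAP request for ' . $p->getUserName()
            . ', User-Password not replaced');
        return;
    }

    # AuthBy RADIUS re-encrypts the forwarded User-Password from
    # $p->{DecodedPassword} (as Hugh's reply says), so this is the field to
    # change. Calling change_attr('User-Password', ...) on $fp is not enough,
    # because the attribute is rebuilt from DecodedPassword when the packet
    # is encoded for the upstream server.
    $p->{DecodedPassword} = $placeholder;

    # Log the event, never the password value itself.
    &main::log($main::LOG_DEBUG,
        'push_hook: replaced User-Password with placeholder for '
        . $p->getUserName() . ' before proxying');
    return;
}
```

Note that the hook does not need to check whether the LDAP step succeeded: with `AuthByPolicy ContinueWhileAccept`, as in Hugh's Handler, the `AuthBy RADIUS` clause is only reached after the preceding AuthBy accepted, so a wrong LDAP password never triggers a push to the user's phone. `ContinueUntilReject`, as in the original Handler, would also continue on an IGNORE result, which is a weaker condition for a second factor.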
