Hi All,

I'm attempting to set up multi-factor authentication for a service here at Sanger using our LDAP for checking passwords and then proxying off to a Gemalto Safenet radius server to initiate a Push OTP to the user's mobile.

For this to work, I need to have the user's User-Password be their real password for the first check against LDAP, and then replace it with the single letter "P" for the subsequent proxied request to the Gemalto server.

The following works for the LDAP case:

    <AuthBy LDAP2>
        Identifier Sanger-LDAP
        UseTLS
        SSLVerify none
        Host ***************
        BaseDN ***************
        UsernameAttr uid
        PasswordAttr userPassword
        ServerChecksPassword
    </AuthBy>

    <Handler>
        RewriteUsername s/^([^@]+).*/$1/
        AuthBy Sanger-LDAP
    </Handler>

and the following works for the Gemalto Safenet case (i.e. any User-Password gets rewritten to "P" to trigger a push to the user's phone):

    <AuthBy RADIUS>
        Identifier Safenet
        NoForwardAccounting
        RetryTimeout 60
        Retries 1
        ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
            $fp->change_attr('User-Password', "P"); }
        Secret **********
        <Host **********>
            AuthPort 1812
        </Host>
        <Host **********>
            AuthPort 1812
        </Host>
    </AuthBy>

    <Handler>
        RewriteUsername s/^([^@]+).*/$1/
        AuthBy Safenet
    </Handler>

However, if I try to combine those two with:

    <Handler>
        RewriteUsername s/^([^@]+).*/$1/
        AuthByPolicy ContinueUntilReject
        AuthBy Sanger-LDAP
        AuthBy Safenet
    </Handler>

then the User-Password does not get rewritten before being proxied to the Safenet Radius servers.

Is there something I'm missing, or a better way to accomplish what I'm trying to achieve here?

Best Regards,
Martin.

-- 
Martin Burton
Principal Systems Administrator
Infrastructure Team
Wellcome Sanger Institute
t: +44 (0)1223 496945
http://www.sanger.ac.uk
Extreme Networks Specialist: a1780000003uG1BAAU
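The intended behaviour of the combined Handler, written out as a small model so the invariants can be tested. This is an added illustration, not Radiator code and not from the poster: a Handler with AuthByPolicy ContinueUntilReject, a first AuthBy standing in for AuthBy LDAP2 (ServerChecksPassword), and a second standing in for AuthBy RADIUS whose ForwardHook sets User-Password to "P" on the forwarded copy only. The user directory, the accept rule of the push server, and all function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT = "Access-Accept", "Access-Reject"

# Constructed stand-in for the LDAP directory behind the first AuthBy (assumption).
DIRECTORY = {"mburton": "correct-horse-battery"}

# Value the push-OTP server expects in User-Password to trigger a push (from the post).
PUSH_TRIGGER = "P"


@dataclass
class Packet:
    """Minimal RADIUS request: an attribute dictionary with Radiator-like accessors."""
    attrs: Dict[str, str]

    def get_attr(self, name: str):
        return self.attrs.get(name)

    def change_attr(self, name: str, value: str) -> None:
        self.attrs[name] = value

    def copy(self) -> "Packet":
        return Packet(dict(self.attrs))


def rewrite_username(name: str) -> str:
    """RewriteUsername s/^([^@]+).*/$1/ : keep only the part before any '@'."""
    return re.sub(r"^([^@]+).*", r"\1", name)


def authby_ldap(p: Packet) -> str:
    """Stand-in for AuthBy LDAP2 with ServerChecksPassword: the directory checks the password."""
    expected = DIRECTORY.get(p.get_attr("User-Name"))
    if expected is not None and expected == p.get_attr("User-Password"):
        return ACCEPT
    return REJECT


@dataclass
class AuthByRadius:
    """Stand-in for AuthBy RADIUS: build a forwarded copy, run the ForwardHook, 'send' it."""
    forward_hook: Callable[[Packet, Packet], None]
    sent: List[Packet] = field(default_factory=list)  # what the push server would receive

    def __call__(self, p: Packet) -> str:
        fp = p.copy()              # forwarded packet, distinct from the original request
        self.forward_hook(p, fp)   # hook edits fp only, mirroring the posted Perl hook
        self.sent.append(fp)
        # assumption: the remote server accepts when it sees the trigger value
        return ACCEPT if fp.get_attr("User-Password") == PUSH_TRIGGER else REJECT


def forward_hook(p: Packet, fp: Packet) -> None:
    """Python equivalent of: $fp->change_attr('User-Password', "P")."""
    fp.change_attr("User-Password", PUSH_TRIGGER)


def continue_until_reject(authbys, p: Packet) -> str:
    """AuthByPolicy ContinueUntilReject: run AuthBys in order, stop at the first reject."""
    result = REJECT
    for authby in authbys:
        result = authby(p)
        if result == REJECT:
            break
    return result


def handle(user_name: str, password: str) -> Tuple[str, List[Packet], Packet]:
    """Run the combined Handler; return (result, packets forwarded, original request)."""
    p = Packet({"User-Name": rewrite_username(user_name), "User-Password": password})
    proxy = AuthByRadius(forward_hook)
    result = continue_until_reject([authby_ldap, proxy], p)
    return result, proxy.sent, p


def password_leaked(sent: List[Packet], real_password: str) -> bool:
    """Invariant to check: the real password must never be forwarded to the push server."""
    return any(fp.get_attr("User-Password") == real_password for fp in sent)


if __name__ == "__main__":
    result, sent, p = handle("mburton@sanger.ac.uk", "correct-horse-battery")
    print(result, [fp.attrs for fp in sent], p.attrs)
    result, sent, p = handle("mburton@sanger.ac.uk", "wrong")
    print(result, len(sent))
```

Two things the model makes explicit. First, because the password check runs before the proxy under ContinueUntilReject, a wrong password never reaches the push server, so an attacker who only knows a username cannot flood the user's phone with push prompts. Second, `password_leaked` is the check to run against reality, not the model: if the combined configuration behaves as described in the post, a packet capture between Radiator and the Safenet hosts, or Radiator's own debug trace, is where to confirm whether the real password or "P" is actually on the wire.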
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator