Hi All,

I'm attempting to set up multi-factor authentication for a service here
at Sanger using our LDAP for checking passwords and then proxying off to
a Gemalto Safenet radius server to initiate a Push OTP to the user's mobile.

For this to work, I need to have the user's User-Password be their real
password for the first check against LDAP, and then replace it with the
single letter "P" for the subsequent proxied request to the Gemalto server.

The following works for the LDAP case:

<AuthBy LDAP2>
                Identifier Sanger-LDAP
                UseTLS
                SSLVerify none
                Host ***************
                BaseDN ***************
                UsernameAttr uid
                PasswordAttr userPassword
                ServerChecksPassword
</AuthBy>

<Handler>
        RewriteUsername s/^([^@]+).*/$1/
        AuthBy Sanger-LDAP
</Handler>

and the following works for the Gemalto Safenet case (i.e. any
User-Password gets rewritten to "P" to trigger a push to the user's phone):

<AuthBy RADIUS>
                Identifier Safenet
                NoForwardAccounting
                RetryTimeout 60
                Retries 1

                ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
                        $fp->change_attr('User-Password', "P"); }

                Secret **********
                <Host **********>
                        AuthPort 1812
                </Host>
                <Host **********>
                        AuthPort 1812
                </Host>
</AuthBy>

<Handler>
        RewriteUsername s/^([^@]+).*/$1/
        AuthBy Safenet
</Handler>


However, if I try to combine those two with:

<Handler>
        RewriteUsername s/^([^@]+).*/$1/
        AuthByPolicy ContinueUntilReject
        AuthBy Sanger-LDAP
        AuthBy Safenet
</Handler>

Then the User-Password does not get rewritten before being proxied to
the Safenet Radius servers.

Is there something I'm missing, or a better way to accomplish what I'm
trying to achieve here?


Best Regards,

Martin.

-- 
Martin Burton
Principal Systems Administrator            \\\|||///
Infrastructure Team                       \\  ^ ^  //
Wellcome Sanger Institute                  (  6 6  )
-----------------------------------------oOOo-(_)-oOOo---
t: +44 (0)1223 496945             http://www.sanger.ac.uk
Extreme Networks Specialist:      a1780000003uG1BAAU


_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
