Hello Martin -
You will need to do something more like this:
<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy FILE>
        # The filename defaults to %D/users
        Filename %D/users
    </AuthBy>
    <AuthBy RADIUS>
        Host localhost
        Secret mysecret
        ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
            $p->{DecodedPassword} = "P"; }
    </AuthBy>
    # Log accounting to the detail file in LogDir
    AcctLogFileName %L/detail
</Handler>
You can't just change the "User-Password"; you need to change
"$p->{DecodedPassword}".
Hope that helps.
Regards,
Hugh
> On 2 Oct 2018, at 01:37, Martin Burton <[email protected]> wrote:
>
> Hi All,
>
> I'm attempting to set up multi-factor authentication for a service here
> at Sanger using our LDAP for checking passwords and then proxying off to
> a Gemalto Safenet radius server to initiate a Push OTP to the user's mobile.
>
> For this to work, I need to have the user's User-Password be their real
> password for the first check against LDAP, and then replace it with the
> single letter "P" for the subsequent proxied request to the Gemalto server.
>
> The following works for the LDAP case:
>
> <AuthBy LDAP2>
>     Identifier Sanger-LDAP
>     UseTLS
>     SSLVerify none
>     Host ***************
>     BaseDN ***************
>     UsernameAttr uid
>     PasswordAttr userPassword
>     ServerChecksPassword
> </AuthBy>
>
> <Handler>
>     RewriteUsername s/^([^@]+).*/$1/
>     AuthBy Sanger-LDAP
> </Handler>
>
> and the following works for the Gemalto Safenet case (i.e. any
> User-Password gets rewritten to "P" to trigger a push to the user's phone):
>
> <AuthBy RADIUS>
>     Identifier Safenet
>     NoForwardAccounting
>     RetryTimeout 60
>     Retries 1
>
>     ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
>         $fp->change_attr('User-Password', "P"); }
>
>     Secret **********
>     <Host **********>
>         AuthPort 1812
>     </Host>
>     <Host **********>
>         AuthPort 1812
>     </Host>
> </AuthBy>
>
> <Handler>
>     RewriteUsername s/^([^@]+).*/$1/
>     AuthBy Safenet
> </Handler>
>
>
> However, if I try to combine those two with:
>
> <Handler>
>     RewriteUsername s/^([^@]+).*/$1/
>     AuthByPolicy ContinueUntilReject
>     AuthBy Sanger-LDAP
>     AuthBy Safenet
> </Handler>
>
> Then the User-Password does not get rewritten before being proxied to
> the Safenet Radius servers.
>
> Is there something I'm missing, or a better way to accomplish what I'm
> trying to achieve here?
>
>
> Best Regards,
>
> Martin.
>
> --
> Martin Burton
> Principal Systems Administrator
> Infrastructure Team
> Wellcome Sanger Institute
> t: +44 (0)1223 496945 http://www.sanger.ac.uk
> Extreme Networks Specialist: a1780000003uG1BAAU
>
> _______________________________________________
> radiator mailing list
> [email protected]
> https://lists.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
[email protected]
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.