Thomas Friemelt <[EMAIL PROTECTED]> wrote:
> I encountered a behaviour of rad_check_password in freeradius 0.3, which I
> don't understand. It is a bit complicated.
> There is a user 'hugo', who has an entry in system's passwd and one entry
> in the radius sql database (with different passwords).

That isn't very well supported right now. You can do it with configurable fail over, but it's a little complicated.

> The user's entry in raddb/users is:
> hugo Auth-Type := System
>      Reply-Message = "Hello, %u"
> It is located before any DEFAULT entries.
>
> Authentication fails when supplying the passwd-password and succeeds
> when supplying the sql database-password. Using the passwd-password, the
> debug output is:
>
> rad_check_password: Found Auth-Type System
> auth: type Crypt

Hmm... it should really say 'Crypt-Local', not 'Crypt'.

> auth: Failed to validate the user.

You're using a Crypt-Password to check the authentication, I guess...

> First of all, the auth_type found by rad_check_password in the
> config_items, is System - as expected. But then, in line 258/259 of auth.c
> auth_type is overwritten with PW_AUTHTYPE_CRYPT, because freeradius finds
> the encrypted password from the sql database in the config_items.

Ah, that's incorrect. It shouldn't be re-setting the Auth-Type that you've defined.

> (The same may happen, when the user has a password, encrypted or
> not, in raddb/users.) Thus in the switch(auth_type) at line 291ff
> the wrong case is selected and the supplied password is checked
> against the sql password.

Yes...

> May there be a misconfiguration, or is this an intended behaviour. (Why?)
> What do I have to do then, to check the supplied password against the
> system password?

The problem is that 'rad_check_password' is trying to be too smart. If you specify an Auth-Type, it shouldn't over-write it. I'll fix it today or tomorrow.

Alan DeKok.
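
Added example, not part of the original message and not FreeRADIUS source: a simplified C model of the Auth-Type selection discussed in this thread, showing the override described above next to a version that keeps an explicitly configured Auth-Type. The enum, struct and function names are hypothetical, and the sample Crypt-Password value is constructed.

```c
#include <stdio.h>

/* Simplified model; these names are hypothetical, not FreeRADIUS constants. */
enum auth_type { AUTH_UNSET = 0, AUTH_LOCAL, AUTH_SYSTEM, AUTH_CRYPT };

/* Check items merged for one request (raddb/users entry plus SQL row). */
struct config_items {
    enum auth_type auth_type;    /* explicit Auth-Type, or AUTH_UNSET */
    const char *crypt_password;  /* Crypt-Password item, or NULL */
};

/* Behaviour reported in the thread: finding a Crypt-Password in the
 * config items replaces whatever Auth-Type the administrator set. */
enum auth_type select_overriding(const struct config_items *c)
{
    enum auth_type t = c->auth_type;
    if (c->crypt_password != NULL)
        t = AUTH_CRYPT;          /* clobbers "Auth-Type := System" */
    else if (t == AUTH_UNSET)
        t = AUTH_LOCAL;
    return t;
}

/* Intended behaviour: password items only pick a default when no
 * Auth-Type was configured for the user. */
enum auth_type select_respecting(const struct config_items *c)
{
    if (c->auth_type != AUTH_UNSET)
        return c->auth_type;
    return c->crypt_password != NULL ? AUTH_CRYPT : AUTH_LOCAL;
}

static const char *auth_name(enum auth_type t)
{
    static const char *names[] = { "unset", "Local", "System", "Crypt" };
    return names[t];
}

int main(void)
{
    /* User 'hugo': Auth-Type := System in users, Crypt-Password from SQL. */
    struct config_items hugo = { AUTH_SYSTEM, "constructed-crypt-hash" };
    printf("overriding: %s\n", auth_name(select_overriding(&hugo)));
    printf("respecting: %s\n", auth_name(select_respecting(&hugo)));
    return 0;
}
```

With the overriding selection the supplied password is compared against the SQL Crypt-Password even though the users file asked for System, which is why the passwd password is rejected.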