-------- Original Message --------
Subject: Re: Old password 'grace period'
Date: Thu, 25 Jun 2009 12:11:07 +0100
From: Arran Cudbard-Bell <a.cudbard-b...@sussex.ac.uk>
Organization: University of Sussex
To: t...@kalik.net

[snip]
I have tested something like this yesterday - it doesn't. You can't just replace Cleartext-Password. NT-Password and LM-Password were created for the "new" password and mschap module will reuse them, completely ignoring "old" Cleartext-Password. They need to be removed or replaced before mschap module is called again.

Ahhh ok... Yes, the code agrees with you :)

    } else if (!password) {
        RDEBUG2("No Cleartext-Password configured. Cannot create LM-Password.");
    } else { /* there is a configured Cleartext-Password */
        lm_password = radius_pairmake(request, &request->config_items,
                                      "LM-Password", "", T_OP_EQ);

Writes the NT-Password and LM-Password values back to the control list of the request.

But seeing as the values are just being stored in the control list of the request, we can remove them using unlang.

    authenticate {
        mschap {
            update control {
                Cleartext-Password := "%{sql_new:SELECT <cleartext password query...>}"
            }
            mschap {
                reject = 2
            }
            if(reject){
                update control {
                    NT-Password -= "%{control:NT-Password}"
                    LM-Password -= "%{control:LM-Password}"
                    Cleartext-Password := "%{sql_old:SELECT <cleartext password query...>}"
                }
                mschap
            }
        }
    }

Thanks,
Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
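
Added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of the behaviour discussed above, showing why swapping Cleartext-Password alone still rejects the old password while removing the cached NT-Password/LM-Password first lets the fallback succeed. SHA-256 and HMAC stand in for the real NT hash and MS-CHAP response, and the function names, dict-based control list and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac

def nt_hash(cleartext):
    # Stand-in for the real NT hash (MD4 over UTF-16LE); SHA-256 is used
    # only so the model runs without legacy OpenSSL digests.
    return hashlib.sha256(cleartext.encode("utf-16-le")).digest()

def client_response(password, challenge):
    # Stand-in for the MS-CHAP response: keyed on the password hash.
    return hmac.new(nt_hash(password), challenge, hashlib.sha256).digest()

def mschap(control, challenge, response):
    """Model of one mschap call against a request's control list (a dict)."""
    if "NT-Password" not in control:
        if "Cleartext-Password" not in control:
            return False
        # Derived once, then written back to the control list.
        control["NT-Password"] = nt_hash(control["Cleartext-Password"])
    expected = hmac.new(control["NT-Password"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def authenticate(new_pw, old_pw, challenge, response, clear_cached):
    """Try the new password first, then the old one as a grace-period fallback."""
    control = {"Cleartext-Password": new_pw}
    if mschap(control, challenge, response):
        return "new"
    if clear_cached:
        # Equivalent of the `-=` updates on NT-Password / LM-Password.
        control.pop("NT-Password", None)
        control.pop("LM-Password", None)
    control["Cleartext-Password"] = old_pw
    return "old" if mschap(control, challenge, response) else "reject"

# Constructed sample values.
CHALLENGE = bytes(range(16))
NEW, OLD = "n3w-passphrase", "0ld-passphrase"

if __name__ == "__main__":
    resp = client_response(OLD, CHALLENGE)
    print("without clearing:", authenticate(NEW, OLD, CHALLENGE, resp, False))
    print("with clearing:   ", authenticate(NEW, OLD, CHALLENGE, resp, True))
```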