Thanks a lot, guys. I am on vacation until Monday, but am very tempted to login to work and give this a try......nah, it can wait until Monday :).
Thanks again for you efforts. John > -----Original Message----- > From: freeradius-users- > bounces+john.kane=prodeasystems....@lists.freeradius.org > [mailto:freeradius-users- > bounces+john.kane=prodeasystems....@lists.freeradius.org] On Behalf Of > Arran Cudbard-Bell > Sent: Thursday, June 25, 2009 9:21 AM > To: FreeRadius users mailing list > Subject: Re: Old password 'grace period' > > On 25/6/09 14:53, Arran Cudbard-Bell wrote: > > On 25/6/09 12:01, a.l.m.bu...@lboro.ac.uk wrote: > >> Hi, > >> > >>> I leave you guys alone for 5 minutes.... > >> > >> 8-) as i said, theres probably a way of doing it > > > > *sigh* the Coffee excuse doesn't work past lunch time does it... > (missed out some curly braces) > > instantiate { > sql_old > } > > authorize { > # Retrieves credentials > sql_new > # Sets auth-type mschap > mschap > } > > authenticate { > Auth-Type MS-CHAP { > mschap { > reject = 2 > } > if(reject){ > # Could alternatively write the value of a custom > attribute into Cleartext-password > # if both old and new passwords were returned in the > call to sql* in authorize. > update control { > Cleartext-Password := > "%{sql_old:SELECT<cleartext password query...>}" > } > # Stop users logging in with null password (if > there's no 'old' password set) > if("%{control:Cleartext-Password}" == ''){ > reject > } > # Remove stale password hashes created on first call > to rlm_mschap > update control { > NT-Password -= "%{control:NT-Password}" > LM-Password -= "%{control:LM-Password}" > } > mschap > } > } > } > > -- > Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk), > Authentication, Authorisation and Accounting Officer, > Infrastructure Services (IT Services), > E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT > DDI+FAX: +44 1273 873900 | INT: 3900 > GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html This message is confidential to Prodea Systems, Inc unless otherwise indicated or apparent from its nature. This message is directed to the intended recipient only, who may be readily determined by the sender of this message and its contents. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient:(a)any dissemination or copying of this message is strictly prohibited; and(b)immediately notify the sender by return message and destroy any copies of this message in any form(electronic, paper or otherwise) that you have.The delivery of this message and its information is neither intended to be nor constitutes a disclosure or waiver of any trade secrets, intellectual property, attorney work product, or attorney-client communications. The authority of the individual sending this message to legally bind Prodea Systems is neither apparent nor implied,and must be independently verified. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
