Theparanoidone Theparanoidone wrote:
> We are working on a patch.

Good, thanks.
> We're of the opinion that Apple's version rlm_mschap / opendir included
> with freeradius is missing something.
>
> It appears they were only considering someone entering a failed
> login/password combo... not a user with a password reset or an expired
> password. Here is the line from opendir.c:

Pretty much, yes. Expired passwords or password resets are "failed logins", just like incorrect passwords.

> ======
> if (status != eDSNoErr)
> {
>     errno = EACCES;
>     radlog(L_ERR, "rlm_mschap: authentication failed %d", status); /* <-- returns -14091 (eDSAuthMethodNotSupported) -14090 */
>     return RLM_MODULE_REJECT;
> }
> ======
>
> The comment provided makes it seem like they only expected error -14090...

So? It's a comment. It doesn't affect the way that the code operates.

> -14090: eDSAuthFailed
> 0: eDSNoErr
>
> But what about?
>
> -14161: eDSAuthNewPasswordRequired
> -14162: eDSAuthPasswordExpired

They all fall into the same class: failed authentication.

> Possible solutions:
> ---------------------------
> Solution 1) Edit the opendir.c module to simply detect error status -14161 and
> -14162... and simply set the status to 0 instead.

Absolutely not. Expired passwords are *not* OK.

> Solution 2) Try and rig up something in Post-Auth-Type REJECT {...} to override
> the failed login and force the response to Auth-Accept. Perhaps, some pseudo
> conf code that says if reject-message == -14162 || reject-message == -14161 ...
> then "ok update auth-type := accept

No. That's just as bad.

> (PS... looks like this has been an issue for a while??? we are new to
> freeradius... but I found your post here:
>
> http://www.opensubscriber.com/message/freeradius-de...@lists.freeradius.org/5906511.html
> from 3 years ago ... are we the only few interested in port security and a
> password policy?)

Nonsense. That is not a good conclusion.

The real reason is that very few people do password changes via MS-CHAP. Most people do it via Active Directory, LDAP, web pages, etc.
Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
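As an added illustration of the point made in this reply (not code from FreeRADIUS, from Apple's opendir module, or from either poster), the following C function classifies the Open Directory status codes quoted in the thread. It keeps every non-zero status as a reject, exactly as the reply insists, but carries a distinct reason and a "password change required" flag so the log line tells an operator whether a reject was a bad password, an expired password or a pending reset. The eDS* values are the numbers quoted above; the module return codes are a local stand-in for FreeRADIUS's own enum, and the user name and log format are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Open Directory status codes as quoted in the thread (values assumed from the post). */
#define eDSNoErr                      0
#define eDSAuthFailed              (-14090)
#define eDSAuthNewPasswordRequired (-14161)
#define eDSAuthPasswordExpired     (-14162)

/* Local stand-in for the module return codes; not FreeRADIUS's own enum. */
typedef enum { MODULE_OK = 0, MODULE_REJECT = 1 } module_rcode_t;

typedef struct {
    module_rcode_t rcode;       /* what the module hands back to the server core */
    const char *reason;         /* human-readable reason for the log line */
    int needs_password_change;  /* 1 when the account exists but the password must change */
} auth_result_t;

/* Every status other than eDSNoErr is a failed authentication; only the
 * diagnostic detail differs. */
auth_result_t classify_ds_status(int status)
{
    auth_result_t r = { MODULE_REJECT, "authentication failed", 0 };

    switch (status) {
    case eDSNoErr:
        r.rcode = MODULE_OK;
        r.reason = "ok";
        break;
    case eDSAuthFailed:
        r.reason = "bad username or password";
        break;
    case eDSAuthNewPasswordRequired:
        r.reason = "password reset pending, user must change password";
        r.needs_password_change = 1;
        break;
    case eDSAuthPasswordExpired:
        r.reason = "password expired, user must change password";
        r.needs_password_change = 1;
        break;
    default:
        /* Anything unexpected (e.g. -14091 eDSAuthMethodNotSupported, mentioned in the
         * quoted comment) stays rejected; the raw code is printed by the caller. */
        r.reason = "directory returned an unexpected status";
        break;
    }
    return r;
}

/* Builds the log line the module would emit; returns the number of characters written. */
int format_auth_log(char *buf, size_t len, const char *user, int status)
{
    auth_result_t r = classify_ds_status(status);
    return snprintf(buf, len, "rlm_mschap: user '%s': %s (%s, ds status %d)",
                    user, r.rcode == MODULE_OK ? "accept" : "reject",
                    r.reason, status);
}

int main(void)
{
    /* Constructed sample: one line per status code discussed in the thread. */
    int codes[] = { eDSNoErr, eDSAuthFailed, eDSAuthNewPasswordRequired,
                    eDSAuthPasswordExpired, -14091 };
    char line[160];

    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        format_auth_log(line, sizeof line, "example-user", codes[i]);
        puts(line);
    }
    return 0;
}
```

The design choice is the one the reply argues for: the decision (reject) never depends on which failure it was, so there is no path by which an expired or reset password becomes an Auth-Accept; only the audit detail is enriched.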