git.ipfire.org Git - thirdparty/freeradius-server.git/commit

Allow authentication retry in winbind

A setup with the following properties:

  * Active Directory backend
  * FreeRadius with eap-inner-proxy
  * Windows client with single sign-on
  * User using different casing in username than in backend

may result in failing connections. It looks like Windows reads the
correct username from the domain server once it has logged in, and uses
that to create the MS-CHAP2-Response attribute. The User-Name attribute
is still the one with the incorrect casing, causing the authentication
to fail.

The introduced config option kicks in after a failed authentication: it
reads the correct username from the backend, tries another
authentication, and uses the found User-Name to calculate
MS-CHAP2-Response if the second authentication works.

author	Herwin Weststrate <herwin@quarantainenet.nl>
	Wed, 9 Nov 2016 09:29:08 +0000 (10:29 +0100)
committer	Herwin Weststrate <herwin@quarantainenet.nl>
	Tue, 20 Dec 2016 11:22:34 +0000 (12:22 +0100)
commit	9f63a6a6e799ae343d71c4510808990cb32923a1
tree	4c7113098be2db7cd8497dfb1893ae7e74fdbc10	tree \| snapshot
parent	b8104730399a9be90c03fdc8c70400b8d871510d	commit \| diff

raddb/mods-available/mschap		diff \| blob \| blame \| history
src/modules/rlm_mschap/auth_wbclient.c		diff \| blob \| blame \| history
src/modules/rlm_mschap/rlm_mschap.c		diff \| blob \| blame \| history
src/modules/rlm_mschap/rlm_mschap.h		diff \| blob \| blame \| history