Contrib/7357
Notes: fixed in master, fixed in RE24

Date: Sun, 19 Aug 2012 17:57:50 +0000
From: jet@transniaga.co.th
To: openldap-its@OpenLDAP.org
Subject: Pass-through radius auth. with RFC2865

Full_Name: Jetasik Anantakunupakorn
Version: 2.4.32
OS: FreeBSD 9.0-RELEASE amd64
URL: http://www.openldap.org/lists/openldap-technical/201208/msg00172.html
Submission from: (NULL) (58.11.65.20)

Pass-through RADIUS authentication in contrib's passwd module (radius.c) does not include either a NAS-IP or a NAS-Identifier; according to RADIUS RFC 2865, one of these attributes is mandatory in the access request.

The thing is that the previous version of the RADIUS RFC standard (RFC 2138) specified that the access request "SHOULD" contain either a NAS-IP or a NAS-Identifier, but the current version uses "MUST" instead.

Date: Tue, 21 Aug 2012 13:30:54 -0700
From: Howard Chu <hyc@symas.com>
To: jet@transniaga.co.th
CC: openldap-its@openldap.org
Subject: Re: (ITS#7357) Pass-through radius auth. with RFC2865

jet@transniaga.co.th wrote:
> Full_Name: Jetasik Anantakunupakorn
> Version: 2.4.32
> OS: FreeBSD 9.0-RELEASE amd64
> URL: http://www.openldap.org/lists/openldap-technical/201208/msg00172.html
> Submission from: (NULL) (58.11.65.20)
>
>
> Pass-through radius authentication in contrib's passwd module(radius.c) does not
> include either a NAS-IP or a NAS-Identifier, according to radius RFC 2865 one of
> these attributes is mandatory in the access request.
>
> The thing is that the previous version of Radius RFC standard(RFC 2138)
> specified that the access request "SHOULD" contain either a NAS-IP or a
> NAS-Identifier but the current version use "MUST" instead.
>

A patch for this is now in git master, please test.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

From: "JET JETASIK" <jet@transniaga.co.th>
To: "'Howard Chu'" <hyc@symas.com>
Cc: <openldap-its@openldap.org>
Subject: RE: (ITS#7357) Pass-through radius auth. with RFC2865
Date: Wed, 22 Aug 2012 12:39:16 +0700

Howard Chu wrote:
>
> jet@transniaga.co.th wrote:
> > Full_Name: Jetasik Anantakunupakorn
> > Version: 2.4.32
> > OS: FreeBSD 9.0-RELEASE amd64
> > URL:
> > http://www.openldap.org/lists/openldap-technical/201208/msg00172.html
> > Submission from: (NULL) (58.11.65.20)
> >
> >
> > Pass-through radius authentication in contrib's passwd
> > module(radius.c) does not include either a NAS-IP or a NAS-Identifier,
> > according to radius RFC 2865 one of these attributes is mandatory in the
> > access request.
> >
> > The thing is that the previous version of Radius RFC standard(RFC
> > 2138) specified that the access request "SHOULD" contain either a
> > NAS-IP or a NAS-Identifier but the current version use "MUST" instead.
> >
>
> A patch for this is now in git master, please test.
>

Awesome! Thanks a lot. Properly tested with no error.

--
JET JETASIK
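
Added example, not part of this ticket and not the OpenLDAP patch: a conformance check for the RFC 2865 rule discussed in the thread, which walks the attributes of a RADIUS Access-Request and reports whether NAS-IP-Address (type 4) or NAS-Identifier (type 32) is present. The function names, the sample user "alice" and the identifier value passed to build_sample are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { ACCESS_REQUEST = 1, HDR_LEN = 20,          /* RFC 2865 section 3 */
       USER_NAME = 1, NAS_IP_ADDRESS = 4, NAS_IDENTIFIER = 32 };

/* 1: well-formed Access-Request with NAS-IP-Address or NAS-Identifier;
 * 0: well-formed but neither present; -1: truncated, malformed, or other code. */
int request_has_nas_attr(const uint8_t *pkt, size_t n)
{
    if (n < HDR_LEN || pkt[0] != ACCESS_REQUEST) return -1;
    size_t len = ((size_t)pkt[2] << 8) | pkt[3];   /* Length field, big-endian */
    if (len < HDR_LEN || len > n) return -1;
    int found = 0;
    for (size_t off = HDR_LEN; off < len; ) {
        if (len - off < 2) return -1;              /* no room for type+length */
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2 || alen > len - off) return -1;
        if (type == NAS_IP_ADDRESS && alen == 6) found = 1;   /* 4-byte address */
        if (type == NAS_IDENTIFIER && alen >= 3) found = 1;   /* >= 1 byte of text */
        off += alen;
    }
    return found;
}

/* Append one attribute at off; returns the new offset, or 0 if it does not fit. */
static size_t put_attr(uint8_t *buf, size_t cap, size_t off,
                       uint8_t type, const void *val, size_t vlen)
{
    if (off == 0 || vlen > 253 || off + 2 + vlen > cap) return 0;
    buf[off] = type; buf[off + 1] = (uint8_t)(vlen + 2);  /* length counts header */
    memcpy(buf + off + 2, val, vlen);
    return off + 2 + vlen;
}

/* Constructed sample request: zeroed authenticator, User-Name "alice",
 * and NAS-Identifier nas_id when non-NULL. Password attribute omitted. */
size_t build_sample(uint8_t *buf, size_t cap, const char *nas_id)
{
    if (cap < HDR_LEN) return 0;
    memset(buf, 0, HDR_LEN);
    buf[0] = ACCESS_REQUEST;
    size_t off = put_attr(buf, cap, HDR_LEN, USER_NAME, "alice", 5);
    if (nas_id) off = put_attr(buf, cap, off, NAS_IDENTIFIER, nas_id, strlen(nas_id));
    if (off == 0) return 0;
    buf[2] = (uint8_t)(off >> 8); buf[3] = (uint8_t)off;
    return off;
}
```

A return value of 0 corresponds to the request shape reported in this ticket: syntactically valid, but missing both NAS attributes.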
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org