# Supports multiple encryption/hash schemes. See "man rlm_pap"
# for details.
#
-# The "auto_header" configuration item can be set to "yes".
-# In this case, the module will look inside of the User-Password
-# attribute for the headers {crypt}, {clear}, etc., and will
-# automatically create the attribute on the right-hand side,
-# with the correct value. It will also automatically handle
-# Base-64 encoded data, hex strings, and binary data.
-#
# For instructions on creating the various types of passwords, see:
#
# http://www.openldap.org/faq/data/cache/347.html
pap {
+ # The "auto_header" configuration item can be set to "yes".
+ # In this case, the module will look inside of the User-Password
+ # attribute for the headers {crypt}, {clear}, etc., and will
+ # automatically create the attribute on the right-hand side,
+ # with the correct value.
auto_header = no
+
+ # By default the server will use heuristics to try and automatically
+ # handle base64 or hex encoded passwords. This behaviour can be
+ # stopped by setting the following to "no".
+# normalise = yes
}
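Review bot: The new comment above `normalise` does not say what an operator has to change when setting it to "no". Judging by the length checks in the rlm_pap.c part of this change, stored MD5, SHA1, NT and LM values would then have to be raw binary of the exact digest length, and hex or base64 encoded values would be rejected. I would add a sentence such as `# If set to "no", hashed passwords must be stored as raw binary; hex or base64 encoded values will be rejected.`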
*/
typedef struct rlm_pap_t {
char const *name; /* CONF_SECTION->name, not strdup'd */
- int auto_header;
+ bool auto_header;
int auth_type;
+ bool normify;
} rlm_pap_t;
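Review bot: The added member `normify` has no comment and shares its name with the `normify()` helper it gates, while the configuration key is spelled `normalise`. That makes `inst->normify` followed by `normify(request, vp, 16)` easy to misread. Renaming the member to match the key, `bool normalise; /* decode hex/base64 encoded hashes before comparing */`, would keep the option traceable from config to code. The existing `name` member carries a comment, so a one-line comment here also fits the struct's style.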
/*
*/
static const CONF_PARSER module_config[] = {
{ "auto_header", PW_TYPE_BOOLEAN, offsetof(rlm_pap_t,auto_header), NULL, "no" },
+ { "normalise", PW_TYPE_BOOLEAN, offsetof(rlm_pap_t,normify), NULL, "yes" },
{ NULL, -1, 0, NULL, NULL }
};
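Review bot: Both `PW_TYPE_BOOLEAN` entries now point at `bool` members (`auto_header` was `int` before this change, `normify` is new), so the parser has to store exactly `sizeof(bool)` bytes at those offsets. The parser is not part of this diff; if it still writes through an `int *`, the store is wider than the member and on a big-endian target the flag could read back as false. This is worth confirming against the config parser, and a short comment on the table such as `/* PW_TYPE_BOOLEAN targets must be bool */` would record the requirement.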
case PW_SMD5_PASSWORD:
case PW_NT_PASSWORD:
case PW_LM_PASSWORD:
- normify(request, vp, 16); /* ensure it's in the right format */
+ if (inst->normify)
+ normify(request, vp, 16); /* ensure it's in the right format */
found_pw = true;
break;
case PW_SHA_PASSWORD:
case PW_SSHA_PASSWORD:
- normify(request, vp, 20); /* ensure it's in the right format */
+ if (inst->normify)
+ normify(request, vp, 20); /* ensure it's in the right format */
found_pw = true;
break;
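Review bot: The added `if (inst->normify)` guards in both case groups are unbraced, and the same two-line form is repeated in pap_auth_md5, pap_auth_smd5, pap_auth_sha, pap_auth_ssha, pap_auth_nt and pap_auth_lm. Since this condition decides whether a stored credential is decoded before comparison, I would brace it so a later added statement cannot fall outside the guard: `if (inst->normify) {`, `normify(request, vp, 16);`, `}`. The trailing comment "ensure it's in the right format" no longer holds unconditionally; `/* decode hex/base64 if enabled */` would be more accurate. The enclosing switch and function begin outside this hunk.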
* PAP authentication functions
*/
-static int pap_auth_clear(REQUEST *request, VALUE_PAIR *vp)
+static int pap_auth_clear(UNUSED rlm_pap_t *inst, REQUEST *request, VALUE_PAIR *vp)
{
RDEBUG("Using clear text password \"%s\"", vp->vp_strvalue);
return RLM_MODULE_OK;
}
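Review bot: `RDEBUG("Using clear text password \"%s\"", vp->vp_strvalue)` writes the stored cleartext password into debug output, and the same pattern in pap_auth_crypt prints the stored crypt hash. The commit changes both signatures but leaves these lines as they are. Debug logs are often copied into tickets and support threads, so I would drop the value: `RDEBUG("Using clear text password");` and `RDEBUG("Using CRYPT password");`. The comparison code of both functions is not shown in this hunk.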
-static int pap_auth_crypt(REQUEST *request, VALUE_PAIR *vp)
+static int pap_auth_crypt(UNUSED rlm_pap_t *inst, REQUEST *request, VALUE_PAIR *vp)
{
RDEBUG("Using CRYPT password \"%s\"", vp->vp_strvalue);
return RLM_MODULE_OK;
}
-static int pap_auth_md5(REQUEST *request, VALUE_PAIR *vp)
+static int pap_auth_md5(rlm_pap_t *inst, REQUEST *request, VALUE_PAIR *vp)
{
FR_MD5_CTX md5_context;
uint8_t binbuf[128];
RDEBUG("Using MD5 encryption.");
- normify(request, vp, 16);
+ if (inst->normify)
+ normify(request, vp, 16);
if (vp->length != 16) {
REDEBUG("Configured MD5 password has incorrect length");
return RLM_MODULE_REJECT;
}
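Review bot: With `normalise = no`, the length test right after the new guard becomes the only check on the stored value. A hex or base64 encoded MD5 hash is then rejected with "Configured MD5 password has incorrect length", and nothing tells the operator that decoding was skipped. Rejecting is the safe outcome, but it is hard to diagnose; an `else` branch with `RDEBUG("Normalisation disabled, expecting raw binary hash");` would make the cause visible. The same applies to the exact-length checks in pap_auth_sha, pap_auth_nt and pap_auth_lm. The rest of pap_auth_md5 lies outside this hunk.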
-static int pap_auth_smd5(REQUEST *request, VALUE_PAIR *vp)
+static int pap_auth_smd5(rlm_pap_t *inst, REQUEST *request, VALUE_PAIR *vp)
{
FR_MD5_CTX md5_context;
uint8_t binbuf[128];
RDEBUG("Using SMD5 encryption.");
- normify(request, vp, 16);
+ if (inst->normify)
+ normify(request, vp, 16);
if (vp->length <= 16) {
REDEBUG("Configured SMD5 password has incorrect length");
return RLM_MODULE_REJECT;
return RLM_MODULE_OK;
}
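Review bot: The check `vp->length <= 16` is only a lower bound, so once the new guard skips `normify()`, a hex or base64 encoded SMD5 value passes it and is then treated as raw digest plus salt. Presumably this ends in a mismatch rather than a false accept, but the user would see a plain password failure with no hint about the encoding; pap_auth_ssha has the same shape with `vp->length <= 20`. A comment at the guard, for example `/* without normify the value must already be raw digest+salt */`, or a debug line when `inst->normify` is false, would document the contract. The salt handling between the length check and the return is not shown here, so the salt size cannot be checked against `binbuf[128]` from this hunk.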
-static int pap_auth_sha(REQUEST *request, VALUE_PAIR *vp)
+static int pap_auth_sha(rlm_pap_t *inst, REQUEST *request, VALUE_PAIR *vp)
{
fr_SHA1_CTX sha1_context;
uint8_t binbuf[128];
RDEBUG("Using SHA1 encryption.");
- normify(request, vp, 20);
+ if (inst->normify)
+ normify(request, vp, 20);
if (vp->length != 20) {
REDEBUG("SHA1 password has incorrect length");
return RLM_MODULE_REJECT;
return RLM_MODULE_OK;
}
-static int pap_auth_ssha(REQUEST *request, VALUE_PAIR *vp)
+static int pap_auth_ssha(rlm_pap_t *inst, REQUEST *request, VALUE_PAIR *vp)
{
fr_SHA1_CTX sha1_context;
uint8_t binbuf[128];
RDEBUG("Using SSHA encryption.");
- normify(request, vp, 20);
+ if (inst->normify)
+ normify(request, vp, 20);
if (vp->length <= 20) {
REDEBUG("SSHA password has incorrect length");
return RLM_MODULE_REJECT;
return RLM_MODULE_OK;
}
-static int pap_auth_nt(REQUEST *request, VALUE_PAIR *vp)
+static int pap_auth_nt(rlm_pap_t *inst, REQUEST *request, VALUE_PAIR *vp)
{
uint8_t binbuf[16];
char charbuf[32 + 1];
RDEBUG("Using NT encryption.");
- normify(request, vp, 16);
+ if (inst->normify)
+ normify(request, vp, 16);
if (vp->length != 16) {
REDEBUG("Configured NT-Password has incorrect length");
return RLM_MODULE_REJECT;
}
-static int pap_auth_lm(REQUEST *request, VALUE_PAIR *vp)
+static int pap_auth_lm(rlm_pap_t *inst, REQUEST *request, VALUE_PAIR *vp)
{
uint8_t binbuf[16];
char charbuf[32 + 1];
RDEBUG("Using LM encryption.");
- normify(request, vp, 16);
+ if (inst->normify)
+ normify(request, vp, 16);
if (vp->length != 16) {
REDEBUG("Configure LM-Password has incorrect length");
return RLM_MODULE_REJECT;
return RLM_MODULE_OK;
}
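Review bot: The context line `REDEBUG("Configure LM-Password has incorrect length")` has a typo, and with normalisation now optional this is the message an operator will see when a hex-encoded LM hash is stored with `normalise = no`. I would fix it while the function is being touched: `REDEBUG("Configured LM-Password has incorrect length");`, matching the NT and MD5 wording. The hashing code between the length check and the return is not part of this hunk.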
-static int pap_auth_ns_mta_md5(REQUEST *request, VALUE_PAIR *vp)
+static int pap_auth_ns_mta_md5(UNUSED rlm_pap_t *inst, REQUEST *request, VALUE_PAIR *vp)
{
FR_MD5_CTX md5_context;
uint8_t binbuf[128];
/*
* Authenticate the user via one of any well-known password.
*/
-static rlm_rcode_t mod_authenticate(UNUSED void *instance, REQUEST *request)
+static rlm_rcode_t mod_authenticate(void *instance, REQUEST *request)
{
+ rlm_pap_t *inst = instance;
VALUE_PAIR *vp;
rlm_rcode_t rc = RLM_MODULE_INVALID;
vp_cursor_t cursor;
- int (*auth_func)(REQUEST *, VALUE_PAIR *) = NULL;
+ int (*auth_func)(rlm_pap_t *, REQUEST *, VALUE_PAIR *) = NULL;
if (!request->password ||
/*
* Authenticate, and return.
*/
- rc = auth_func(request, vp);
+ rc = auth_func(inst, request, vp);
if (rc == RLM_MODULE_REJECT) {
RDEBUG("Passwords don't match");