Michael Joyner wrote:
> What about simply calling a pre-defined command that returns an error
> status of 0 for success and 1 for failure?
> Passing arguments to the command for username + password.
> Under the condition that the Manhattan server does not have shell
> accounts assigned to people, there shouldn't be a high concern from
> username / password sniffing by ps.
>
What I have is a rewrite of the existing function in login.c as Steve
suggested:
static void
check_central_password (const char *username, const char *plaintext_password)
{
    int result;

    result = check_ldap_password (username, plaintext_password);
    /* 0 OK, 1 bad user, 2 bad password, 99 ldap error */
    switch (result) {
    case 0:
        break;                          /* authenticated */
    case 1:
        report_bad_login (L22_MYMANHATTAN_COURSE_NAME, "", "", "");
        break;
    case 2:
        write_central_log (username, L36_WRONG_PASSWORD_EVENT, "", 0);
        report_bad_login (L22_MYMANHATTAN_COURSE_NAME, "", "", "");
        break;
    default:
        /* 99 or anything unexpected: an LDAP failure must not let the
           login through, so treat it as a failed login as well */
        report_bad_login (L22_MYMANHATTAN_COURSE_NAME, "", "", "");
        break;
    }
}
The function check_ldap_password is in a small library that I created
similar to manhat-lib. It in turn uses an ldap library I found had been
loaded with openldap on my Linux server. The connection between the
Manhattan server and the LDAP server can be as secure as you want (or
rather as secure as your LDAP server allows) by encrypting that
connection even if it is on a different box.
All on the central course/LDAP front is working well. I found, however,
that if I create standalone courses with XML -- which should not be
affected by the change in central authentication -- the initial passwords
in the user's course area get created with random values. It may be a
side effect of the changes I made but I'm not sure yet. So far in my
tracing I've found that find_this_username(all, username) in
super_xml_course_create.c never succeeds and consequently
derive_password never gets called and the password seems to get created
based on uninitialized garbage. :-(
Back to tracing.
pa
--
Peter Allmaker
MCLA Computer Support Services 413-662-5510