On 10/03/2022 12:57, Gert Doering wrote:
Without this patch, OpenVPN behaviour if more than one plugin wants
to do deferred user/password authentication not well-defined, as
there is just one set of auth control files and a single plugin state.
This patch changes "key state -> plugin_auth" from
On Thu, Mar 10, 2022 at 12:18 PM Gert Doering wrote:
> The actual plugin calls are no longer done with the "do them all"
> function plugin_call() (or plugin_call_ssl()) but plugin.c/plugin.h
> is changed to expose the "call one" function plugin_call_item(), and
> verify_user_pass_plugin() calls t
Hi Gert.
On Thu, Mar 10, 2022 at 3:13 PM Gert Doering wrote:
> Yes, your report triggered this work. I think I misunderstood the
> original scenario (I thought it involved two plugins both going
> "deferred"), but this patch introduces a "short circuit" approach
> to plugin authentication where
Hi,
On Thu, Mar 10, 2022 at 01:57:01PM +, Pete Nelson wrote:
> One of the behaviors that brought this to light was a user who had an LDAP
> (non-deferred) plugin followed by a Duo MFA (deferred) plugin. He noted
> that, even if the LDAP call returned failure, the Duo plugin was still
> called
One of the behaviors that brought this to light was a user who had an LDAP
(non-deferred) plugin followed by a Duo MFA (deferred) plugin. He noted
that, even if the LDAP call returned failure, the Duo plugin was still
called. That would generate a push notification to his phone even though
the au
Without this patch, OpenVPN behaviour if more than one plugin wants
to do deferred user/password authentication not well-defined, as
there is just one set of auth control files and a single plugin state.
This patch changes "key state -> plugin_auth" from a single struct
to an array of MAX_PLUGINS
